Is Virtual Security Really Secure?

By Gail Dutton
published: Thursday, August 21 2008

 "At a high level "there's nothing new - everybody continues to get it all wrong, all the time," according to Secerno founder and CTO, Steve Moyle. At the technical level, though, "Some of the challenges from virtual environments are starting to unwind the gains made."

Virtualized machines aren't inherently riskier than physical systems, but the consequences of any breach are much greater. Because virtualized environments provide access to multiple assets, "virtualization presents a delicious target for attacks," Moyle says.

Hypervisors are a particular concern. While they go a long way towards streamlining management, once breached, they offer hackers the ability to run rampant throughout the computer system.  Rumors of a hypervisor root kit that can precipitate a doomsday scenario by infiltrating a system have been floating throughout the security community for some months now and are particularly unsettling, notes Michael Berman, Catbird CTO. "People are very afraid of the harm malware may do to a hypervisor," he underscores. Aside to the harm the malware itself can do, it can also ruin careers because, as Berman points out, "a compromised virtual environment looks exactly like a malicious administrator. So, if you protect against an administrator, you've protected against that environment."

Flexibility is the hallmark of virtualization and one of its chief attractions, yet, flexibility is the enemy of security. That conundrum is one of the often unforeseen "got-cha's" faced by administrators. Oftentimes, they see the benefits but underestimate the complexity inherent in virtual environments and don't fully understand its systemic ramifications. "A data center guy isn't a security guy," Tamar Newberger, Catbird's VP of marketing Newberger emphasizes, "and virtualization is so new that neither may have the language to ask the questions." Consequently, visibility decreases so that administrators don't necessarily know what operations are running on which machines.

"Administrators don't know they opened a big hole," Newberger explains, so the risks are usually inadvertent human errors that can be decreased by implementing the right combination of policies, controls and automation," she notes. The challenge is one of education. 

"Risks in a virtual world are different, and yet the same," Moyle adds, and are wrapped in a layer of complexity that administrators often underestimate. For example, Anthony James, vp of products for security vendor Fortinet, Inc. says, "There are some instances where you can open holes in the infrastructure if you don't follow certain procedures." Hosting multiple customers on one server, for instance, can increase the potential exposure of all customers on that server unless security is designed for such instances.

Security that is added as an after-thought is almost certain to fail. To prevent such failures, IT executives need to design security upfront, beginning with the risk analysis. "We find that people tend to first provision the servers and then think about how to secure them," Moyle says. What's better, he says, is to "insist that security is up before provisioning the machines."

Virtualization isn't inherently riskier than physical systems. The risk depends upon how the environment it managed. The foundation of any robust security scheme, regardless of whether it's physical or virtual, is a firm understanding of the organization's assets and ways to increase their benefits, as well as any potential threats and potential mitigations.

The assets and benefits will vary among companies, but the weaknesses often are similar. In the case of virtualization, a chief concern is that the entire system can be accessed from one point. To put that management boon into security terms, Berman explains that "in a physical environment, standing up a new server required the cooperation of many groups and individuals, so any changes would have had a chance of review by multiple people." Collusion to create mischief is difficult in that environment and honest mistakes are often caught and corrected before systems go online. In contrast, "in a virtualized environment, an administrator can stand up a server in five minutes, but it may not be secure or compliant," Berman says. Collusion isn't needed, and security gaps may not be noticed because fewer eyes are trained on the deployment.

 The virtual environment has the usual security concerns involving optimizing resources and hardware platforms, but the virtualization adds another layer that also must be considered. Newberger advocates a redundant "belts and braces" approach, as well as functional segregation and auditing. For virtualization, such a comprehensive approach requires a few tweaks to the infrastructure and to the security policy to ensure that it's updated to consider virtualization.

Segregation was an early attempt to address vulnerabilities in physical environments. Geographic separation provided some protection from natural disasters. As systems were networked, however, physical separation was insufficient to protect their data. Consequently, networks were segregated based upon IP addresses so that certain computers could communicate only in certain ways -or not at all - with specific servers. Likewise, users could access only the portions of the network that were relevant to their work.

Virtual environments, however, are making that type of segregation pointless. "In a virtualized environment, we no longer have meaningful IP addresses," Molye says, so they can't be used for segregation.