Analyst firm Gartner has warned that many virtualization
deployment projects are being undertaken without involving the
information security team in the initial architecture and planning
stages. As a result, the firm says that through 2012, 60 percent of
virtualized servers will be less secure than the physical servers
they replace.
Gartner research indicates that at the end of 2009, only 18
percent of enterprise data center workloads that could be
virtualized had been virtualized; the number is expected to grow to
more than 50 percent by the close of 2012. As more workloads are
virtualized, as workloads of different trust levels are combined
and as virtualized workloads become more mobile, the security
issues associated with virtualization become more critical to
address.
Gartner has identified the six most common virtualization security
risks together with advice on how each issue might be
addressed:
Risk #1: Information Security is not initially involved in virtualization projects
Survey data from Gartner conferences in late 2009 indicates that about 40
percent of virtualization deployment projects were undertaken
without involving the information security team in the initial
architecture and planning stages. Typically, the operations teams
will argue that nothing has really changed: they already
have skills and processes to secure workloads, operating systems
(OSs) and the hardware underneath. While true, this argument
ignores the new layer of software, the hypervisor and
virtual machine monitor (VMM), that is introduced when workloads are
virtualized.
Gartner said that security professionals need to realize that risk
that isn't acknowledged and communicated cannot be managed. They
should start by looking at extending their security processes,
rather than buying more security, to address security in
virtualized data centers.
Risk #2: A compromise of the virtualization layer could result in the compromise of all hosted workloads
The virtualization layer represents another important IT platform
in the infrastructure, and like any software written by human
beings, this layer will inevitably contain embedded and
yet-to-be-discovered vulnerabilities that may be exploitable. Given
the privileged level that the hypervisor/VMM holds in the stack,
hackers have already begun targeting this layer to potentially
compromise all the workloads hosted above it. From an IT security
and management perspective, this layer must be patched, and
configuration guidelines must be established.
Gartner recommends that organizations treat this layer as the most
critical x86 platform in the enterprise data center and keep it as
thin as possible, while hardening its configuration against unauthorized
changes. Virtualization vendors should be required to support
measurement of the hypervisor/VMM layer on boot-up so that a modified
hypervisor can be detected before workloads are started on it. Above all,
organizations should not rely on security controls running inside a
guest OS to detect a compromise of, or protect, the layer beneath them: a
compromised hypervisor controls everything those agents see.
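The boot-time measurement Gartner asks vendors for works by hashing each boot stage into a register that can only be extended, never reset, and comparing the final value with one recorded from a trusted install. The model below is an added illustration of that idea, not code from Gartner or from any hypervisor vendor: the "components" are constructed byte strings standing in for firmware, bootloader and hypervisor images, the register is an in-memory SHA-256 value rather than a real TPM PCR, and the stage names are made up. It shows that a changed hypervisor image alters the final measurement even when every later stage is untouched, and how a verifier replays the event log to name the stage that deviated.

```python
"""Model of measured boot for a virtualization host (constructed example).

Each stage is hashed and folded into a PCR-like register before it runs;
a verifier compares the final value to a known-good value recorded from
a trusted install.  Stand-in images and an in-memory register, not a TPM.
"""
import hashlib
import hmac

PCR_INIT = bytes(32)  # a fresh SHA-256 PCR bank starts as all zeros


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(component)).

    The register cannot be written, only extended, so a later stage cannot
    erase the record that an earlier, modified stage was loaded.
    """
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components):
    """Measure components in boot order; return (final PCR, event log).

    The event log holds (stage name, digest) per stage; an attestation
    verifier replays it to explain a PCR mismatch.
    """
    pcr = PCR_INIT
    log = []
    for name, blob in components:
        pcr = extend(pcr, blob)
        log.append((name, hashlib.sha256(blob).hexdigest()))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the logged digests (checks log/PCR consistency)."""
    pcr = PCR_INIT
    for _name, hexdigest in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(hexdigest)).digest()
    return pcr


def first_deviation(log, golden_log):
    """Name of the first stage whose digest differs from the golden log."""
    for (name, digest), (_gname, gdigest) in zip(log, golden_log):
        if digest != gdigest:
            return name
    return None


def pcr_matches(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    return hmac.compare_digest(reported_pcr, golden_pcr)


# Constructed stand-ins for the images measured on a trusted install.
GOLDEN_CHAIN = [
    ("firmware", b"firmware-image-v1"),
    ("bootloader", b"bootloader-image-v1"),
    ("hypervisor", b"hypervisor-kernel-v1"),
    ("vmm_config", b"vmm-config: hardened=true"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_chain(GOLDEN_CHAIN)

# The same host booting a modified hypervisor image (constructed); the
# stages after it are unchanged but the final PCR still differs.
TAMPERED_CHAIN = [
    ("firmware", b"firmware-image-v1"),
    ("bootloader", b"bootloader-image-v1"),
    ("hypervisor", b"hypervisor-kernel-v1" + b"\x90" * 8),
    ("vmm_config", b"vmm-config: hardened=true"),
]


def attest(chain):
    """Return (ok, first_bad_stage) for a host's boot chain."""
    pcr, log = measure_chain(chain)
    if not pcr_matches(pcr, GOLDEN_PCR):
        return False, first_deviation(log, GOLDEN_LOG)
    return True, None


if __name__ == "__main__":
    print(attest(GOLDEN_CHAIN))
    print(attest(TAMPERED_CHAIN))
```

In a real deployment the hashing is done by firmware and the bootloader into TPM PCRs and the comparison is made by a remote attestation service; the point the model makes is the same: a guest-resident agent cannot perform this check, because it runs above the layer being measured.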
Risk #3: The lack of visibility and controls on internal virtual networks created for VM-to-VM communications blinds existing security policy enforcement mechanisms
For efficiency in communications between virtual machines (VMs),
most virtualization platforms include the ability to create
software-based virtual networks and switches inside of the physical
host to enable VMs to communicate directly. This traffic will not
be visible to network-based security protection devices, such as
network-based intrusion prevention systems.
Gartner recommends that at a minimum, organizations require the
same type of monitoring they place on physical networks, so that
they don't lose visibility and control when workloads and networks
are virtualized. To reduce the chance of misconfiguration and
mismanagement, they should favor security vendors that span
physical and virtual environments with a consistent policy
management and enforcement framework.
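To make the blind spot concrete, the following toy virtual switch is an added example (not code from Gartner or from any virtualization product) with made-up port names, MAC addresses and frames. Frames between two VMs on the same virtual switch are delivered inside the host and never reach the uplink to the physical NIC, so a network IPS on the physical segment counts only the traffic that leaves the host. Attaching a mirror (SPAN-style) port to the virtual switch, which is one form of the "same type of monitoring" the text calls for, gives a sensor a copy of every frame the switch handles.

```python
"""Toy host-internal virtual switch (constructed example).

Shows that VM-to-VM unicast traffic stays inside the host and bypasses
any sensor on the physical network, and that a mirror port on the
virtual switch restores visibility.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

UPLINK = "uplink"  # the one port wired to the physical NIC


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    payload: bytes


class VSwitch:
    """Switch that knows its VMs' MACs from their vNIC configuration
    (no learning needed); anything not addressed to a local VM leaves
    through the uplink."""

    def __init__(self) -> None:
        self.mac_to_port: Dict[str, str] = {}
        self.seen: Dict[str, List[Frame]] = defaultdict(list)
        self.mirror_port: Optional[str] = None

    def attach_vm(self, port: str, mac: str) -> None:
        self.mac_to_port[mac] = port

    def enable_mirror(self, port: str) -> None:
        """SPAN-style port that receives a copy of every forwarded frame."""
        self.mirror_port = port

    def forward(self, frame: Frame) -> None:
        out_port = self.mac_to_port.get(frame.dst_mac, UPLINK)
        self.seen[out_port].append(frame)
        if self.mirror_port is not None:
            self.seen[self.mirror_port].append(frame)

    def frames_on(self, port: str) -> int:
        return len(self.seen[port])


# Constructed hosts and traffic: a web tier talking to an app tier on the
# same host, plus one request that leaves the host.
VM1 = ("vnet0", "02:00:00:00:00:01")
VM2 = ("vnet1", "02:00:00:00:00:02")
GATEWAY_MAC = "02:00:00:00:ff:fe"

TRAFFIC = [
    Frame(VM1[1], VM2[1], b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"),
    Frame(VM2[1], VM1[1], b"HTTP/1.1 200 OK\r\n\r\n"),
    Frame(VM1[1], GATEWAY_MAC, b"DNS query: example.com"),
]


def run(with_mirror: bool) -> Dict[str, int]:
    """Forward the constructed traffic; return frames observed per port."""
    sw = VSwitch()
    sw.attach_vm(*VM1)
    sw.attach_vm(*VM2)
    if with_mirror:
        sw.enable_mirror("span0")
    for frame in TRAFFIC:
        sw.forward(frame)
    return {p: sw.frames_on(p) for p in ("vnet0", "vnet1", UPLINK, "span0")}


if __name__ == "__main__":
    print("no mirror:  ", run(False))
    print("with mirror:", run(True))
```

Without the mirror port, a sensor on the uplink sees one of the three frames (the DNS query) and the VM-to-VM HTTP exchange is invisible to it; with the mirror port, all three are copied to span0. The same policy-consistency argument the text makes applies here: whatever inspects span0 should enforce the same rules as the physical IPS, otherwise the two environments drift apart.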
Disclaimer Note: "InformationWeek India and UBM India do not endorse, and have not verified the views and claims expressed in this vendor Press Release."