The Virtualization Bulldozer and Security: Time to Get Your Head Out of the Sand
October 7, 2011 Leave a comment
- Security teams should educate themselves on the options available specifically to protect virtual servers and desktops
- Security teams should seek to get involved in virtualization projects early in the planning process
Chief information security officers (CISOs) and security teams should educate themselves on the growing array of threat management products aimed specifically at securing virtual server and/or virtual desktop environments. Why? Because traditional security methods do not scale nor do they match the flexibility required in virtualized environments, or directly protect the hypervisor from breaches. At the same time, the first generation of virtualized endpoint protection, firewalls and other threat management products take up too much overhead, which greatly diminishes the benefits of virtualization that most organizations are seeking. They require an instance of their scanners per-VM, taking up critical CPU and memory, and when multiple signature scanners in a single physical host all update signatures at the same time, it creates a scan storm that can bring a server to its knees.
Security teams should also lobby to get involved in new virtualization projects in the planning stages of those initiatives. The objective is to architect security into the design of the virtualized system, as opposed to a bolt-on afterthought. VMware officials at the most recent VMworld spoke of how the security team is pulled in at the last minute, and then frequently ignored when it raises objections or puts up road blocks in order to protect data and systems.
Armed with the knowledge of how more effective virtualization security products and best practices can enable such projects to move forward with the proper security controls in place (which do not limit flexibility or impose great overhead), the security team can exert greater influence over the design of a virtualized system or application from the start, and insure the security and compliance of those projects (see Virtualization Security in 2011: Time to Regroup?, October 5, 2011).
After all this time, you’d think that this would be a no brainer. But in fact a study conducted by InformationWeek in its InformationWeek Analytics Virtualization Security Survey found that attitudes have changed very little over the last three years when it comes to securing virtual servers and desktops. Between May 2008 and September 2010, there was almost no change in the attitude that virtual servers are just as safe, if not safer than physical servers – and 3/4ths of the respondents felt that way. During the same time frame the percentage of those that had virtual machine security provisions in place barely moved from 12 percent down to 10 percent.
Another survey done by Symantec found that enterprises are increasingly interested in virtualizing mission critical business applications. As those migrations occur, they become an even more tempting target for cyber criminals looking to steal valuable customer data or intellectual property. It’s one thing to fall short in protecting virtualized test and dev applications, and another thing to fail to protect mission critical applications.
To be clear, just using VLAN tagging to keep separate different types of traffic is not secure, nor does it scale, nor is it flexible enough in environments where virtual machines are vMotioned from one physical server or data center to another. And it does not protect against hyperjacking. At the same time, traditional firewalls can’t ensure that security policies and enforcement follow the movement of virtual machines as they are vMotioned, and they don’t provide visibility into or control over VM to VM communication within the same physical server, since that interaction never hits the wire.