Virtualization is proving to be a technology of choice for certain cost-saving initiatives, but industry observers are sounding the alarms on the security realities of a virtual enterprise.
It’s the nature of the threat landscape: attackers move where emerging technology moves. As virtualization increasingly gains momentum in the enterprise, it will start to become the target of new security threats, cautioned Neil MacDonald, vice-president with Stamford, Conn.-based market research firm Gartner Inc.
“Many organizations mistakenly assume that their approach for securing virtual machines will be the same as securing any OS (operating system) and thus plan to apply their existing configuration guidelines, standards and tools,” said MacDonald.
While that might be a good starting point, it will not provide sufficient protection for virtual machines, he explained.
Gartner also pointed out that the tools and technologies for addressing security issues with virtualization are either “immature or non-existent.” As a result, the firm predicts that through 2009, 60 per cent of production-level virtual machines will be less secure than their physical counterparts.
In its latest Internet Security Threat Report (ISTR), a compilation and analysis of IT security activities worldwide, Symantec Corp. cited virtualization-related security attacks as among the trends to watch for in the near future.
“Virtualization, in a lot of instances, is being touted as a security solution,” said Dean Turner, executive editor of the ISTR. He warned that as adoption of virtualization increases, new attacks will be developed that will target virtual environments with the goal of compromising host systems.
There is, however, merit to the argument that virtualization can, in some ways, benefit security, said John Sloan, senior research analyst at London, Ont.-based Info-Tech Research Group.
Virtualization is the process of creating virtual instances of operating systems running on a single, usually powerful, piece of hardware. A software layer that runs on top of the hardware enables the creation of virtual machines. The virtual instances are therefore isolated from the physical layer running underneath them.
“There is some positive potential there for security in a sense that if some malicious agent is targeting a server that is running a certain software, they can’t really gain control of the physical machine because that (targeted) software is actually running on a virtual machine,” explained Sloan. The attacker, in essence, would only succeed in corrupting the virtual instance and not the physical machine.
Recovery from such an attack is also faster than it would be if the attack occurred on a physical server. The administrator can simply take down the virtual machine, remove the threat and restart a new virtual instance from a clean template, said Sloan.
The threat emerges if an attacker manages to gain access to the OS that’s hosting all the virtual machines from the physical box. Theoretically, by compromising the host OS an attacker can take down all the virtual machines running on that system, or create a new virtual machine that can do the attacker’s bidding, the Info-Tech analyst said.
Gartner analysts suggest that companies considering virtualization deployment should start planning for security prior to implementation – ideally, prior to vendor and product selection so that “security and securability can be factored into the evaluation and selection process.”
“Organizations need to pressure security and virtualization vendors to plug the major security gaps,” said MacDonald. He added that while existing virtualization products address some of these gaps, “it will take several years for the tools and vendors to evolve, as well as organizations to mature their processes and staff skills.”
The realization of the security risks associated with virtualization, however, may not be top-of-mind yet among enterprise security managers because the enterprise market is not “seeing a lot of implementations of virtualization,” according to Francis Ho, executive committee member of Toronto-based Federation of Security Professionals (FSP).
FSP is an association of enterprise IT security practitioners providing continuing security training and seminars for Canadian IT security professionals.
“[Companies] have not wholly bought into the virtualization space just yet,” said Ho.
However, from a security standpoint, Ho said that firms considering virtualization “have to think of the reasons why you’re doing it other than cost savings.”
For organizations that have implemented or are considering implementing virtualization, the concern is not typically about whether the technology would make them less secure, but more about the implications to the security management aspect of administration, said Info-Tech’s Sloan.
“[Administrators] still have physical machines that are…going to have to be secured as always, but now they are going to have a whole bunch of virtual machines running on top of that, and that represents a new layer that has to be secured, which is going to make [their] security management that much more complicated,” he explained.
Gartner recommends that in implementing virtualization, companies should consider such security issues as patching and signature updates for virtual machines, protecting virtualization software as it becomes a new target of attacks, and security policies for mobile virtual machines.