Server virtualization is growing as a critical component of system and data center design. However, there are many who claim it adds additional vulnerabilities to already complex security environments. So is this true? Is virtualization increasing organizational risk? And if it is, is the value gained worth a little risk acceptance?
When microcomputer-based servers began to supplant mainframes and mini-computers as core business information processing systems, microcomputer technology was far behind its current state. Placing a single solution on each server was recommended by companies like Microsoft to ensure expected performance and reduce the risk of incompatibilities. The approach worked, but it created data centers with potentially hundreds of single-purpose servers.
As the number of servers increased, so did management headaches. Further, improvements in hardware technology, coupled with end-of-life server replacements, resulted in data centers full of servers with underused resources. The time was right for virtualization.
Virtualization started out slowly, feeling its way through the information architecture landscape. Over time, it became the core of many server implementation strategies. According to William Hau and Rudolph Araujo of Foundstone:
A recent [virtualization] industry conference drew more than 10,000 attendees, putting virtualization in the same league of technologies as Java and Linux.
Server and desktop virtualization has moved from being a buzzword to becoming a reality that will define the way organizations leverage information technology.Source: Virtualization and Risk – Key Security Considerations for your Enterprise Architecture
Virtualization has taken hold because it helps organization address many day-to-day issues associated with server technology, including:
- Hardware pooling. Multiple virtual servers can share a single hardware platform's resources, maximizing an organization's investment.
- Underlying hardware is not an issue. Virtual environments abstract hardware from guest virtual server environments. Vendors and business users of applications and operating systems have less to worry about when trying to deploy a solution on a variety of hardware platforms.
- Secure logging. Hypervisors, or virtual machine managers (VMM), log events from beneath guest environments. So even if logs in the virtual machine are modified or destroyed, the VMM logs are still available for security or troubleshooting activities.
- Server implementation via standard images. Once a virtual server is created, with appropriate baseline security settings, patches applied, and other environment-specific settings, an organization can save an image. The image can be used for recovery or to create other servers of the same type (i.e., email, database, file and print, etc.).
- Quick Recovery from business continuity events. If hardware fails or a virtual server is somehow corrupted, rebuilding the environment from a stored virtual image is a quick way to restore services. And because the hardware is abstracted from the virtual machine, a critical server can be restored on a hardware platform different from the normal production system, without having to worry about incompatibilities.
- Security testing. Building baselines for both servers and network behavior is a big part of security management. Testing configurations with virtual servers is a good way to quickly throw up a server, test, and tear it down once testing is complete.
What are the risks of virtualization?
Like any new technology, virtualization requires a shift in the way we manage our information infrastructure. Three potential risks IT managers must address include proliferation, shifting network baselines, and rollback vulnerabilities.
The ease with which engineers can deploy virtual servers is both an advantage and a disadvantage. Traditional server deployment required purchase or repurposing of an actual piece of hardware. It was easy to control this process with standard change management processes. Virtualization changes the game.
Today, engineers can create virtual servers on any virtualized hardware platform simply by deploying the relevant image. They can do this without the checks and balances mandated by spending more money. This capability can actually result in more servers to manage, with a greater number falling under the radar of security analysts, auditors, etc.
When configuring security or performance monitoring solutions, a stable network baseline is assumed. However, the ability to build-tear down-build virtual servers at will can work havoc upon baselines. This includes already established baselines, causing unreliable monitoring results.
Finally, using virtual images to roll back virtual servers because of problems with an update, upgrade, or patch can move a server back in time. A time before critical security patches were applied, for example.
All three of these risks are caused by changes in how server deployment is managed. Adjusting administrative controls (i.e., change management policies and processes) to include special virtualization considerations is the first step. Organizations must follow policy changes with modifications to compliance oversight processes.
Now that we've looked at some common administrative vulnerabilities, let's move to attacks against virtual environments.
Proof of concept exploits, like Blue Pill, SubVirt, and Xensploit, have demonstrated unique vulnerabilities related to VMMs. However, no known attack has occurred. Further, anti-malware vendors have significantly improved their products' ability to detect these types of infections. (See McAfee's Total Protection for Virtualization solution.) The bottom line? Use common sense and knowledge of virtualization security issues to design reasonable and appropriate virtual server controls. Although the technology might be new, the general approach for protecting it hasn't changed.
The final word
So is virtualization worth the risk? Absolutely. The business value gained from properly managed virtualization far exceeds any real or perceived risk. More specifically, the additional risk is minimal when the technology is properly managed, while improvements to business continuity and ROI are significant. So go forth and virtualize.
Tell us what you think
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.