Four virtualization security basics to watch

While mobile and smartphone security is the hot topic of the moment among virtualization security gurus, plenty of other virtualization security topics demand IT's attention right now. At the recent RSA Security Conference in San Francisco, the interest in virtualization security ran high - with good reason. Different IT departments are at different points on their virtualization journeys, of course, and some are still thinking about security in the old physical-world terms, analysts say.

"There's still a lot of question about how to approach security on virtualized servers," says Phil Hochmuth, program manager for security products at IDC.

By 2012, half of all the workloads run in corporate data centers will run on virtualized platforms -- whether virtual servers or cloud platforms; by 2015, 40 per cent of the security software controls inside corporate data centers will be fully virtualized, according to a November 2010 report from Gartner.

Basic security tools such as intrusion protection don't work well with virtual machines because they're harder to define by geography, IP or MAC address, and it's hard for external software to see or filter communications between VMs on a single physical server, notes Neil MacDonald, VP and Gartner Fellow, who co-wrote the report.

With most tools, it's hard for IT to know how many of the VMs on a particular server even have all their patches up to date, Hochmuth says.

Here are some virtualization security questions to consider when making plans for your environment:

1. Is a slow server a safe server?

Just as in physical servers, adding security software adds to the workload, eats resources and lowers performance. Virtualized servers make more efficient use of their resources than physical servers, but that doesn't mean it's obvious where and how to apply security.

"It sounds pretty basic, but there is a lot of disagreement about whether it's better to have agents inside every virtual machine to secure them, or if that's too much of a drain on resources and that having something that can watch a group of VMs is better," Hochmuth says.

Run an agent on each of the 30 VMs in a quad-processing server and you get overhead equal to running 30 copies of the security software -- because that's what you're doing.

The other major alternative -- running one piece of software on the physical server that can observe all the VMs and their operating systems -- is more elegant in concept, but may not be as secure, or may not be all that efficient either.

Hochmuth recommends "a really pragmatic proof of concept" comparing the impact on performance of several vendors' products. Even if the test tells you nothing about how good the security is, "it will tell you which products bog down the particular workloads you're running more than you find acceptable," he says.

2. Should you even let the VMs talk to each other without encryption?

Virtualizing servers means more than just being able to cram several operating systems into one box; it means creating a network inside that box across which the VMs have to communicate with each other, applications running on other servers, and the Internet, according to Matt Sarrell, executive director of security test/analysis firm Sarrell Group.

Much of the drive toward encryption in virtual environments comes from organizations that need to be able to demonstrate a good chain of custody for data under HIPAA or other privacy regulations, according to Sarrell.

That same encryption can help lock the doors on malware that can infect a hypervisor or OS on which a VM runs in a data center, however, keeping the rest of the VMs safe even if one is compromised.

Encrypting data streaming to and from VMs running in either a public or private cloud can also reinforce the doors between your VMs and the neighbors' in public clouds, Hochmuth says.

"Shared-server public clouds are like living in an apartment building, so your security may depend on how safely your neighbors are acting," he says. "Encrypting your VMs and the data can make that situation a little more secure, but again, at a potential risk of a performance hit."

3. Do you know who or what is asking for data?

Security policies linked to MAC or IP addresses don't work well when the entities in question are virtual, according to Gary Chen, research manager for IDC's Enterprise Virtualization Software group.

When apps run on virtual machines the security has to take into account who wants access, what they want to access, when, where and from what device they want access, according to Gartner's MacDonald.

Only in that context can a security policy remain effective, rather than firmly locking down a piece of sensitive data except when a new or untrained employee who has secure access at the office decides to download it across an unencrypted WiFi connection to an unsecured laptop.

Virtual machines should be able to enforce the same level of security policy on one another, and on public or private clouds, applying the company's security requirements according to the context in which data is being requested, not what MAC or IP address sent the request, Hochmuth says.
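An added example (not from the article or any vendor's product) of the contrast described above: a rule keyed to source address next to one that evaluates who is asking, for what, over what network and from what device. The field names, roles, labels and addresses are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed values for illustration; none come from the article.
TRUSTED_ADDRS = {"10.0.5.21"}        # address the legacy rule trusts
CLEARED_ROLES = {"finance", "hr"}    # roles allowed to read sensitive data


@dataclass(frozen=True)
class Request:
    role: str              # who is asking
    label: str             # what they want: "public", "internal", "sensitive"
    src_ip: str            # address the request appears to come from
    encrypted_link: bool   # where: is the network path encrypted?
    managed_device: bool   # from what device: is it company-managed?


def address_policy(req: Request) -> bool:
    """Legacy rule: allow if the source address is on the trusted list."""
    return req.src_ip in TRUSTED_ADDRS


def context_policy(req: Request) -> tuple[bool, list[str]]:
    """Decide from request context; return the decision and the deny reasons."""
    reasons = []
    if req.label == "sensitive":
        if req.role not in CLEARED_ROLES:
            reasons.append("role not cleared")
        if not req.encrypted_link:
            reasons.append("unencrypted network")
        if not req.managed_device:
            reasons.append("unmanaged device")
    return (not reasons, reasons)


# Constructed sample requests.
SAMPLES = {
    "office": Request("finance", "sensitive", "10.0.5.21", True, True),
    # Same workload after its VM moved hosts and picked up a new address.
    "migrated_vm": Request("finance", "sensitive", "10.0.9.77", True, True),
    # Same employee on open WiFi with a personal laptop, via a trusted gateway.
    "open_wifi": Request("finance", "sensitive", "10.0.5.21", False, False),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        ok, why = context_policy(req)
        print(f"{name:12} address={address_policy(req)} context={ok} {why}")
```

The address rule wrongly denies the migrated VM and wrongly allows the open-WiFi download; the context rule gets both right and records why it denied.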

4. Are you scrutinizing the in-between spaces?

Running virtual servers means running an additional operating system -- VMware's vSphere, Citrix's XenServer or Microsoft's Windows Server 2008 -- that can be attacked by hackers or malware designed to recognize and respond to VMs or hypervisors, Chen says.

Malware can not only spread to virtual machines through their connections to the Internet, it can spread among them once it's infected a VM inside the firewall, or inside a physical server -- especially if the VMs are set up for fail-over or disaster-recovery support that gives them special access to one another, Chen says. Encrypting data or identity-protecting it can rebuild walls between servers to keep data safe, even after virtualization software has torn them down to let them share quarters, data or workloads, Hochmuth says.

NIST's View of the Basics

Just like physical servers, virtual servers have to be patched, configured and maintained according to organizational rules that define levels of security so sloppiness or inconsistency doesn't open a hole that negates the whole effort, according to a guide to virtualization security issued yesterday by the U.S. National Institute of Standards and Technology (NIST).

A summary of its guidelines:

1. Secure the hypervisor just as you would an operating system; it functions like an OS and it's vulnerable like one. Holes in it make everything running on it vulnerable.

2. Establish consistent guidelines to configure security on virtual and physical machines, and a process to verify the guidelines are being followed.

3. Extend patch and vulnerability management processes to cover VMs as well as physical machines.


Stories by Kevin Fogarty
