Common virtualisation security risks and mitigation advice
How to mitigate the main virtualisation security risks
1. Risks being ignored

According to Gartner, 60 percent of virtualised servers will be less secure than the physical servers they replace by the end of 2012, although Gartner expects this figure to fall to 30 percent by the end of 2015.

Gartner also notes that at the end of 2009, 18 percent of enterprise data centre workloads that could be virtualised had been virtualised, and expects the number to grow to more than 50 percent by the close of 2012. As more is virtualised, as workloads of different trust levels are combined on the same hardware, and as virtualised workloads become more mobile, the security issues associated with virtualisation become more critical to address.
2. Risk 1: Information Security Isn't Initially Involved in the Virtualisation Projects

Why does this happen? Involving security from the start of new project work is a basic control. Organisations that skip it have no effective security function and will not be able to demonstrate compliance with any of the ICT standards. Perhaps the virtualisation project is considered so important that nobody wants security getting in the way. Survey data from Gartner in 2009 indicated that about 40 percent of virtualisation deployment projects were undertaken without involving the information security team in the initial architecture and planning stages, so the new security analysis that the hypervisor and virtual machine monitor (VMM) require was never done.
3. Risk 2: A Compromise of the Virtualisation Layer Could Result in the Compromise of All Hosted Workloads

It is an acknowledged security truism that an attacker with physical access to a machine will, given enough time and resources, break its security. In a virtualised estate the equivalent of physical access (a virtual machine's console, disk image and memory) is reachable through the virtualisation layer from anywhere on the management network. The virtualisation layer will contain embedded and yet-to-be-discovered vulnerabilities that may be exploitable. From an IT security management viewpoint this layer must be patched, and with real-time scaling and transience, with new virtual machines added, moved and deleted at a rapid pace, combined with reduced visibility into the virtual infrastructure, configuring and securing virtual ICT is much different from physical ICT. The recommendation is that organisations treat this layer as the most critical x86 platform in the enterprise data centre and keep it as thin as possible, while hardening its configuration against unauthorised changes. Virtualisation vendors should be required to support measurement of the hypervisor/VMM layer on boot-up, so that it can be shown not to have been tampered with before any workload is started. Above all, organisations should not rely on host-based security controls running inside a guest to detect a compromise of, or protect, anything running below them: a control cannot observe the layer it depends on.
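The boot-time measurement the paragraph above asks vendors to support works by folding a hash of each boot component into a register that later stages cannot reset, so a verifier can compare the final value with that of a known-good build. The following Python is an added example, not code from the original page or from any virtualisation vendor: it models a TPM-style PCR extend chain for a hypervisor boot sequence and the verifier that checks it. The component names, their image bytes and the "golden" build are constructed placeholders.

```python
"""
Simulated measured boot for a hypervisor platform (added example).

Models how a TPM-style Platform Configuration Register (PCR) accumulates
measurements of the boot chain, and how a verifier uses the reported PCR
plus the event log to decide whether the hypervisor that booted is the
known-good build. Component images below are constructed placeholders.
"""
import hashlib

HASH = hashlib.sha256
PCR_INITIAL = b"\x00" * 32  # PCRs start zeroed at power-on

# Constructed boot chain: (component name, bytes that would be measured).
# On a real platform each stage measures the next one before handing over.
GOLDEN_CHAIN = [
    ("firmware",   b"uefi-build-2011.3"),
    ("bootloader", b"grub-2.00-signed"),
    ("hypervisor", b"vmm-kernel-4.1.0"),
    ("vmm-config", b"lockdown=on;ssh=off;mgmt-net=vlan100"),
]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR' = H(PCR || H(measurement)). Order matters
    and the operation is one-way, so a later stage cannot undo it."""
    return HASH(pcr + HASH(measurement).digest()).digest()


def measure_chain(chain):
    """Extend a PCR with every component in boot order.
    Returns (final_pcr, event_log) where the log lists (name, hex digest)."""
    pcr = PCR_INITIAL
    log = []
    for name, image in chain:
        log.append((name, HASH(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, log


def tampered_chain(chain, component, new_image):
    """Constructed attack: replace one component's image (e.g. a backdoored VMM)."""
    return [(n, new_image if n == component else img) for n, img in chain]


def verify_boot(reported_pcr: bytes, reported_log, golden_pcr: bytes):
    """
    Verifier side:
      1. replay the event log and check it reproduces the reported PCR
         (otherwise the log itself has been forged);
      2. compare the PCR with the golden value;
      3. on mismatch, name the first component that differs from the golden log.
    Returns (ok, reason).
    """
    pcr = PCR_INITIAL
    for _, digest in reported_log:
        pcr = HASH(pcr + bytes.fromhex(digest)).digest()
    if pcr != reported_pcr:
        return False, "event log does not reproduce reported PCR (log tampered?)"
    if reported_pcr != golden_pcr:
        _, golden_log = measure_chain(GOLDEN_CHAIN)
        for (name, d), (_, g) in zip(reported_log, golden_log):
            if d != g:
                return False, f"{name} differs from golden build"
        return False, "unknown boot chain"
    return True, "hypervisor matches golden build"


if __name__ == "__main__":
    golden_pcr, _ = measure_chain(GOLDEN_CHAIN)
    bad = tampered_chain(GOLDEN_CHAIN, "vmm-config",
                         b"lockdown=off;ssh=on;mgmt-net=vlan100")
    pcr, log = measure_chain(bad)
    print(verify_boot(pcr, log, golden_pcr))
```

The important property is in `verify_boot`: the verifier trusts neither the event log nor the PCR on its own, but checks that they agree with each other before comparing against the golden value, so an attacker who controls the boot chain cannot simply report the expected log.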

4. Risk 3: The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms

For efficiency in communications between virtual machines (VMs), most virtualisation platforms include the ability to create software-based virtual networks and switches inside the physical host so that VMs can communicate directly. This traffic never leaves the host, so it is not visible to network-based security devices such as network-based intrusion prevention systems unless it is explicitly mirrored to them or passed through a virtual sensor. At a minimum, organisations require the same type of monitoring they place on physical networks, so that they do not lose visibility and control when workloads and networks are virtualised.

5. Risk 4: Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation

As virtualisation becomes more mainstream, more critical systems and sensitive workloads are being targeted for virtualisation. This becomes an issue when these workloads are combined with workloads from different trust zones on the same physical server without adequate separation. At a minimum, enterprises should require the same type of separation they require in physical networks today for workloads of different trust levels within the enterprise data centre. They should treat hosted virtual desktop workloads as untrusted and strongly isolate them from the rest of the physical data centre. Separation must also follow the workload: audit and monitoring tools are needed for the data paths used for virtual machine mobility, following virtual machines as they migrate across resource pools and virtualised storage, including SAN and NAS storage networks.
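Risks 3 and 4 both come down to checks that can be run against the platform's inventory: is every virtual switch that carries VM traffic watched by a sensor, and do workloads of different trust zones share a host or a broadcast domain? The Python below is an added example, not code from the original page or from any virtualisation product. The inventory records, the zone names and the rule that desktop ("vdi") workloads must not share a host with anything else are constructed for illustration; a real tool would pull the data from the platform's management API.

```python
"""
Policy check for a virtualised estate (added example):
  - Risk 3: inter-VM traffic on every in-use virtual switch must be visible
            to a sensor (mirror/SPAN port or inline virtual IPS);
  - Risk 4: different trust zones must not share a segment, and untrusted
            (virtual desktop) workloads must not share a host at all.
Inventory below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VSwitch:
    name: str
    host: str
    monitored: bool   # True if a mirror port or inline sensor sees its traffic


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    vswitch: str
    vlan: int
    zone: str         # trust zone, e.g. "dmz", "internal", "pci", "vdi"


# Constructed sample inventory
SWITCHES = [
    VSwitch("vSwitch0", "esx-01", monitored=True),
    VSwitch("vSwitch1", "esx-01", monitored=False),
    VSwitch("vSwitch0", "esx-02", monitored=False),
]
VMS = [
    VM("web-01",  "esx-01", "vSwitch0", 10, "dmz"),
    VM("db-01",   "esx-01", "vSwitch1", 20, "pci"),
    VM("app-01",  "esx-01", "vSwitch1", 20, "internal"),
    VM("vdi-017", "esx-02", "vSwitch0", 30, "vdi"),
    VM("hr-01",   "esx-02", "vSwitch0", 31, "internal"),
]


def check_visibility(switches, vms):
    """Risk 3: flag every virtual switch that carries VM traffic but is unmonitored."""
    in_use = {(vm.host, vm.vswitch) for vm in vms}
    return [f"{sw.host}/{sw.name}: inter-VM traffic not visible to any sensor"
            for sw in switches
            if (sw.host, sw.name) in in_use and not sw.monitored]


def check_separation(vms, untrusted_zones=("vdi",)):
    """Risk 4: flag mixed-zone broadcast domains and untrusted co-residency."""
    findings = []
    by_segment = defaultdict(set)   # (host, vswitch, vlan) -> zones present
    by_host = defaultdict(set)      # host -> zones present
    for vm in vms:
        by_segment[(vm.host, vm.vswitch, vm.vlan)].add(vm.zone)
        by_host[vm.host].add(vm.zone)
    for (host, sw, vlan), zones in sorted(by_segment.items()):
        if len(zones) > 1:
            findings.append(
                f"{host}/{sw} VLAN {vlan}: zones {sorted(zones)} share a segment")
    for host, zones in sorted(by_host.items()):
        for z in untrusted_zones:
            if z in zones and len(zones) > 1:
                findings.append(
                    f"{host}: untrusted zone '{z}' co-resident with {sorted(zones - {z})}")
    return findings


def audit(switches=SWITCHES, vms=VMS):
    """Run both checks and return the combined list of findings."""
    return check_visibility(switches, vms) + check_separation(vms)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

Against the sample inventory this reports two unmonitored switches, one VLAN on esx-01 where a PCI workload shares a segment with an internal one, and a virtual desktop co-resident with an HR server on esx-02. The segment key deliberately includes host, switch and VLAN: two VMs on the same host but on different VLANs are on different segments, while a VLAN number alone says nothing if the switches are not trunked together.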

6. Risk 5: Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking

Administrative access to the hypervisor/VMM layer must be controlled, but this is complicated by the fact that most virtualisation platforms provide multiple paths of administration for this layer (a local console, a remote shell, a management client and an API, for instance), and every one of them has to be restricted. Access to the virtualisation layer should be restricted as it would be for any sensitive operating system, backed by a mature provisioning and change management process; ITIL and ISO 27001/5 are good examples. Virtual ICT is meant to be highly automated, and this requires highly automated configuration and change management tools. These tools can detect variance from a secure baseline and enforce change management workflows, integrating configuration and change management with data protection, access controls and policy-based protection against accidental or intentional misconfiguration.
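"Detect variance from a secure baseline and enforce change management workflows" is a concrete loop: read each host's configuration, compare it with the baseline, and accept a deviation only when an approved change record covers exactly that host, setting and value. The Python below is an added example, not code from the original page or from any platform or ITSM product. The setting names, the baseline values, the host snapshots and the change tickets are constructed; in practice the settings would come from the hypervisor's management API and the tickets from the change management system.

```python
"""
Baseline drift detection for hypervisor hosts tied to change records
(added example). Settings, baseline, host snapshots and change tickets
are constructed sample data.
"""
from dataclasses import dataclass

# Constructed secure baseline applied to every hypervisor host. The first
# three entries cover the separate administrative paths (remote shell,
# local console, management API) that each need their own restriction.
BASELINE = {
    "ssh.enabled": False,
    "dcui.enabled": False,                     # local console
    "api.allowed_networks": "10.0.100.0/24",   # management network only
    "lockdown_mode": "strict",
    "syslog.remote_host": "siem.corp.example",
    "ntp.server": "ntp.corp.example",
}


@dataclass(frozen=True)
class Change:
    ticket: str
    host: str
    setting: str
    new_value: object
    approved: bool


# Constructed host snapshots as an inventory tool would return them.
HOSTS = {
    "esx-01": {"ssh.enabled": True, "dcui.enabled": False,
               "api.allowed_networks": "10.0.100.0/24", "lockdown_mode": "strict",
               "syslog.remote_host": "siem.corp.example", "ntp.server": "ntp.corp.example"},
    "esx-02": {"ssh.enabled": False, "dcui.enabled": False,
               "api.allowed_networks": "0.0.0.0/0", "lockdown_mode": "normal",
               "ntp.server": "ntp.corp.example"},      # syslog.remote_host missing
}

# Constructed change records.
CHANGES = [
    Change("CHG-1042", "esx-01", "ssh.enabled", True, approved=True),        # vendor support window
    Change("CHG-1043", "esx-02", "lockdown_mode", "normal", approved=False),  # requested, not approved
]


def audit_host(host, observed, baseline=BASELINE, changes=()):
    """
    Compare one host's observed settings with the baseline.
    A deviation is acceptable only when an approved change names this host,
    this setting and exactly this value; anything else is unauthorized drift.
    A setting absent from the host is reported as None.
    Returns (approved_deviations, unauthorized_deviations) as lists of strings.
    """
    approved, unauthorized = [], []
    ticket_for = {(c.host, c.setting, c.new_value): c.ticket
                  for c in changes if c.approved}
    for setting, expected in baseline.items():
        actual = observed.get(setting)
        if actual == expected:
            continue
        msg = f"{host}: {setting} = {actual!r} (baseline {expected!r})"
        ticket = ticket_for.get((host, setting, actual))
        if ticket:
            approved.append(f"{msg} approved under {ticket}")
        else:
            unauthorized.append(msg)
    return approved, unauthorized


def audit_all(hosts=HOSTS, changes=CHANGES):
    """Audit every host; returns {host: (approved, unauthorized)}."""
    return {h: audit_host(h, cfg, changes=changes) for h, cfg in hosts.items()}


if __name__ == "__main__":
    for host, (ok, drift) in audit_all().items():
        for line in ok:
            print("APPROVED    ", line)
        for line in drift:
            print("UNAUTHORIZED", line)
```

Two points are deliberate. A missing setting counts as drift rather than being skipped, because a host that has silently lost its remote syslog destination is exactly the case a baseline check exists to catch. And the change record must match the observed value, not just the setting: a ticket approving SSH for a support window does not cover an administrator who also opened the API to the whole network.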

7. Risk 6: There Is a Potential Loss of Separation of Duties for Network and Security Controls

When physical servers are collapsed into a single machine, the risk increases that both system administrators and users will inadvertently gain access to data beyond their normal privilege levels. Another area of concern is which group configures and supports the internal virtual switch. The team responsible for network topology (including virtual LANs) in the physical environment should be responsible for it in the virtual environment too. Organisations should favour virtualisation platform architectures that support replaceable switch code, so that the same console and policies span physical and virtual configurations. Role-based administration and separation of duties are standard operating procedure in physical IT, and organisations must create processes and deploy tools that enforce dual controls for critical tasks in virtual ICT.

Contributing Authors
Jeremy