There has been a rapid adoption of virtualisation technologies by businesses in recent times in order to decrease costs and improve efficiencies and availability of IT resources as well as conserve energy.
As with all new technologies that become prolific throughout the IT industry in a short space of time, there is uncertainty around the security concerns of virtualised environments. In most cases, deployment of virtualisation is considered more important than taking appropriate security measures, which can prove to be a risky move in the long term.
There seems to be a lack of consensus within the IT industry whether virtualised environments are fundamentally no less secure than physical ones, and that virtualisation can actually enable better security. The bottom line, however, is that virtualisation platforms are software and all software can have flaws. It is how we thoroughly plan and introduce proper policies and IT strategies to secure these platforms that will eventually mitigate the risk of attacks.
Virtualisation makes it easy to build and deploy new releases and put changes into production. Service providers have also used virtualisation to respond to customer demands and provide capabilities such as instant provisioning, as well as the ability to offer the isolation and manageability of dedicated hosting without reserving expensive hardware for each customer. Today, these capabilities are prerequisites to achieving the elasticity and flexibility of private and public clouds.
The ‘Big’ question of what’s in it for me?
Virtualised platforms have the potential to significantly lower IT costs by moving to a virtualised infrastructure. According to a CIO Research Survey, the top five reasons customers move to virtual servers for their applications are:
- To cut costs via server consolidation (81 per cent)
- To improve disaster recovery (DR) and backup plans (63 per cent)
- To provision computing resources to end users more quickly (55 per cent)
- To offer more flexibility to the business (53 per cent)
- To provide competitive advantage (13 per cent)
New security challenges in the new world
The adoption of virtualisation raises the question - will security be harder or easier now? According to a report conducted by Applied Research, some 2,100 of the top IT and security managers in 27 countries were surveyed about their opinions regarding this question with inconclusive results.
The report showed that one-third of the group thought virtualisation and cloud computing made security “harder,” while one-third said it was “more or less the same” with the remainder saying it was “easier.”
The results seem to indicate that many security experts are either in the process of defining policy for virtual environments, or have chosen to postpone that effort until a later date.
Perhaps, as a result of this failure to tackle the security question when deploying virtualised servers, there are experts who believe that the majority of virtual deployments may be less secure than physical deployments.
Neal MacDonald of Gartner Group has estimated that “60 per cent of virtualised servers will be less secure than the physical servers they replace.” According to MacDonald some of the most common security risks for data centre virtualisation include:
- Information security isn’t initially considered in virtualisation projects.
- A compromise of the virtualisation layer could result in the compromise of all hosted workloads.
- Workloads of different trust levels are consolidated onto a single physical server without sufficient separation. Adequate controls on administrative access to the hypervisor (Virtual Machine Monitor) layer and to administrative tools are lacking.
- There is a potential loss of Separation of Duties (SOD) for network and security controls.
Traditionally, network security has been designed as a “one server, one application’ model with physical networking in mind. Firewalls and UTM appliances leverage the network designs based on the fundamental notions of:
- Perimeter enforcement – protecting the “inside” from the “outside” – with network architectures that are built on this separation.
- All traffic flows over physical networks, so security can be implemented by interposing physical devices on the wire.
- Network architectures blur the “perimeter” with private resources spanning locations in arrangements leveraging VPNs.
- An all-or-nothing, inside-vs-outside approach does not take into account the need to protect information, regardless of location.
- Multiple organisations and applications within a business, and multiple businesses hosted by a service provider, can be on the same side of a physical perimeter thereby complicating matters.
- Compliance and privacy requirements make it necessary to offer security and auditability between entities within the same virtual infrastructure.
- Mobile users can easily bring malware into a shared infrastructure.
- For service providers, the ability to offer full protection is even more critical when multiple customers are hosted on the same server farm – or even on the same server.
- Physical appliances cannot offer in-line protection in a dynamic virtual infrastructure.
- High-availability and live motion capabilities can mean that applications do not always run on the same physical servers.
- Traffic can pass over virtual-only networks within a server, making it impossible to interpose a physical device.
What are the possible solutions?
Virtualised environments can be secured by proper planning, configuration management programs and IT strategies that define policies and guidelines and follow best practices in administrative access and patch management of both Guest and Host.
It is also important to secure all elements of a full virtualisation solution in order to maintain security. This ranges from securing the hypervisor and guest OS, as well as storage and applications. In other words, virtualised operating systems should have the same security measures as operating systems running on hardware.
In summary, an increased reliance on virtualisation has reawakened the need for virtual security. After all, unprotected virtual machines make bad neighbours. In particular, as with other new technologies, as virtualisation matures and usage increases among smaller companies, organisations may not fully understand the potential security ramifications of poorly implemented virtual environments. The lack of security know-how and increased reliance on virtualisation leads to the increased risk of data loss and such issues must be addressed when considering deployment of virtualisation within an organisation.
Scott Robertson is the VP Asia Pacific of WatchGuard Technologies