19 December 2008 | 3,862 views

Virtualization Security – IT Managers and Security Experts Disagree

Check Your Web Security with Acunetix

A lot of companies are moving towards virtualization, blade servers and sharing hardware components makes sense when you can have multiple logical servers on one physical machine. I’ve used VMWare in a few situations myself but mostly I don’t see a real requirement for using virtual machines (apart from hosting with a VPS).

There have always been debates about the security, it’s harder to segregate as the virtual machines are somehow attached at the system level so if you can break out of the ‘jail’ (into the ‘hypervisor’) you can effectively access everything on that physical server. There is still a lot of skepticism about the security of virtual servers and the big 3 providers (VMWare, Citrix Xen and Microsoft) are apparently working on some new security solutions, but as they haven’t been released yet you better be careful.

Does transitioning to virtualization increase security risks within a company? IT managers appear to be at loggerheads with IT security professionals over that question, even while sharing similar opinions on where risks might lie, according to a new survey.

The 2009 Security Mega Trends Survey from research firm Ponemon Institute — which also looked at attitudes on other topics, such as outsourcing and Web 2.0 technologies — shows roughly two-thirds of IT operations staff who responded said they felt virtualization of computer resources did not increase information-security risks. But about two-thirds of information security professionals surveyed felt the opposite way.

A full three-quarters of the survey’s 1,402 respondents, all active in U.S.-based private sector firms or government agencies, said their organizations had already implemented virtualization of their computer resources, with about 90% in both the IT and security camps saying they were “familiar” or “very familiar” with virtualization

It’s strange to see the opinions are almost polarized and exactly opposite, 2/3s of managers think that virtualization does not increase risk but 2/3s of security pros think that it does. I’d personally have to say it does increase risk, especially at the moment where it’s still quite a new technology and the implementation and security measures are not mature yet.

Stay away from virtualization for extremely data critical operations.

The survey reflects the often upbeat attitudes about virtualization expressed by experienced IT pros about how the technology, most commonly that of VMware, Microsoft of Citrix Xen, is bringing them the benefit of server consolidation.

“We started virtualization in a development and test environment, and now the main applications we have using VMware in production instances are file and print servers,” says Rich Wagner, director of IT infrastructure at Columbus, Ohio-based Hexion Specialty Chemicals. Wagner says virtualization hasn’t raised red flags as far as security requirements. The main concern, he says, is “from a performance standpoint — the CPU and memory and disk I/O — in sharing a large box,” with database servers seen as a resource-intensive application that might not be well-suited for virtualization.

There’s a far more skeptical view of virtualization security often expressed by seasoned IT security pros, who harbor doubts that vendors on the virtualization front have really sorted out or addressed the risks associated with the underlying hypervisor transformation.

I agree it’s definitely best for a testing/staging situation where you can set up multiple different environments concurrently on the same piece of hardware without having to reboot.

It’s great in a development environment too if you need to test a piece of code on multiple operating systems with different specifications.

But as I said above, for CPU intensive activities and for servers that hold critical data I just don’t think it’s a good idea.

Source: Network World



Recent in General News:
- Google’s Chrome Apps – Are They Worth The Risk?
- Twitter Breach Leaks 250,000 User E-mails & Passwords
- More Cyberterrorism – Taiwan Political Party Accuses China of Hacking

Related Posts:
- IT Managers Under-Estimate Impact Of Data Loss
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks
- TJX Employee Fired for Trying to Fix Things

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,068 views
- eEye Launches 0-Day Exploit Tracker - 85,056 views
- One Of The World’s Most Prolific Music Piracy Groups Busted - 43,464 views

Advertise on Darknet

3 Responses to “Virtualization Security – IT Managers and Security Experts Disagree”

  1. Rafal Los 20 December 2008 at 5:41 am Permalink

    Here’s the problem – with all these “green” initiatives, virtualization marketing has whipped managers and CIOs into a frenzy. Whether security is better or worse off (I tend to agree that we’re creating more risk) this is the reality we’re going to get stuck with.

    Unfortunately security is always behind the hype & marketing machine… so we have no choice but to figure out how to secure virtualized environments; likely this means a continuing flood of tools and services which companies will be unwilling to pay for.

    Merry Christmas.

  2. Bogwitch 20 December 2008 at 9:31 am Permalink

    Virtualisation has it’s place. As with any any solution, the risk vs. benefit must be calculated.

    It is worth noting that the risks do not just stem from the risk of compromise of the underlying hypervisor, but the risks to availability, with many servers being hosted on the same physical hardware, are also increased.

  3. Pantagruel 20 December 2008 at 11:38 am Permalink

    With Bogwitch

    We used to segregate our services, each on their own server (http/smtp/ftp/etc) so if one get broken into the remaining others would be relatively safe (this ofcourse depends on the type of exploit used to get into server X and the availability of this hole on the remaining servers). Herding your servers onto one big server in the form of virtual might result in the big bad wolf penetrating the fence and finding a nice flock of easy pray.

    Rafal Los has a point ,with ‘green’ pro environmental thinking have found it’s way into the IT world, managers seem quite concerned about trying to cut down power consumption which, according to the vendors mentioned, can be achieved through virtualisation.
    We are currently suffering such a manager being convinced VM will save atleast 30%. The only fun is the server fit to run all virtual environments itself consumes already 10% more when idle. (Our first ‘shepherd’ server which did consume 30% less power quickly ran out of resources resulting in a DoS of the smtp VM)
    Regarding the rising oil prices the manager does have a point, but this adds little to security which should be prime in a 5000+ user environment.