Virtualization Security – IT Managers and Security Experts Disagree

A lot of companies are moving towards virtualization, blade servers and sharing hardware components makes sense when you can have multiple logical servers on one physical machine. I’ve used VMWare in a few situations myself but mostly I don’t see a real requirement for using virtual machines (apart from hosting with a VPS).

There have always been debates about the security, it’s harder to segregate as the virtual machines are somehow attached at the system level so if you can break out of the ‘jail’ (into the ‘hypervisor’) you can effectively access everything on that physical server. There is still a lot of skepticism about the security of virtual servers and the big 3 providers (VMWare, Citrix Xen and Microsoft) are apparently working on some new security solutions, but as they haven’t been released yet you better be careful.

Does transitioning to virtualization increase security risks within a company? IT managers appear to be at loggerheads with IT security professionals over that question, even while sharing similar opinions on where risks might lie, according to a new survey.

The 2009 Security Mega Trends Survey from research firm Ponemon Institute — which also looked at attitudes on other topics, such as outsourcing and Web 2.0 technologies — shows roughly two-thirds of IT operations staff who responded said they felt virtualization of computer resources did not increase information-security risks. But about two-thirds of information security professionals surveyed felt the opposite way.

A full three-quarters of the survey’s 1,402 respondents, all active in U.S.-based private sector firms or government agencies, said their organizations had already implemented virtualization of their computer resources, with about 90% in both the IT and security camps saying they were “familiar” or “very familiar” with virtualization

It’s strange to see the opinions are almost polarized and exactly opposite, 2/3s of managers think that virtualization does not increase risk but 2/3s of security pros think that it does. I’d personally have to say it does increase risk, especially at the moment where it’s still quite a new technology and the implementation and security measures are not mature yet.

Stay away from virtualization for extremely data critical operations.

The survey reflects the often upbeat attitudes about virtualization expressed by experienced IT pros about how the technology, most commonly that of VMware, Microsoft of Citrix Xen, is bringing them the benefit of server consolidation.

“We started virtualization in a development and test environment, and now the main applications we have using VMware in production instances are file and print servers,” says Rich Wagner, director of IT infrastructure at Columbus, Ohio-based Hexion Specialty Chemicals. Wagner says virtualization hasn’t raised red flags as far as security requirements. The main concern, he says, is “from a performance standpoint — the CPU and memory and disk I/O — in sharing a large box,” with database servers seen as a resource-intensive application that might not be well-suited for virtualization.

There’s a far more skeptical view of virtualization security often expressed by seasoned IT security pros, who harbor doubts that vendors on the virtualization front have really sorted out or addressed the risks associated with the underlying hypervisor transformation.

I agree it’s definitely best for a testing/staging situation where you can set up multiple different environments concurrently on the same piece of hardware without having to reboot.

It’s great in a development environment too if you need to test a piece of code on multiple operating systems with different specifications.

But as I said above, for CPU intensive activities and for servers that hold critical data I just don’t think it’s a good idea.

Source: Network World

Posted in: Hacking News

Latest Posts:

Socialscan - Command-Line Tool To Check For Email And Social Media Username Usage Socialscan – Command-Line Tool To Check For Email And Social Media Username Usage
socialscan is an accurate command-line tool to check For email and social media username usage on online platforms, given an email address or username,
CFRipper - CloudFormation Security Scanning & Audit Tool CFRipper – CloudFormation Security Scanning & Audit Tool
CFRipper is a Python-based Library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool
CredNinja - Test Credential Validity of Dumped Credentials or Hashes CredNinja – Test Credential Validity of Dumped Credentials or Hashes
CredNinja is a tool to quickly test credential validity of dumped credentials (or hashes) across an entire network or domain very efficiently.
assetfinder - Find Related Domains and Subdomains assetfinder – Find Related Domains and Subdomains
assetfinder is a Go-based tool to find related domains and subdomains that are related to a given domain from a variety of sources including Facebook and more.
Karkinos - Beginner Friendly Penetration Testing Tool Karkinos – Beginner Friendly Penetration Testing Tool
Karkinos is a light-weight Beginner Friendly Penetration Testing Tool, which is basically a 'Swiss Army Knife' for pen-testing and/or hacking CTF's.
Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.

3 Responses to Virtualization Security – IT Managers and Security Experts Disagree

  1. Rafal Los December 20, 2008 at 5:41 am #

    Here’s the problem – with all these “green” initiatives, virtualization marketing has whipped managers and CIOs into a frenzy. Whether security is better or worse off (I tend to agree that we’re creating more risk) this is the reality we’re going to get stuck with.

    Unfortunately security is always behind the hype & marketing machine… so we have no choice but to figure out how to secure virtualized environments; likely this means a continuing flood of tools and services which companies will be unwilling to pay for.

    Merry Christmas.

  2. Bogwitch December 20, 2008 at 9:31 am #

    Virtualisation has it’s place. As with any any solution, the risk vs. benefit must be calculated.

    It is worth noting that the risks do not just stem from the risk of compromise of the underlying hypervisor, but the risks to availability, with many servers being hosted on the same physical hardware, are also increased.

  3. Pantagruel December 20, 2008 at 11:38 am #

    With Bogwitch

    We used to segregate our services, each on their own server (http/smtp/ftp/etc) so if one get broken into the remaining others would be relatively safe (this ofcourse depends on the type of exploit used to get into server X and the availability of this hole on the remaining servers). Herding your servers onto one big server in the form of virtual might result in the big bad wolf penetrating the fence and finding a nice flock of easy pray.

    Rafal Los has a point ,with ‘green’ pro environmental thinking have found it’s way into the IT world, managers seem quite concerned about trying to cut down power consumption which, according to the vendors mentioned, can be achieved through virtualisation.
    We are currently suffering such a manager being convinced VM will save atleast 30%. The only fun is the server fit to run all virtual environments itself consumes already 10% more when idle. (Our first ‘shepherd’ server which did consume 30% less power quickly ran out of resources resulting in a DoS of the smtp VM)
    Regarding the rising oil prices the manager does have a point, but this adds little to security which should be prime in a 5000+ user environment.