Virtualization Security – IT Managers and Security Experts Disagree

A lot of companies are moving towards virtualization, blade servers and sharing hardware components makes sense when you can have multiple logical servers on one physical machine. I’ve used VMWare in a few situations myself but mostly I don’t see a real requirement for using virtual machines (apart from hosting with a VPS).

There have always been debates about the security, it’s harder to segregate as the virtual machines are somehow attached at the system level so if you can break out of the ‘jail’ (into the ‘hypervisor’) you can effectively access everything on that physical server. There is still a lot of skepticism about the security of virtual servers and the big 3 providers (VMWare, Citrix Xen and Microsoft) are apparently working on some new security solutions, but as they haven’t been released yet you better be careful.

Does transitioning to virtualization increase security risks within a company? IT managers appear to be at loggerheads with IT security professionals over that question, even while sharing similar opinions on where risks might lie, according to a new survey.

The 2009 Security Mega Trends Survey from research firm Ponemon Institute — which also looked at attitudes on other topics, such as outsourcing and Web 2.0 technologies — shows roughly two-thirds of IT operations staff who responded said they felt virtualization of computer resources did not increase information-security risks. But about two-thirds of information security professionals surveyed felt the opposite way.

A full three-quarters of the survey’s 1,402 respondents, all active in U.S.-based private sector firms or government agencies, said their organizations had already implemented virtualization of their computer resources, with about 90% in both the IT and security camps saying they were “familiar” or “very familiar” with virtualization

It’s strange to see the opinions are almost polarized and exactly opposite, 2/3s of managers think that virtualization does not increase risk but 2/3s of security pros think that it does. I’d personally have to say it does increase risk, especially at the moment where it’s still quite a new technology and the implementation and security measures are not mature yet.

Stay away from virtualization for extremely data critical operations.

The survey reflects the often upbeat attitudes about virtualization expressed by experienced IT pros about how the technology, most commonly that of VMware, Microsoft of Citrix Xen, is bringing them the benefit of server consolidation.

“We started virtualization in a development and test environment, and now the main applications we have using VMware in production instances are file and print servers,” says Rich Wagner, director of IT infrastructure at Columbus, Ohio-based Hexion Specialty Chemicals. Wagner says virtualization hasn’t raised red flags as far as security requirements. The main concern, he says, is “from a performance standpoint — the CPU and memory and disk I/O — in sharing a large box,” with database servers seen as a resource-intensive application that might not be well-suited for virtualization.

There’s a far more skeptical view of virtualization security often expressed by seasoned IT security pros, who harbor doubts that vendors on the virtualization front have really sorted out or addressed the risks associated with the underlying hypervisor transformation.

I agree it’s definitely best for a testing/staging situation where you can set up multiple different environments concurrently on the same piece of hardware without having to reboot.

It’s great in a development environment too if you need to test a piece of code on multiple operating systems with different specifications.

But as I said above, for CPU intensive activities and for servers that hold critical data I just don’t think it’s a good idea.

Source: Network World

Posted in: Hacking News

Latest Posts:

Sandcastle - AWS S3 Bucket Enumeration Tool Sandcastle – AWS S3 Bucket Enumeration Tool
Astra - API Automated Security Testing For REST Astra – API Automated Security Testing For REST
Astra is a Python-based tool for API Automated Security Testing, REST API penetration testing is complex due to continuous changes in existing APIs.
Judas DNS - Nameserver DNS Poisoning Attack Tool Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download - Tools for Network Auditing & Password Sniffing dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network
OWASP Amass - DNS Enumeration, Attack Surface Mapping & External Asset Discovery OWASP Amass – DNS Enumeration, Attack Surface Mapping & External Asset Discovery
The OWASP Amass Project is a DNS Enumeration, Attack Surface Mapping & External Asset Discovery tool to help information security professionals perform network mapping of attack surfaces.
Cameradar - Hack RTSP Video Surveillance CCTV Cameras Cameradar – Hack RTSP Video Surveillance CCTV Cameras
Cameradar is a Go-based tool to hack RTSP Video Surveillance CCTV Cameras, it can detect open RTSP hosts, detect device models and launch automated attacks.

3 Responses to Virtualization Security – IT Managers and Security Experts Disagree

  1. Rafal Los December 20, 2008 at 5:41 am #

    Here’s the problem – with all these “green” initiatives, virtualization marketing has whipped managers and CIOs into a frenzy. Whether security is better or worse off (I tend to agree that we’re creating more risk) this is the reality we’re going to get stuck with.

    Unfortunately security is always behind the hype & marketing machine… so we have no choice but to figure out how to secure virtualized environments; likely this means a continuing flood of tools and services which companies will be unwilling to pay for.

    Merry Christmas.

  2. Bogwitch December 20, 2008 at 9:31 am #

    Virtualisation has it’s place. As with any any solution, the risk vs. benefit must be calculated.

    It is worth noting that the risks do not just stem from the risk of compromise of the underlying hypervisor, but the risks to availability, with many servers being hosted on the same physical hardware, are also increased.

  3. Pantagruel December 20, 2008 at 11:38 am #

    With Bogwitch

    We used to segregate our services, each on their own server (http/smtp/ftp/etc) so if one get broken into the remaining others would be relatively safe (this ofcourse depends on the type of exploit used to get into server X and the availability of this hole on the remaining servers). Herding your servers onto one big server in the form of virtual might result in the big bad wolf penetrating the fence and finding a nice flock of easy pray.

    Rafal Los has a point ,with ‘green’ pro environmental thinking have found it’s way into the IT world, managers seem quite concerned about trying to cut down power consumption which, according to the vendors mentioned, can be achieved through virtualisation.
    We are currently suffering such a manager being convinced VM will save atleast 30%. The only fun is the server fit to run all virtual environments itself consumes already 10% more when idle. (Our first ‘shepherd’ server which did consume 30% less power quickly ran out of resources resulting in a DoS of the smtp VM)
    Regarding the rising oil prices the manager does have a point, but this adds little to security which should be prime in a 5000+ user environment.