Questions on Virtualization Security You Want Answered.
While virtualization may not be a new topic, it’s still a hot topic. And what’s been heating up more and more is talk about virtualization security.
When it comes to the concepts and solutions around protecting virtual and cloud environments, people have a lot of questions. In the past month, I’ve traveled to trade shows, participated in Webinars, and spoken to a lot of data center administrators to learn what’s top of mind for them with regard to virtualization security. Here’s a sampling of what I’ve been asked.
Does virtualization introduce any unique security issues to IT environments?
Yes. The two biggest issues virtualization introduces are: 1) the high rate of misconfiguration and error that comes from changes being made so frequently to virtual machines (VMs); and 2) the mixed-mode use of VM hosts (e.g., where high-value VMs are on the same host as Web servers and Internet-connected servers), which triggers the need for proper VM isolation.
Have many security issues or violation trends occurred in virtual environments?
To date, there have been few publicly known attacks on virtualized systems and clouds, with the exception of two notable attacks: 1) the Conficker computer worm attack and 2) the Zeus botnet found on Amazon’s EC2 some time ago.
As with physical environments, the best way to avoid issues in the virtual world is to know of any risks and be prepared to avoid them. (For more information on this, read: http://www.securityweek.com/cloud-security-offense-dont-recover-attacks-avoid-them)
Who should manage the virtual firewall policies?
Generally, management is a shared responsibility. The security administrators define the policies and the virtualization infrastructure administrators refine them, as the latter have more context and expertise on the use and necessary isolation requirements of the VMs.
How is PCI compliance more challenging in virtualized environments?
Among other requirements, PCI DSS states that in-scope servers must be confined to a single use and application. A physical PCI server can be in compliance by putting it behind a physical firewall that blocks all traffic except for the allowed application rule. In-scope VMs are a bit more difficult to moat off because they are implemented as software inside a VM host. The only pragmatic way to properly isolate them to a single function—without impacting virtualization ROI—is to have a firewall inside that environment. In other words, you need a hypervisor-based, purpose-built virtualization firewall that can be used to limit access by protocol, inspect for malware, and scan for unwanted installed services, applications, and settings.
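The two checks discussed above, mixed-mode hosts and single-function isolation of in-scope VMs, can be run against a VM inventory. The following Python is an added example, not part of the original article; the inventory format, zone labels, and all VM and host names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical names): each VM lists its host,
# a trust zone label, and the inbound rules its virtual firewall policy allows.
INVENTORY = [
    {"vm": "pay-db-01", "host": "esx-a", "zone": "pci",
     "allow": [("tcp", 1433)]},
    {"vm": "pay-app-01", "host": "esx-a", "zone": "pci",
     "allow": [("tcp", 443), ("tcp", 22)]},
    {"vm": "web-01", "host": "esx-a", "zone": "internet",
     "allow": [("tcp", 80), ("tcp", 443)]},
    {"vm": "pay-db-02", "host": "esx-b", "zone": "pci",
     "allow": [("any", 0)]},
    {"vm": "hr-01", "host": "esx-c", "zone": "internal",
     "allow": [("tcp", 443)]},
]

HIGH_VALUE = {"pci"}      # zones treated as high-value / in-scope (assumption)
EXPOSED = {"internet"}    # zones treated as Internet-connected (assumption)

def mixed_mode_hosts(inventory):
    """Return {host: (high_value_vms, exposed_vms)} for hosts carrying both."""
    by_host = defaultdict(lambda: ([], []))
    for vm in inventory:
        high, exposed = by_host[vm["host"]]
        if vm["zone"] in HIGH_VALUE:
            high.append(vm["vm"])
        elif vm["zone"] in EXPOSED:
            exposed.append(vm["vm"])
    return {h: pair for h, pair in by_host.items() if pair[0] and pair[1]}

def single_function_violations(inventory):
    """Flag in-scope VMs whose policy allows more than one application rule
    or contains a wildcard protocol, i.e. is not confined to a single use."""
    findings = {}
    for vm in inventory:
        if vm["zone"] not in HIGH_VALUE:
            continue
        rules = vm["allow"]
        if any(proto == "any" for proto, _ in rules):
            findings[vm["vm"]] = "wildcard rule"
        elif len(rules) != 1:
            findings[vm["vm"]] = f"{len(rules)} allowed services, expected 1"
    return findings

if __name__ == "__main__":
    print(mixed_mode_hosts(INVENTORY))
    print(single_function_violations(INVENTORY))
```

On the sample data, host esx-a is reported as mixed-mode, and pay-app-01 and pay-db-02 are reported as not confined to a single function.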
What are the major differences between virtual firewall offerings on the market today?
When looking for a virtual firewall vendor, the best questions you can ask are:
1. Is it hypervisor-based or a virtual appliance?
2. Is it fastpath or slowpath?
3. Is it VMsafe certified?
4. What is the TCO (as some products have “hidden” costs such as requiring VMware enterprise software licenses, additional hardware, etc.)?
Where can I find more resources on the subject?
While by no means an exhaustive list, the following are rich sources of virtualization security information.
Gartner — For getting the latest information on market trends, especially for cloud and virtualization security, we think Neil MacDonald’s blog is a must read. As a Gartner fellow with 25 years in IT, Neil’s quotes on the space are ubiquitous, as are his insights on virtualization security innovations and their importance to customers.
VMware — This is an obvious destination for all things virtualization, but we urge you to also bookmark the security resource center, which is replete with all sorts of recommendations and guidance. The latest ones to catch our eye are the recently released vSphere 4.0 hardening guide and the FAQ on the benefits of using VMsafe (new with vSphere).
PCI v2.0 — Whether you deal in credit card information or not, the PCI Data Security Standard is one of the most prescriptive and concise among compliance regulations such as SOX, HIPAA, GLBA, FISMA, etc. And while no regulations currently deal explicitly with virtualization and cloud security, the PCI Security Standards Council (SSC) is taking the lead on this front and their work is likely to be a reference point for other standards.
Virtualization Practice — This one might be a surprise, but the folks at this small analyst firm do a great job of synthesizing news, helpful links, vendor insights and industry happenings in their packed site. It’s especially helpful if you’re doing research on a topic, say VM Introspection, or an angle where you’re bound to find a blog post and some helpful outbound links.