
The Questions You Want Answered about Virtualization Security

Questions on Virtualization Security You Want Answered.

While virtualization may not be a new topic, it’s still a hot topic. And what’s been heating up more and more is talk about virtualization security.


When it comes to the concepts and solutions around protecting virtual and cloud environments, people have a lot of questions. In the past month, I’ve traveled to trade shows, participated in Webinars, and spoken to a lot of data center administrators to learn what’s top of mind for them with regards to virtualization security. Here’s a sampling of what I’ve been asked.

Does virtualization introduce any unique security issues to IT environments?

Yes. The two biggest issues virtualization introduces are: 1) a high degree of misconfiguration and errors, because changes are made so frequently to virtual machines (VMs); and 2) the mixed-mode use of VM hosts (e.g., where high-value VMs are on the same host as Web servers and Internet-connected servers), which triggers the need for proper VM isolation.

Have many security issues or violation trends occurred in virtual environments?

To date, there have been few publicly known attacks on virtualized systems and clouds, with the exception of two notable attacks: 1) the Conficker computer worm attack and 2) the Zeus botnet found on Amazon’s EC2 some time ago.

As with physical environments, the best way to avoid issues in the virtual world is to know of any risks and be prepared to avoid them. (For more information on this, read:


Who should manage the virtual firewall policies?

Generally, management is a shared responsibility. The security administrators define the policies and the virtualization infrastructure administrators refine them, as the latter have more context and expertise on the use and necessary isolation requirements of the VMs.

How is PCI compliance more challenging in virtualized environments?

Among other requirements, PCI DSS states that in-scope servers must be confined to a single use and application. A physical PCI server can be in compliance by putting it in front of a physical firewall that enforces a block on all traffic except for the allowed application rule. In-scope VMs are a bit more difficult to moat off because they are implemented as software inside a VM host. The only pragmatic way to properly isolate them to a single function—without impacting virtualization ROI—is to have a firewall inside that environment. Or, in other words, a hypervisor-based purpose-built virtualization firewall that can be used to limit access by protocol, inspect for malware, and scan for unwanted installed services, applications, and settings.
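The two checks discussed above (mixed-mode hosts, and in-scope VMs confined to one application rule behind a block on everything else) can be run against a VM inventory export. The following is an added example, not code from the article or any vendor; the inventory format, tag names, VM and host names, and the allowed flows are all constructed assumptions, and rules are taken to be ordered with the last rule as the catch-all.

```python
"""Audit a VM inventory for mixed-mode hosts and non-single-function PCI VMs."""

# Constructed sample data: VM, host and tag names and all rules are illustrative.
INVENTORY = [
    {"vm": "pci-db01", "host": "esx-a", "tags": {"pci"},
     "rules": [("allow", "tcp", 1433), ("deny", "any", "any")]},
    {"vm": "web01", "host": "esx-a", "tags": {"internet"},
     "rules": [("allow", "tcp", 443), ("deny", "any", "any")]},
    {"vm": "pci-app01", "host": "esx-b", "tags": {"pci"},
     "rules": [("allow", "tcp", 8443), ("allow", "tcp", 22)]},
    {"vm": "build01", "host": "esx-b", "tags": set(),
     "rules": [("allow", "any", "any")]},
]
# The one application flow each in-scope VM is supposed to serve (assumed).
ALLOWED_APP = {"pci-db01": ("tcp", 1433), "pci-app01": ("tcp", 8443)}
DEFAULT_DENY = ("deny", "any", "any")


def mixed_mode_hosts(inventory):
    """Hosts that run in-scope (pci) VMs next to Internet-connected VMs."""
    tags_by_host = {}
    for vm in inventory:
        tags_by_host.setdefault(vm["host"], set()).update(vm["tags"])
    return sorted(h for h, t in tags_by_host.items() if {"pci", "internet"} <= t)


def single_function_findings(inventory, allowed_app):
    """Check each in-scope VM permits only its application rule, then denies all."""
    findings = []
    for vm in inventory:
        if "pci" not in vm["tags"]:
            continue
        rules = vm["rules"]
        if not rules or rules[-1] != DEFAULT_DENY:
            findings.append((vm["vm"], "no terminal default-deny rule"))
        expected = allowed_app.get(vm["vm"])
        for action, proto, port in rules:
            if action == "allow" and (proto, port) != expected:
                findings.append((vm["vm"], f"extra allow {proto}/{port}"))
        if ("allow",) + tuple(expected or ()) not in rules:
            findings.append((vm["vm"], "application rule missing"))
    return findings


if __name__ == "__main__":
    print("mixed-mode hosts:", mixed_mode_hosts(INVENTORY))
    for vm, reason in single_function_findings(INVENTORY, ALLOWED_APP):
        print(f"{vm}: {reason}")
```

Because VM changes are frequent, a check like this is most useful when run on every inventory or policy change rather than at audit time only.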

What are the major differences between virtual firewall offerings on the market today?

When looking for a virtual firewall vendor, the best questions you can ask are:

1. Is it hypervisor-based or a virtual appliance?

2. Is it fastpath or slowpath?

3. Is it VMsafe certified?

4. What is the TCO (as some products have “hidden” costs such as requiring VMware enterprise software licenses, additional hardware, etc.)?

Where can I find more resources on the subject?

While by no means an exhaustive list, the following are rich sources of virtualization security information.

Gartner — For getting the latest information on market trends, especially for cloud and virtualization security, we think Neil MacDonald’s blog is a must read. As a Gartner fellow with 25 years in IT, Neil’s quotes on the space are ubiquitous as are his insights on virtualization security innovations and their importance to customers.

VMware — This is an obvious destination for all things virtualization, but we urge you to also bookmark the security resource center which is replete with all sorts of recommendations and guidance. The latest ones to catch our eye are the recently released vSphere 4.0 hardening guide and the FAQ on the benefits of using VMsafe (new with vSphere).

PCI v2.0 — Whether you deal in credit card information or not, the PCI Data Security Standard is one of the most prescriptive and concise among compliance regulations such as SOX, HIPAA, GLBA, FISMA, etc. And while no regulations currently deal explicitly with virtualization and cloud security, the PCI Security Standards Council (SSC) is taking the lead on this front and their work is likely to be a reference point for other standards.

Virtualization Practice — This one might be a surprise, but the folks at this small analyst firm do a great job of synthesizing news, helpful links, vendor insights and industry happenings in their packed site. It’s especially helpful if you’re doing research on a topic, say VM Introspection, or an angle where you’re bound to find a blog post and some helpful outbound links.
