Virtually Speaking: Misplaced Priorities
When planning a virtual deployment, you have a lot to consider: which servers, which workloads, which processes and more. Return on investment and total cost of ownership (TCO) usually lead the charge. Security is often an afterthought, relegated to the back seat.
This, according to Neil MacDonald, vice president and Gartner fellow, is a big mistake. MacDonald, who emphasized that he is not against virtualization, is firm in his belief that, "security processes and technologies need to be modified for a virtualized environment."
In his presentation "Securing Virtualization: Virtualizing Security," delivered at the Gartner IT Infrastructure, Operations & Management Summit in Kissimmee, Fla. last week, MacDonald said that in the rush to virtualize, enterprises often neglect security in favor of operational gain.
As a result, MacDonald believes, through 2009, 60 percent of virtual machine (VM) deployments in production will be less secure than their physical counterparts.
For some enterprises, the TCO savings are enough to tolerate the risk. Other enterprises believe MacDonald is overcautious. He said some clients whom he advises even get angry when he questions their security approach. In one case, he recommended an enterprise take the money saved by virtualizing and pour it into security tools.
Other organizations are relying on VMware, Microsoft and the other virtualization vendors to produce defect-free virtualization software. That's another mistake, MacDonald said, noting, "These are the same people who write the vulnerable software we deal with today."
Security issues are endemic to virtualization, and they begin at the architecture level. The hypervisor, which Gartner describes as part of an abstraction layer, is in and of itself a high-value target that malicious hackers will go after.
MacDonald said, "You have 10 workloads and you merge them onto one, that's a very attractive target for a bad guy. Now, if I compromise just one thin layer I get all 10 machines. It's a great deal, if you're a bad guy whether internally or a hacker. And this layer will be targeted."
Meanwhile, "the technology has gotten ahead of the tools vendors have for security and for management," MacDonald said. This is perhaps the most significant issue, since proper tooling is the most direct way to mitigate the architectural risk as well as the other security issues.
The biggest problem here, MacDonald said, is a lack of tools. Tools and business processes have not yet evolved to the world of virtualization. Offerings from the more experienced security vendors are not particularly suited for virtualized environments.
"Where are Check Point, Cisco and TippingPoint? All the big people in network security are missing in action. Why aren't they inside this virtual network doing network security? It's an oversight, I believe, on the tools' vendors part," he said.
Concern about cannibalization is another possible reason why Cisco, Juniper, Check Point and the other network security vendors have yet to tackle virtualization, MacDonald told ServerWatch.
Third-party tools optimized for virtualization are out there, but the vendors are fairly new to the scene and the security management tools are immature. Vendors include Blue Lane Technologies, Embotics and Netuitive.
Today, security-conscious enterprises must manually check that each VM is properly configured and patched before moving it around. This, obviously, is not the vision VMware and the other vendors are selling enterprises, and is far from what enterprises are seeking.
So what can an enterprise do to keep its virtual infrastructure secure?
It all starts with hypervisor selection. MacDonald advises considering only a hypervisor-based (bare-metal) model, and the thinner the hypervisor the better: less code means less room for vulnerabilities.
He therefore cautions against security appliances. He also said he "would not run mission-critical workloads on a host-based OS model, a model like VMware Server. There's a reason they give it away free now. It's being commoditized."
Something else to bear in mind is that the hypervisor is a single point of failure: should it be compromised, everything above it feels the impact. Such a breach would most likely also be undetectable from inside the guests, according to MacDonald. Intrusion detection rooted in trusted hardware would remedy this. Such a product, however, is not available at this time.
Security also boils down to human intervention. "Lock down and configure each VM as appropriate to the organization's standard guidelines for the OS being hosted. Most security vulnerabilities occur through human error, misadministration, and mismanagement and VMs will be no exception," MacDonald noted in his presentation.
Take, for example, separation of duties for administration, which is easily enforced in the physical world. Consolidate 10 servers into one, and "some of the separation of duties from the physical world are lost. Application servers, database servers and more are all lumped together, and you create an all-powerful root-administrator. Whoever has access to the layer of abstraction has access to all of the workloads and can access all of them."
In other words, whoever has access to that privileged layer has the keys to the kingdom: control of the entire IT infrastructure.
This is especially true in the DMZ, where the outside world and the inside world converge. Here, a root admin has the capability to turn off security settings. Collapse the DMZ onto a virtual host and you have the potential for operations staff to take over the security controls. As a result, the DMZ should never be virtualized, MacDonald told ServerWatch.
Anything I/O-constrained is also a bad candidate for virtualization, MacDonald added.
In addition, all policies and firewall configurations from the physical world must carry over to the VM. A major component of MacDonald's vision of a perfect virtual world is "a policy management system where the policies can move seamlessly with the workloads."
In other ways, however, managing security in a virtualized environment is a lot like managing yet another operating system. Like an OS, the hypervisor must be patched (MacDonald recommends checking Secunia and the other security advisory sites regularly), correctly configured and kept up to date.
Other concrete recommendations MacDonald offered to enterprises include the following:
- Protect the host from becoming a single point of failure in hardware. Cluster or load-balance multiple machines for availability.
- Configure the server so one VM cannot create a shared resource denial of service (DoS) on another VM (e.g., CPU, memory and input/output paths, including network bandwidth).
- Ensure sufficient disk space, especially on critical system volumes (for example, log files or print queues).
- Use machines with redundant hardware capabilities (e.g., power supplies and NICs).
- Restrict physical access to sensitive virtual servers and their management consoles.
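As an added illustration of the shared-resource DoS item above (this is not from MacDonald's presentation or the original article), the following libvirt domain definition for a KVM guest shows how a Linux host can cap one VM's CPU, memory, disk I/O and network usage so it cannot starve its neighbours. The guest name "web01" and all numeric limits are assumed values chosen for illustration; size them to the host.

```xml
<!-- Added example: libvirt domain definition for a KVM guest.
     The name "web01" and every limit below are assumed values. -->
<domain type='kvm'>
  <name>web01</name>
  <memory unit='MiB'>2048</memory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64'>hvm</type>
  </os>

  <!-- CPU: each vCPU may consume at most quota/period = 50000/100000,
       i.e. half a physical core per period. shares (relative weight)
       settles contention with other guests instead of letting one
       guest monopolise the scheduler. -->
  <cputune>
    <shares>1024</shares>
    <period>100000</period>
    <quota>50000</quota>
  </cputune>

  <!-- Memory: hard ceiling above the nominal 2048 MiB to cover guest
       overhead; a runaway guest is contained instead of pushing the
       host and its neighbours into swap. -->
  <memtune>
    <hard_limit unit='MiB'>2304</hard_limit>
    <soft_limit unit='MiB'>2048</soft_limit>
  </memtune>

  <!-- Block I/O: weight in the range 100-1000, used by the host's
       I/O scheduler when guests compete for the same disk path. -->
  <blkiotune>
    <weight>500</weight>
  </blkiotune>

  <devices>
    <!-- Network: average and peak are in KiB/s, burst in KiB; this
         caps a guest that floods the NIC shared by all workloads. -->
    <interface type='network'>
      <source network='default'/>
      <model type='virtio'/>
      <bandwidth>
        <inbound average='10240' peak='20480' burst='5120'/>
        <outbound average='10240' peak='20480' burst='5120'/>
      </bandwidth>
    </interface>
  </devices>
</domain>
```

Without the cputune, memtune, blkiotune and bandwidth elements, a guest is limited only by the host's total capacity, which is exactly the condition that lets one compromised or misbehaving VM degrade the rest. After defining the domain (virsh define web01.xml), the effective limits can be read back with virsh schedinfo, virsh memtune and virsh domiftune to confirm they took effect.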
Amy Newman is the managing editor of ServerWatch. She has been following the virtualization space since 2001.