Virtualization isn’t easy, and security issues, which make a complex process harder,
are all too often ignored in the haste to deploy this technology.
Enterprises should consider the security implications that come with adopting virtualization before deploying.
To those planning virtualization deployments now, Steve Orrin, director of security
solutions at Intel, had a simple and useful piece of advice. “Don’t go after the
high-value, mission-critical stuff first. Start with something valuable that’s worth the
investment but not something so critical that it’s a serious issue if it goes down.”
“With any new infrastructure, there will be mistakes and challenges,” he added. “Learn and then apply that learning to high-value systems.”
ISACA International Conference next week, Orrin will give a talk called “From
Virtualization vs. Security to Virtualization-based Security” whose theme will be that
security should be able to help virtualization deployments and not obstruct them.
Save cash but don’t cut corners
If security is often an afterthought in these deployments, that may be because the
goal is all too often purely cost savings, as opposed to taking advantage of the
increased agility that virtualization offers, according to Orrin.
“Managers need to try to understand what virtualization means to them,” he said.
“There are security issues — and there are operational issues that are just as hard as the security issues — that crop up when you move out of the world where every server has one application.”
The elements of security become more complex when applications are moving from server
to server, changing the resources they use and even their location. “You need different
levels of security for different virtual machines (VMs). People went from 20 boxes to one big box, and now mission-critical applications are running on the same machine as
experimental apps and little IT and HR apps. How can one security policy cover them
But most deployments are even more complex than that. “In most organizations, it’s not
20:1 consolidation and that’s it,” he said. “Organizations have multiple datacenters in
multiple geographies and managers also want to consolidate datacenters.”
No one security policy
The solution, Orrin said, is to have a security policy that delineates many levels of
security (perhaps high, medium, and low) and to implement virtualization gradually.
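A tiered policy like the one Orrin describes only helps if it is enforced where VMs are actually placed on hosts. The following is an added illustration, not code from the article, from Intel or from any vendor product, of a placement check that flags the “mission-critical next to experimental” situation from the previous section. The tier names, the two rules (a VM may not run on a host rated below its tier; VMs sharing a host may not be more than a configurable number of tiers apart), the data shapes and the sample inventory are all assumptions made for the example.

```python
# Placement check for a tiered VM security policy (high / medium / low).
# Added illustration; not code from the article or from Intel. The tier
# names, the data shapes and the two rules below are assumptions.

TIER_RANK = {"low": 0, "medium": 1, "high": 2}


def check_placement(vm_tiers, host_tiers, placement, max_spread=0):
    """Return a list of policy violations for a proposed VM-to-host placement.

    vm_tiers:   {vm_name: "high" | "medium" | "low"}  classification of each VM
    host_tiers: {host_name: tier}  the highest tier a host is hardened to run
    placement:  {host_name: [vm_name, ...]}
    max_spread: how many tiers apart VMs sharing one host may be (0 = one tier per host)

    Rule 1 (assumed): a VM may not run on a host rated below the VM's tier.
    Rule 2 (assumed): VMs sharing a host may not be more than max_spread tiers apart,
                      so "mission-critical next to experimental" is flagged.
    A VM with no classification is reported as a violation rather than crashing the check.
    """
    violations = []
    for host, members in placement.items():
        host_rank = TIER_RANK[host_tiers[host]]
        ranks = []
        for vm in members:
            tier = vm_tiers.get(vm)
            if tier is None:
                violations.append(f"{vm} on {host}: VM has no security classification")
                continue
            rank = TIER_RANK[tier]
            ranks.append(rank)
            if rank > host_rank:
                violations.append(
                    f"{vm} ({tier}) on {host}: host is only rated {host_tiers[host]}"
                )
        if ranks and max(ranks) - min(ranks) > max_spread:
            names = sorted(f"{vm}:{vm_tiers[vm]}" for vm in members if vm in vm_tiers)
            violations.append(f"{host} mixes tiers too far apart: {', '.join(names)}")
    return violations


# Constructed sample inventory: a "20 boxes to one big box" consolidation.
SAMPLE_VM_TIERS = {
    "erp-db": "high",
    "payments-api": "high",
    "hr-portal": "medium",
    "it-ticketing": "low",
    "dev-experiment": "low",
}
SAMPLE_HOST_TIERS = {"host-a": "high", "host-b": "low"}
SAMPLE_PLACEMENT = {
    "host-a": ["erp-db", "payments-api", "dev-experiment"],  # high next to low
    "host-b": ["hr-portal", "it-ticketing", "unknown-vm"],   # medium VM on a low host
}


def demo():
    """Run the check over the constructed inventory and return its findings."""
    return check_placement(SAMPLE_VM_TIERS, SAMPLE_HOST_TIERS, SAMPLE_PLACEMENT)


if __name__ == "__main__":
    for finding in demo():
        print("VIOLATION:", finding)
```

Raising `max_spread` relaxes the co-residency rule without touching the host-rating rule, which is the knob an organization would tune as it moves from a strict “one tier per box” start towards the denser consolidation Orrin says most deployments end up with.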
If it’s done well, there can be compliance benefits. “I’ve seen examples where people
find it easier to apply security controls and represent them to auditors,” Orrin
But it’s not easy to do it well. There’s a new software layer, the hypervisor, plus a
VM manager (VMM) to secure. Virtualization technology can help.
“VMsafe and ‘similar tools in Xen’ allow you to leverage the VMM so that one VM can do anti-virus for the other VMs. The goal is taking your existing security mechanism and
making it virtualization-aware,” Orrin said.
Making antivirus virtualization-aware is one thing; making a firewall
virtualization-aware is tougher. “A firewall in the cloud cannot run the same level of
protection, especially if the hypervisor runs some communications between VMs,” Orrin
“In response, some people redirect all network traffic out to the network ‘instead of
allowing VMs to route packets directly to each other’,” Orrin added. “Some vendors like
Cisco and Juniper want you to do that but then you’re not taking advantage of the
efficiencies that virtualization can deliver. Virtual appliances (from an efficiency
perspective) make a lot of sense but if you talk to the people who have built it out,
there are limitations even there.”
Can mainframes simplify virtualization? “The mainframe is the ancestor of all
virtualization,” Orrin said. “IBM likes to talk about it, but if you have Linux or Unix
side by side with a mainframe, the mainframe has its own facilities for access control
and process isolation and it breaks down when you try to mix the mainframe with a
client-server architecture and VMware.”
Orrin claimed to like the idea of mainframes. “I’m a mainframe advocate. I’ve seen the
beauty and power of the mainframe,” he said. “That said, it’s not a Windows or a Unix
He added that in a rare case where all of an enterprise’s mission-critical software
resided on a mainframe, it could be a valuable part of a virtualization deployment.
Another key security issue that is unique to virtualization, Orrin noted, is that in
many virtualization deployments, the templates of commonly-used VMs are stored and then
copied and provisioned as necessary.
“People spin up VMs based on one gold copy. If someone manages to attack the gold
copy, they can cause damage to the system based on every instance. Security software
looks at what’s running but gold copies aren’t running, so you need to be able to
investigate them. A VM at rest is just a large ISO
He added that companies make products to provide the necessary security. “They offer
change control and management and attestation of a VM before provisioning. During
migration, a VM can be attacked on the wire. There are even examples of attacks on a VM
that’s in transit between two servers. The attack changes the security bits in transit.
So to protect VM integrity, they make sure that the VM that’s being provisioned is the
original, that it has not been altered.”
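The checks Orrin outlines, confirming that the VM about to be provisioned is the original gold copy and that it was not altered on the wire, come down to recording the image’s digest in an authenticated manifest and re-verifying it at provisioning time. The following is an added illustration of that gate, not code from the article or from any of the products it alludes to. The manifest layout, the sample image, and the use of an HMAC with a shared key as a stand-in for a proper signature are assumptions made for the example; a real deployment would carry a signature from a key the provisioning host trusts.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Added illustration of checking a VM image against an authenticated record before
# provisioning. Not code from the article or any vendor product; the manifest
# format, the HMAC stand-in for a signature and the sample image are assumptions.

# Constructed stand-in for a "gold copy" image (real ones are gigabytes; the
# chunked hashing below is what makes that size workable).
GOLD_IMAGE = b"GOLD-VM-IMAGE:web-frontend:v1\n" + bytes(range(256)) * 8
# Constructed key. In a real deployment the manifest would carry a signature
# from a key the provisioning host trusts, not a shared secret.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_hex(data: bytes, chunk_size: int = 65536) -> str:
    """Hash an image in fixed-size chunks so memory use does not grow with the image."""
    h = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so signer and verifier authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(image: bytes, name: str, key: bytes) -> dict:
    """Record the gold copy's size and digest and authenticate that record."""
    body = {"name": name, "size": len(image), "sha256": sha256_hex(image)}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_before_provision(image: bytes, manifest: dict, key: bytes) -> Tuple[bool, str]:
    """Gate provisioning: the manifest must be authentic and the image must match it.

    Checking the manifest's MAC first means an attacker who alters both the image
    and the recorded digest "in transit" is still caught.
    """
    body = {k: manifest.get(k) for k in ("name", "size", "sha256")}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, "manifest rejected: authentication failed (record altered or wrong key)"
    if len(image) != body["size"]:
        return False, "image rejected: size differs from manifest"
    if not hmac.compare_digest(sha256_hex(image), body["sha256"]):
        return False, "image rejected: digest differs from manifest (copy was altered)"
    return True, "image accepted: matches authenticated manifest"


def demo():
    """Walk through the clean case and two tampering cases; returns the three verdicts."""
    manifest = sign_manifest(GOLD_IMAGE, "web-frontend-gold", SIGNING_KEY)
    clean = verify_before_provision(GOLD_IMAGE, manifest, SIGNING_KEY)

    # Case 1: one byte of the copy changed while on the wire between two servers.
    in_transit = bytearray(GOLD_IMAGE)
    in_transit[300] ^= 0x01
    altered_image = verify_before_provision(bytes(in_transit), manifest, SIGNING_KEY)

    # Case 2: the recorded digest is also rewritten to match the altered copy.
    forged = dict(manifest)
    forged["sha256"] = sha256_hex(bytes(in_transit))
    forged_manifest = verify_before_provision(bytes(in_transit), forged, SIGNING_KEY)
    return clean, altered_image, forged_manifest


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK " if ok else "NO ", reason)
```

The same check covers the “VM at rest” problem from the previous paragraph: because the digest is computed over the stored image rather than a running instance, the gold copy can be re-verified on a schedule without ever booting it.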
“The good news is that there are tools and technologies to solve the problems,” Orrin
concluded. “IT just needs to apply the appropriate tool.”
Article courtesy of InternetNews.com