Rules of the Game
By Baselinemag | Posted 2008-04-30
Virtualization technology can deliver cost savings and improve IT performance, but it also introduces new security concerns. In this summary of a Burton Group report, security expert Pete Lindstrom examines the security considerations unique to virtualized IT environments.
There are five immutable laws of virtualization security. It’s essential to understand them and use them to drive security decisions. They are:
1. Attacking a virtual combination of operating systems and applications is exactly the same as attacking the physical system it replicates.
The beauty of a virtual machine is that it acts just like a physical system. However, in most environments, that means it can be attacked in the same way. Any data on the VM can be stolen, and if the VM has network access, it can be used as a stepping-stone to attack other systems.
2. A virtual machine poses a higher security risk than an identically configured physical system running the same operating system and applications.
This corollary to the first law accounts for the additional vulnerability of a virtual system’s controlling software, the hypervisor. Because the hypervisor monitors and responds to a VM, it is susceptible to attack. So it’s important to recognize the risks inherent in the virtual environment and to offset them in other ways.
3. Virtual machines can be made more secure than similar physical systems when they separate functionality and content.
When two processes share the same memory space, an attack against one process can impact the other. One way to benefit from virtualization is to separate functions and data into isolated operating environments. Such segregation helps reduce the risk added by the virtualization software, as described in the second law.
4. A set of virtual machines aggregated on the same physical system can only be made more secure than separate physical systems by modifying the VMs' configurations to offset hypervisor risk.
While separating resources reduces risk, combining resources will initially increase risk (see the second law). At this level of aggregation, VMs must be reconfigured to attain the same level of risk achieved through the third law. Turning off services, adding controls and separating content can help reduce overall risk.
5. A system containing a trusted virtual machine on an untrusted host poses a greater risk than a system containing a trusted host with an untrusted VM.
Attacks at lower levels pose greater risks than those at higher levels, because higher-level programs can be tricked into believing assertions about trust and authenticity. It is important for deployments of trusted VMs in untrusted environments to consider the implications and harden the VM image accordingly.