The Impact of Virtual Environments on Risk

Burton Group’s Pete Lindstrom lays down the law for protecting virtual infrastructures.

The Impact of Virtual Environments on Risk

Although the benefits of a virtual environment are clear, they are not always realized in every architected environment. The reality is that these various characteristics will be mixed and matched with other IT resources. Given that probable outcome, it is useful to review risk principles and apply them to a virtual environment. Burton Group defines risk as a function of threats, vulnerabilities and consequences such that an increase in any of these three elements increases overall risk.

At this stage of virtualization maturation, the likelihood that malicious attackers will target virtual environments is relatively low. That said, as more people get trained for and learn about virtualization, attackers are bound to follow. Given the adoption rate of virtualization technology, it is reasonable to assume this threat is accelerating quickly.

The vulnerability of a system is a measure of its attack surface—the nature and extent of resources on a system that are exposed. Of course, that if isolation mechanisms like firewalls or operating system access controls fail, the attack surface balloons to comprise the entire machine. The pertinent questions, then, are whether the attack surface of a system or of an enterprise IT environment as a whole increases or decreases through virtualization.

Attack surface increases with the availability of services on any IT resource. This means that the addition of a system to an enterprise environment increases attack surface, and at a more granular level, the starting of services, opening of TCP/UDP ports, and registering of remote procedure call (RPC) endpoints increases the attack surface as well. If more resources are consumed, more risk is incurred.

Most virtual environments aim to make the virtualization transparent throughout the environment. However, something new is “behind the scenes” of the systems in place—the hypervisor and virtual machine monitor. The addition of the hypervisor resource increases risk just like any other additional service does.

If everything else remains constant, the vulnerability component of risk is increased in virtual environments. Everything else does not need to remain constant, however. To whatever extent other resources can be reduced, eliminated, or isolated so that they are no longer part of the attack surface, these actions will offset the increased attack surface and reduce overall vulnerability.

The final component of risk is the impact or consequences of a successful attack. In most IT environments, the value of information assets is increasing as organizations work to squeeze out more benefits from systems. As these functions take on more mission-critical capabilities, associated losses are increased as well.

But consequences are not necessarily correlated with an increased attack surface. Given the increased flexibility of virtual systems, one of the benefits is the ability to create purpose-built appliances to support various functions. If functions that were previously combined are separated, then it is clear that the consequences may be reduced using virtual machines, which also reduces risk.

Path to Virtualization SecuritySecurity teams should take a number of steps to ensure improved protection of virtual environments, including:

• Use all existing security mechanisms: Since one of the primary goals of virtualization is transparency, all current host-based solutions should operate in exactly the same way with limited need for modifications. Existing solutions may not be optimal, but they’ll provide reasonable security.
• Get your administrative act together: The dynamic nature of the virtual machine lifecycle and the potential for virtual machine sprawl hint at an even more difficult asset-management environment in the virtual world. It is prudent to ensure that administrative procedures are ready for identifying and tracking virtual machines throughout the environment.
• Look for ways to move security out of the virtual machine: Enterprises reduce or eradicate agents from virtual machines and create separate process spaces for user activities and security functions.
• Manage virtual machines like files and systems: The portability of virtual machines makes them vulnerable to file-style attacks, and therefore they must be protected in a similar fashion. The goal of file-oriented management is recognizing the file objects and providing cryptographic and access control protection for them.
• Encrypt network traffic where possible: Encrypted communications provides some protection against local sniffing threats that may come from other virtual machines or the hypervisor.
• Practice segregation of functions: Since multiple virtual machines can be run on the same machine, it may be possible to create separate compartments for security components. Strong candidates for segregation include logging events externally, maintaining separate keys for encryption, and separating policy and configuration from the image.

Virtualized environments are poised to provide significant operational benefits to enterprises, but they are not without their risks. The introduction of a new layer of software—in the form of the hypervisor—and the new architectures that provide the benefits must be evaluated from a security perspective to understand the risk and the security impact.

Pete Lindstrom is a senior analyst at Burton Group specializing in security metrics, risk management, Web 2.0/SOA/Web services security, and securing new technologies.