Securing virtualization in real world environments

Download Securing virtualization in real world environments

Post on 19-Jan-2015




8 download

Embed Size (px)




  • 1. IBM Software January 2011Thought Leadership White PaperSecuring virtualization inreal-world environments

2. 2Securing virtualization in real-world environmentsContentsHowever, the key to successful virtualization is providing bene-ts like energy efficiency and performance without compromis-2 Introductioning security. Organizations typically struggle to stay ahead of3 Virtualization: Enjoy the ride, but dont forget to buckle up todays threats while also addressing various regulatory-basedcompliance standards. Adding new technologies such as5 Security implications of virtualization virtualization exacerbates this problem, making it essentialfor organizations to identify and address the new security gaps7 Securing virtualizationthat are introduced by virtualized environments.8 Virtualization security solutions from IBMFor example, in a physical server environment, if someone com-11 Summarypromises the security of one server, most organizations have thesecurity tools in place to address and contain that breach. But12 For more informationin a virtual server environment, where a single physical servercan be running multiple applications from different resources, aIntroductionbreach of one virtual server can potentially be a breach acrossIT organizations are under increasing pressure to deliver morea multitude of virtualized servers. And traditional security toolsfunctionality faster and with smaller budgets. Increasing costs cant help, because they werent designed to address virtualiza-attributed to power and cooling of servers, coupled with thetion. Its only a matter of time before a tremendous securityheadache of managing an expanding number of servers, makesbreach associated with server virtualization makes headlines.this a serious challenge requiring new advancements within thedata center.Given the potential for catastrophe, organizations must act now.The rst step is to take the time to understand how to properlyAt the heart of many data center transformations is virtualiza- integrate, deploy and manage security in virtualized environ-tion. Through its ability to consolidate workloads and reduce the ments. Without a baseline plan or a real understanding of virtu-amount of time and energy IT spends purchasing, installing andalization and security, IT groups may decide to disable manymaintaining racks of servers, virtualization allows the organiza- of the advanced features of virtualization for fear of unintendedtion to satisfy its goals with fewer physical resources and reduced consequences, or even worse, they might introduce more riskoperational costs. Early adopters of virtualization are alsointo the process.attaining additional returns on their investment throughsimplied systems management, automation and optimizedserver utilization. In short, both the expectations and benetsare very real. 3. IBM Software 3This white paper examines many of the security concerns associ- However, in addition to providing these benets, virtualizationated with virtualization and helps you understand and prioritizesignicantly impacts security. As data centers evolve into sharedthese risks, as well as describing the IBM security solutions and dynamic infrastructures, security concerns increase. Thethat can help you secure virtual environments and position your industry has already expressed anxiety over physical-to-virtualorganization to reap the full rewards of this exciting technology.migrations, security of the virtualization management stack, andvisibility into the virtual network. As virtual data centers becomeVirtualization: Enjoy the ride, but dont more complex, additional concerns around workload isolation,forget to buckle up multi-tenancy, mobility, virtual machine sprawl and trust rela-Virtualization has tremendous appeal for a variety of reasons.tionships are gaining visibility. Negatively impacting the overallMost notably, organizations are successfully reducing capital and security posture and increasing risk are never the intentions ofoperating expenses through server consolidation. By breakingIT groups deploying virtualization, but that potential readilydown silos of physical resources, organizations can center management and reduce server sprawl.Concerns over risk have the potential to limit the benets anWhile reducing data center costs has become the primary suc-organization will realize from virtualization. For example, manycess metric for organizations, investments in server virtualization companies have seen no change in the number of resourcesalso come with greater expectations. Organizations have addi- needed to manage virtual environments (see Figure 1). This istional goals of increased availability, automation and exibility likely the result of organizations not enabling automationthat are possible only with virtualization. Realizing these goals capabilities such as dynamic resource allocation and a critical step towards greater levels of service management Additionally, adopters of virtualization may not be changingthrough virtualization, including advanced IT service deliveryand ultimately improvingthe efficiency of server provisioningand strong business alignment. It also helps break the lock processes for fear of introducing risk or of moving out of com-between IT resources and business servicesfreeing you to pliance with security policies. Until these organizations enableexploit highly optimized systems and networks to furthermore advanced virtualization features, they will not realizeimprove efficiency. the enhanced manageability and availability benets thatvirtualization brings. 4. 4 Securing virtualization in real-world environments The security challenges of virtualizationTraditional threats Traditional threats can attackNew threats to VMVMs just like real systemsenvironments Virtual server sprawlAPPLICATIONS Dynamic state VIRTUAL Dynamic relocationManagementvulnerabilitiesMACHINEOPERATINGSecure storage of VMs SYSTEMand the managementdata MANAGEMENTResource sharingRequires new Single point of failureskill sets VMM OR HYPERVISOR Loss of visibilityInsider threatHARDWARE Stealth rootkits MORE COMPONENTS = MORE EXPOSUREFigure 1: The unique security challenges of virtualized infrastructures generate new risks for IT organizations, and the risk increases with the number ofcomponents involved. 5. IBM Software 5On the other hand, many early adopters have rushed to take controls, strengthen the platform and increase awareness ofadvantage of these technologies, often without fully understand- potential security implications, organizations will be able to real-ing the security concerns. For example, server consolidation ize more benets without adding new risk.increases overall efficiency, but also complicates matters byintroducing a new architecture with various technical andBefore we examine the solutions offered for virtualizationorganizational complexities. Both IT and security professionalssecurity, lets take an in-depth look at the major concerns.must adapt as consolidation forces change. Security implications of virtualizationAs network and server administration begin to converge, physi- Some characteristics and attributes of virtualization have inad-cal security devices and other security tools become less effective. vertent yet inuential consequences on information security.Even the most basic features of virtualization greatly impact thePhysical servers and other computer resources are heavilyday-to-day security responsibilities and processes used to achieve shared, barriers between virtual machines are logical, andand maintain compliance. workloads can move around the data centeren route to new servers or geographic locations in real time.Perhaps a lesson can be learned from the automobile industry inthat safety and security increase with maturity. The rst modern Understandably, people, processes and technology must adapt.automobiles were available in the late 19th century, but seat beltsTo do so, we must fully understand the new risks and securitywere not offered as standard equipment until 1958. Clearly,challenges unique to this technology. The following sectionstechnological advances allowing cars to travel much farther anddescribe several major security concerns of virtualizedfaster outpaced advances in safety. Likewise, new virtualization environments.capabilities are currently being introduced at a pace that chal-lenges risk mitigation solutions. While mature virtualizationIsolationplatforms have strengthened their inherent security capabilities In order to safely consolidate servers and allow a single physicalover time, new virtualization products with widespread appealserver to host multiple virtual machines, virtualization uses logi-and poorly understood security capabilities are now on the cal isolation to provide the illusion of physical independence.highway. No longer able to verify that machines are separated by network cables and other physical objects, we rely on the hypervisor andIn response, organizations must buckle up. They should under-other software-based components to provide these assurances.stand the new security risks that are introduced in virtualizedThis becomes increasingly important when workloads fromenvironments, and then evaluate new security solutions speci- users of different trust levels share the same hardware. Incally designed to address these new virtualization securityorder to properly contain information, administrators must paychallenges. Yes, virtualization introduces new concerns, but itspecial attention to conguration settings that affect virtualalso provides an opportunity to extend defense-in-depth to machines and network isolation, as well as continuously monitornew and unique areas of integration. As we optimize security the entire infrastructure for changes that could result in leakage of sensitive data. 6. 6 Securing virtualization in real-world environmentsServer lifecycle and chang


View more >