
Virtualization Security: Reducing Risk in IT Virtual Reality Virtualization can reduce data center costs exponentially – if security is a mainstay of implementation

TABLE OF CONTENTS

Introduction

Virtualization Security: An Overview

Major Virtualization Threats

Implementing Virtualization Security

I. Technology Considerations

II. Operational Considerations

Summary

Footnotes

Virtualization is revolutionizing how data centers operate. The technology created for mainframe computers decades ago increases server utilization dramatically, while reducing the capital outlay required to support enterprise applications that are bursting at the seams. But virtualization can’t reduce a key aspect of enterprise IT – security. Unless security is tailored to fit the specific requirements of today’s virtualized environments, virtualization can increase a firm’s level of security risk. This eBook details the security issues that server virtualization introduces and describes ways to address them effectively.


INTRODUCTION

Virtualization has taken hold in data centers worldwide. In a recent TechWeb survey, server virtualization beat the use of quad core servers, wireless LANs, commercial open-source software, and other trendy technologies favored by IT managers worldwide. (Footnote 1 and Figure 1) Nearly 77 percent of InformationWeek 500 companies reported they’ve deployed server virtualization widely, up from just 46 percent a year ago.

(Figure 1) InformationWeek’s survey shows virtualization tops the list of technologies deployed in IT groups among top U.S. enterprises.


According to IDC, in the second quarter of 2008, virtualization license shipments grew 53 percent year over year; of the total, the x86 server segment grew fastest at 60 percent. (Footnote 2) IBM has reported even greater adoption of virtualization on its Power Systems line of Unix servers – 64 percent in the second quarter of 2008. (Footnote 3)

There are many reasons to deploy virtualization: It saves hardware costs by duplicating the functions of multiple servers on a single machine. Three to five vendors can be removed by one virtualization implementation, according to Joshua Corman, principal security strategist for IBM's Internet Security Systems unit. Virtualization saves power, cooling, and space; it streamlines provisioning and management functions, including disaster recovery; and it facilitates advanced techniques of load balancing.

Virtualization also improves utilization. According to Nemertes Research, virtualization will enable firms to squeeze anywhere from 5 percent to 95 percent more work out of existing servers. (Footnote 4) Indeed, not using virtualization could cost you. According to the Gartner Group consultancy, companies that do not leverage virtualization can expect to pay more than 40 percent for equipment and 20 percent more in administration costs. (Footnote 5)

But despite the many cost benefits, virtualization’s benefits don’t include security. While virtualization changes the way IT runs in very real ways, it does not change the stringent security requirements typical of any IT endeavour. Indeed, virtualization has appeared on the scene at a time when security is escalating in complexity and urgency for enterprise managers.

This eBook examines security issues in virtualized environments and suggests best practices for dealing with them.

Note: Though we will primarily discuss server virtualization in this eBook, the principles outlined here could apply to other forms of virtualization.

VIRTUALIZATION SECURITY: AN OVERVIEW

Virtualization introduces a new set of risks to the enterprise. This isn’t to suggest that virtualization has a higher risk profile than other technologies, just that it has a fresh risk profile that needs to be addressed. To understand the security aspects of virtualization, it helps to review the technology itself, with a view to its chief vulnerabilities.

-------------------------------------------------------------------------------------------------------------------------------

BOX: Server Virtualization Defined

Virtualization is the logical abstraction of physical computing resources (OS, application, switches, storage, networks) designed to create computing environments that are not restricted by physical configuration or implementation. — Joshua Corman, Principal Security Strategist, IBM Internet Security Systems

The principles of virtualization are graphically depicted in the diagram below:

(Figure 2) Virtualization divides hardware resources among multiple virtual machines.


Virtualization operates in a number of ways. Most virtual environments are based on the notion of a hypervisor, or dedicated operating system, that divvies up server resources among multiple virtual machines, or guests. Some choices are shown in Figure 3 below.

(Figure 3) There are many approaches to implementing virtualization.


While there are many fine points of differentiation among virtualization platforms, two fundamental approaches are popular. We can term them Type 1 and Type 2. A Type 1 virtualization system is closely linked to a dedicated hardware platform and bypasses the use of an underlying pre-existing operating system. A Type 2 platform relies on a specific operating system to interact directly with the underlying hardware. As we’ll see shortly, Type 2 virtualization can pose additional threats to production networks.

(Figure 4) Type 1 virtualization works directly with server hardware; Type 2 relies on an additional layer of operating system software.


Let’s take a closer look at the specific threats involved in virtualized environments.

MAJOR VIRTUALIZATION THREATS

The primary element of virtualization risk is that the technology multiplies software and data images regardless of the underlying hardware. This multiplies security threats associated with any server.

Added to these primary threats to virtualized environments are specific threats, which are increasing as hackers and cyber-criminals turn their focus to virtualized infrastructure.

(Figure 5) Server applications and operating systems present well known threats for IT managers; new threats emerge with the use of virtualization hypervisors, management software, and virtual machines.


Most virtualization software offers disaster recovery and “sandboxing,” a technology that isolates certain activities to specific portions of a virtualized environment. Sandboxing involves partitioning virtual space, and it improves some aspects of security. But it does not reduce threats that are particular to virtualized environments. Indeed, these keep growing year by year:

(Figure 6) Over the past several years, threats to virtualized environments have expanded dramatically, even as companies have reported fewer IT security problems overall.


Threats specific to virtualized environments fall into three general categories:

— Traditional server threats: Virtual environments are just as susceptible to malware, viruses, rootkits, Trojans, worms, and other security-compromising software as any other servers. Indeed, the proliferation of multiple virtual servers multiplies the exposure to denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks; man-in-the-middle attacks; attacks that force buffer overflow; SQL injection attacks; and access control and integrity violations.

— Attacks on the hypervisor and/or virtual machine guests: A variety of new attacks has been devised against specific elements of virtualization. Hypervisor-based rootkits, for instance, have been featured at security industry events such as Defcon and Black Hat. Virtual machines have been hijacked, their data cached and relayed. Particularly vulnerable are virtualization management systems. In one notorious case, a big-city network’s new virtualized environment was invaded by pornographic images and malicious code, due to compromised management software. (Footnote 6)

— Data corruption: A major aspect of virtualization security is guarding data from inadvertently being mingled among VMs or guests. This kind of data mingling can easily put a business out of regulatory compliance, particularly in the financial sector, where auditors insist on separate platforms for primary and backup copies of financial records. Data mingling can happen purposefully or accidentally. It can be caused by operational factors such as poor management and/or separation of duties among personnel working in virtualized environments.


Though the big-city network hack described above is one of just a few cases of virtualization-specific attacks that have made headlines, experts warn against another key threat: complacency. “There’s going to be a lot more investment in malcode, and less disclosure of vulnerabilities,” warns IBM's Corman. Companies that skimp on security as they adopt virtualization are asking for trouble.

Sometimes, firms seem to think virtualized environments are somehow immune to the kinds of security threats that plague regular servers. “A couple of weeks ago, a company running Internet banking in a virtualized environment phoned us at 8:30 on a Thursday evening. Their banking security was exploited by a customer who had passwords,” says Christopher Karr, president of UberGuard Security Consulting. He says the firm wound up paying close to five times more for a security assessment (or roughly $25,000) than they would have before production – and before their servers, virtual or otherwise – were hacked.

-------------------------------------------------------------------------------------------------------------------------------

SIDEBAR: Survey: Virtualization Security Takes the Back Burner

In a survey conducted at the VMworld tradeshow in September 2008, over 80 percent of 300 respondents reported that virtual security was “very important to critical,” though just 35 percent say they’ve adopted it. Another 37.8 percent claimed to be evaluating their options, and 32.4 percent have no security solutions planned or implemented. Over 60 percent of respondents admitted having to comply with specific data security regulations. “Companies recognize the benefits of virtualization, but are slower at implementing the security measures needed,” Chris Schwartzbauer, VP of worldwide field operations for Shavlik Technologies, the poll’s sponsor, told Kelly Jackson Higgins of online publication Dark Reading, earlier this year. (Footnote 7)

IMPLEMENTING VIRTUALIZATION SECURITY

I. TECHNOLOGY CONSIDERATIONS

Security isn’t something that can be added to a virtualized environment after the fact; it must be designed into the virtualization system itself. This calls for attention to the way a virtualization product is designed. The following suggestions can be helpful to ensure that virtualization does not create more problems than it solves:

Make sure a hypervisor has a purpose-built OS. A software hypervisor is the core of the virtualized network, responsible for creating virtual machines and ensuring they run properly. Generally speaking, the hypervisor is more secure when it is linked to or assisted by the underlying server hardware – Type 1 virtualization. This is the kind of “bare metal” virtualization IBM developed in the 1960s for use with its mainframes. Contemporary Type 1 hypervisors include the Citrix XenServer, IBM’s Power Hypervisor, Microsoft’s Hyper-V, the Parallels Server, and VMware’s ESX Server, to name a few.

In contrast, Type 2 hypervisors rely entirely on software – typically, a general-purpose operating system such as Linux – to achieve virtualization. Examples of Type 2 hypervisors, sometimes known as hosted virtualization engines, include VMware Server (formerly known as GSX), Microsoft’s Virtual PC and Virtual Server, Sun’s VirtualBox, and Parallels’ Workstation and Desktop.

By their nature, Type 2 hypervisors run as applications within a server’s OS. This adds to the layered effect of the software on the server, multiplying the points of attack exposure. Further, Type 2 hypervisors typically force the server’s general-purpose OS to operate at a lower privilege level than the hypervisor, obviating or at least displacing the security formerly afforded to the OS kernel.

Type 1 virtualization engines are less stratified than Type 2 systems, and therefore have less security exposure. One may assume that they are safer than Type 2 for any production applications.

Aim for as small a hypervisor as possible. In general, putting more functionality inside a hypervisor exposes it to greater security risk. Some suppliers, for instance, emulate multiple devices inside a hypervisor as they create virtual machines and move them around a network. In contrast, it is often more desirable to have functions take place independently of the hypervisor. Some suppliers use proxy elements to transact functions between the hypervisor and other network entities. IBM, for instance, uses a virtual I/O server to manage the links between real devices in a network and virtual machines.

(Figure 7) A virtual I/O server makes devices on a network available to virtual machines – without requiring extra processing in the hypervisor itself.


Explore how live migration is achieved. The movement of virtual machines from one physical server or network to another adds another vulnerability to virtual infrastructure. Make sure you’re satisfied with a vendor’s design for protecting VM migration. One thing to watch for is the extension of VLANs and other time-tested approaches to networking in the virtualized environment. In IBM implementations, logical partitions (LPARs) on each physical server are managed by virtual I/O servers to share a limited number of peripherals and networking devices among VMs. One customer, Europe’s SWK utility, for instance, uses this kind of setup to support a complex service application, as noted below.

SIDEBAR: Securing a Virtual Environment for Business

Stadtwerke Krefeld AG (SWK) provides energy, water, natural gas, district heating, public transport, and waste management for more than 240,000 inhabitants of Germany’s Krefeld region. In response to EU energy market regulations specifying that billing and general business applications be hosted on separate systems, SWK upgraded a SAP application on two IBM System p5 590 servers.

SWK has placed a virtual I/O server and 15 to 18 LPARs on each physical server, allowing VMs to quickly and easily share physical I/O adapters and underlying processing power. “CPU capacities can be assigned very easily, and we can ensure that each LPAR is given the correct I/O resources without patching LAN- and SAN-networks, allowing our service levels to be met without wastage. Processor capacity utilization is therefore much higher than with previous systems, and we have not had to over-invest to meet our performance targets,” says Georg Baran, IT production manager at SWK.

-------------------------------------------------------------------------------------------------------------------------------

Look for designs that implement security outside the client or VM. In the most secure virtualized environments, virtual machines do not play major roles in their own security, although they do have security features. They are hostile to any other entities, including other VMs or even the hypervisor, unless they are otherwise configured. One VM would not even be aware of others unless it were configured to be aware. In addition, virtual LANs, based on real network addresses, can be used to separate virtual machines and ensure further levels of security.

Investigate management capabilities. A virtualization system’s management functions are its most vulnerable element – and also its most crucial. It is vital to establish audit trails for virtual machines. This kind of monitoring will establish when VMs were created and on what actual hardware, and where they moved within the network. It will be particularly important to have this information for virtualized infrastructure in financial institutions and other regulated entities.
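A sketch of what such an audit trail makes checkable, added here as an illustration and not taken from the eBook or any vendor's product: replaying create, migrate, and delete records to find VMs running without a creation record, moves that were never logged, and moments when workloads that must stay on separate hardware shared a host. The event schema, VM and host names, and the separation policy are all constructed assumptions.

```python
from collections import defaultdict

# Constructed audit events: (ISO timestamp, action, vm, host). Hypothetical schema.
AUDIT_EVENTS = [
    ("2008-09-01T08:00:00", "create", "billing-db", "host-a"),
    ("2008-09-01T08:05:00", "create", "erp-app", "host-b"),
    ("2008-09-03T02:10:00", "migrate", "erp-app", "host-a"),
    ("2008-09-03T06:40:00", "migrate", "erp-app", "host-b"),
    ("2008-09-04T11:30:00", "create", "test-web", "host-b"),
    ("2008-09-05T09:00:00", "delete", "test-web", "host-b"),
]
# Constructed inventory, as the hosts report it right now: vm -> host.
INVENTORY = {"billing-db": "host-a", "erp-app": "host-c", "scratch-07": "host-b"}
# Hypothetical policy: VMs in one group must never share a physical host.
SEPARATION_GROUPS = [{"billing-db", "erp-app"}]


def replay(events, groups):
    """Replay the trail in time order.

    Returns (placement, history, violations, anomalies): placement maps each
    live VM to its last recorded host, history maps each VM to its
    (timestamp, action, host) records, violations lists moments when a
    separation group shared a host, and anomalies lists records that do not
    fit the trail, such as a migrate for a VM with no create record.
    """
    placement, history = {}, defaultdict(list)
    violations, anomalies = [], []
    for ts, action, vm, host in sorted(events):
        if action == "create" and vm in placement:
            anomalies.append((ts, vm, "create for a VM that already exists"))
        elif action in ("migrate", "delete") and vm not in placement:
            anomalies.append((ts, vm, action + " without a create record"))
        history[vm].append((ts, action, host))
        if action == "delete":
            placement.pop(vm, None)
            continue
        placement[vm] = host
        # Check the policy at every step, not only at the end: a migration
        # that was later reversed still put the workloads on one machine.
        for group in groups:
            if vm in group:
                shared = sorted(v for v in group if placement.get(v) == host)
                if len(shared) > 1:
                    violations.append((ts, host, shared))
    return placement, dict(history), violations, anomalies


def reconcile(placement, inventory):
    """Compare the trail's view of the estate with what is actually running."""
    both = set(placement) & set(inventory)
    return {
        # Running but never recorded as created: untracked provisioning.
        "untracked": sorted(set(inventory) - set(placement)),
        # Recorded as live but not reported by any host.
        "missing": sorted(set(placement) - set(inventory)),
        # Running on a host the trail never recorded a move to.
        "moved_unrecorded": sorted(v for v in both if placement[v] != inventory[v]),
    }


if __name__ == "__main__":
    placement, history, violations, anomalies = replay(AUDIT_EVENTS, SEPARATION_GROUPS)
    print("separation violations:", violations)
    print("trail anomalies:", anomalies)
    print("reconciliation:", reconcile(placement, INVENTORY))
```

The separation check runs on every event because a point-in-time inventory would miss the four and a half hours in the sample during which both VMs sat on host-a.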

Implement wisely. In addition to the foregoing design guidelines, some setup suggestions may also protect against security problems caused by technology:

• Install security on each guest VM. As noted above, don’t rely on VM security, but also, don't assume that security in other parts of the virtualized environment will cover all contingencies.

• Apply network-based security. Again, cover all bases. If you’re using VLANs for virtualization management, you’ll want to adjust firewalls and routers accordingly.

• Lock down the management console. The management infrastructure is the key to the virtualization kingdom. Make sure it's safe.

• Use standalone security appliances. This layer of security can ensure that nothing in a virtualized environment is exposed unnecessarily.

II. OPERATIONAL CONSIDERATIONS

Virtualization security relies on smart organizational policies. Without these, a virtual environment can be compromised even if its technology is the best.

“The key with virtualization is internal controls that address the risks like any other IT environment,” says Darrell Brown, founder of Trinity Security Co., a security consultancy. “When moving to a virtual environment, companies should perform a review of their processes and control environment.”

Here are some suggestions for covering the bases operationally:

Establish clear roles and responsibilities. Who owns the virtual environment – network administrators, server admins, application owners, data custodians? Any ambiguity about who will be in charge of controlling and configuring virtual machines will translate into potential mistakes and security failures. Setting workable security policies requires that roles be assigned up front. In most organizations, the virtualization team will include representatives from a range of departments.

Set policies beforehand and adjust them as needed. One risk of virtualization involves the crossover of data from one virtual machine to another. Strict use guidelines can reduce the risk of cross-contamination of data and applications. Determine which servers can be clustered and which can’t. Anticipate that changes will need to be made, and set up a way to ensure they can be made with minimal disruption.

Pay particular attention to provisioning controls. The introduction of live migration of VMs requires rock-solid control to avoid “virtual sprawl” and the associated security risks of losing track of virtual resources.

Involve security personnel from the start. Security experts should be part of any virtualization design plan. This can ensure full understanding of the risks and adequate safeguards.

Establish a workable and reliable management and audit trail – and store it off the virtual infrastructure. “How do I know that the template or deployed virtual machine, router, etc., is the version that I want on my network? I need to be able to review a change to a template and ensure that it meets the baseline expectations of my network,” says Trinity's Brown. “Many companies store these templates in a repository on a host – possibly the same host where the VM will be deployed. This poses some challenges for ensuring the integrity of the VM template.”

SIDEBAR: Compliance & Virtualization

Virtualization puts an entirely new face on the issue of compliance with data storage regulations. For example, will putting data on a virtual machine be accepted by auditors who expect to see data stored for backup on a separate platform?

Experts say it’s vital to include auditors in setting up virtualized environments. Make sure they will be satisfied with the setup, and clarify with them the expectations for storage of data on VMs.

It’s also important to safeguard live migration and connectivity in the virtual environment to ensure that “data leakage” between VMs does not occur.

To ensure compliance, security consultant Darrell Brown suggests paying close attention to process controls throughout the virtualized infrastructure: “Most companies do not include a validation step in their deployment process ensuring the appropriate baseline still exists [when a VM template] is changed. Second, how do I ensure that I have the most recent version of a template? I would suggest that a good resolution to this is using a content management approach, where a file has to be checked out for any use.”

Brown suggests patch and license management also be incorporated into management of VMs, to ensure that data isn’t corrupted during updates, or that companies aren’t exposed to lawsuits by inadvertently posting an outdated or illegal version of software on a VM.
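One way to build the validation step described in this sidebar and in the earlier passage on template integrity, added here as an example and not drawn from the eBook or any product: a deployment gate that checks a template image against an approved baseline record kept off the virtual infrastructure. The manifest layout, template name, and key are constructed; HMAC with a shared key stands in for whatever signing scheme an organization actually uses.

```python
import hashlib
import hmac
import io
import json


def digest(stream, chunk=1 << 20):
    """SHA-256 of a template image, read in chunks because images are large."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def sign_manifest(entries, key):
    """Approve a baseline: serialize the entries canonically and tag them."""
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_manifest(manifest, key):
    """Return the approved entries, refusing a manifest whose tag is wrong."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest tag mismatch: baseline record was altered")
    return json.loads(manifest["body"])


def check_template(name, version, stream, manifest, key):
    """Deployment gate: return (ok, reason) for one template image."""
    entry = load_manifest(manifest, key).get(name)
    if entry is None:
        return False, "no approved baseline for this template"
    # The "most recent version" question: only the approved version may
    # deploy, so an older copy left in a host-local repository is rejected
    # even though its contents were once valid.
    if version != entry["version"]:
        return False, "stale or unapproved version"
    if not hmac.compare_digest(digest(stream), entry["sha256"]):
        return False, "image differs from approved baseline"
    return True, "matches approved baseline"


# Constructed sample data. In practice the key and the signed manifest live
# off the hosts that store and run the templates, so compromising a host
# does not let an attacker rewrite the baseline along with the image.
KEY = b"constructed-demo-key-kept-off-host"
APPROVED_IMAGE = b"constructed template image, version 3"
MANIFEST = sign_manifest(
    {"web-base": {"version": 3, "sha256": digest(io.BytesIO(APPROVED_IMAGE))}},
    KEY,
)

if __name__ == "__main__":
    print(check_template("web-base", 3, io.BytesIO(APPROVED_IMAGE), MANIFEST, KEY))
    print(check_template("web-base", 3, io.BytesIO(APPROVED_IMAGE + b"!"), MANIFEST, KEY))
    print(check_template("web-base", 2, io.BytesIO(APPROVED_IMAGE), MANIFEST, KEY))
```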

SUMMARY

Virtualization offers many benefits to IT managers. But unless security is a priority in implementation, threats to the virtual environment can cause more problems than virtualization solves.

In summary, virtualization security involves the following elements:


• Design: Distributed functionality that follows solid software design principles and duplicates standard network controls and security parameters

• Operations: Management and reporting of virtual resources that reflect thoughtful chains of responsibility and command within the organization and include security personnel

• Compliance: Distinct platforms for applications, set up to ensure integrity within each VM and across the virtualized infrastructure.

Organizations that fail to study and organize their approaches to meeting these basic requirements expose themselves to a growing and very real peril.

FOOTNOTES

(Footnote 1): InformationWeek 500 Trends report by Chris Murphy, September 16, 2008.

(Footnote 2): IDC Worldwide Quarterly Server Virtualization Tracker, 2Q2008.

(Footnote 3): Worldwide IBM data from online configurators used by IBM sales personnel, customer and business partners to order Power Systems. 2Q 2008 data includes all unified Power systems (POWER6-based).

(Footnote 4): Interop presentation by Johna Till Johnson, Nemertes Research, September 2008.

(Footnote 5): Cited by Joshua Corman, IBM Internet Security Systems, in Interop presentation, September 2008.

(Footnote 6): Ibid., Joshua Corman, September 2008.

(Footnote 7): “Survey: Virtually No Security in Enterprises’ Virtual Systems,” by Kelly Jackson Higgins, DarkReading, Sept. 26, 2008.