By Mike Small
As the market for virtualisation products continues to swell, CA’s Mike Small warns that all aspects of security need to be considered – if an enterprise is to avoid future catastrophe.
Virtualisation raises a number of security issues, since a single compromise of the hosting platform puts the entire virtual data centre at risk. The shared administration of multiple virtual machines at the host-system level can imply new risks, as can the possibility of shared access to resources which were once separated by hardware boundaries. This is crucial for personal data, which is protected by law. These concerns become particularly important when organisations outsource operations; in other words, when administration is being performed by third parties.
Yes to virtualisation . . . but not without protection
Organisations are adopting virtualisation technology to reduce total cost of ownership and improve the quality of service of IT systems. This strategy provides the operational foundation to consolidate critical services and sensitive data that were once scattered amongst distributed system deployments. From a security standpoint, not only are the security issues found on networked systems applicable to virtual machines, but the virtualisation platform and the guest virtual machines introduce a new breed of security threats.
According to a Global Virtualisation Management survey conducted on behalf of CA during October and November 2007, respondents worldwide are most likely to rate security as a challenge when managing server virtualisation initiatives.
To reduce virtualisation security risks, an independent access enforcement technology must be employed in conjunction with system security measures. Some of the vulnerabilities that were traditionally controlled by the presence of physical security must now be mitigated through the implementation of granular access controls on the virtualisation platform.
An effective solution must ensure that only authorised users perform authorised operations on the hosting system. This reduces the risk due to over-privileged accounts or external intrusions which may compromise the gateway to guest images. Machine-to-machine protection through virtual isolation should be supplemented by access enforcement amongst them. Centralised management of security policies is critical to minimising deployment and administrative costs. Finally, all sensitive administrative activities on both the hosting operating system and guest virtual machines must be closely audited for compliance requirements as well as risk mitigation.
Virtualisation security risks
Lack of Separation of Duties: Without an independent access control solution, multiple administrators in various roles have the ability to interact with numerous components of a virtualisation deployment.
This inadequately regulated access to the virtualisation platform presents the potential for significant damage to the enterprise through the compromise of valuable information and disruption of critical services. VM images can be copied along with the data and applications that they hold. These images can be brought back online on an unsecured computer, making it easier for an intruder to access the contents managed within the copied image.
Insufficient Security via Isolation: A perceived security benefit of virtualisation is that the isolation of services in dedicated VMs protects services from being affected by a compromised sibling service.
Unfortunately, the assumption that VMs running on the same host are isolated and cannot be used to attack each other is not accurate.
While technically separated, VM partitions still share utilisation of resources such as network bandwidth, memory and CPUs. Any partition consuming a disproportionate amount of one of these resources because of a virus or malicious change of configuration could create a denial of service for the other partitions.
Inadequate Auditing: Given the leverage the virtualisation platform has on the stability of the entire data centre and on the integrity of the data it manages, it must be viewed as critical infrastructure. As a result, the virtualisation platform is subject to tight regulatory requirements.
Organisations must track the interaction that each user has with the virtualisation platform and within each of the VMs it hosts. Native audit capabilities provided by operating systems are too coarse to be effective and are vulnerable to tampering. Access to the hosting operating system must be monitored and audited to prove that controls have ensured its integrity. Similarly, within each VM, access gained to each guest operating system is subject to the same compliance requirements.
Protecting the virtual environment
An extra layer of protection is needed to effectively protect virtualisation platforms. This layer needs to properly identify administrators and enforce the principle of least privilege to protect the mission-critical information and services running in the virtual data centre. This should be capable of protecting virtualisation deployments at multiple levels: operating systems hosting a hypervisor, operating systems implementing operating system-based virtualisation, privileged partitions managing hypervisor based virtualisation and the critical resources in VMs running on all of the above.
There should be granular segregation of duties to limit each administrator’s privileges to the minimal set necessary to perform their job function. This mitigates the risk associated with unauthorised access to confidential information or critical services. This must include the containment of the superuser account by assigning permissions to specific roles and transparently enforcing these permissions. For example: limiting system administrators of a VMware ESX Server to root operations, such as applying patches to the system, while denying access to the VM file systems and daemons.
Operating system hardening also provides an extra layer of security to protect VMs, hosting operating systems and privileged partitions against Trojan or malware attacks. Even in the event that one VM becomes compromised this is able to prevent the propagation of negative effects to other VMs. Regulating incoming and outgoing network traffic based on ports, connection methods, originating sources, network attributes and time is also important. This network protection is necessary to restrict the communication between the VM images themselves, but more importantly between the images and the hosting operating system or privileged partitions.
All management, servicing and security configuration sessions on the hosting and guest operating systems need to be securely audited maintaining the user’s original ID even after the user performs a surrogate operation. Only those in the auditor role should be able to access the audit files and only in read-only mode, ensuring that the forensic integrity of the files remains intact.
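The three controls described in the paragraphs above (role-scoped least privilege that also contains the superuser, the ESX example of a system administrator who may patch the host but not touch VM file systems or daemons, and audit records that keep the user's original ID across a surrogate operation and are readable only by the auditor role) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from the article, nor from CA's product, and the role names, operations, resource paths and user IDs are constructed examples.

```python
"""Constructed model of host-level access enforcement for a virtualisation
platform (added example, not the article's or CA's code)."""

from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Tuple

# Constructed role policy. Each rule is (operation, resource pattern, allow).
# Rules are evaluated in order and the first match wins, so the sysadmin's
# deny rules for VM file systems and VM daemons come first: even after
# becoming root, the sysadmin role may patch the host but not reach VM data.
# Anything not matched is denied (default deny).
POLICY = {
    "sysadmin": [
        ("*", "/vmfs/volumes/*", False),   # VM file systems: denied
        ("*", "daemon:vmware-*", False),   # VM daemons: denied
        ("patch", "host:*", True),         # applying patches: allowed
        ("read", "/etc/*", True),
        ("write", "/etc/*", True),
    ],
    "vm_admin": [
        ("read", "/vmfs/volumes/*", True),
        ("write", "/vmfs/volumes/*", True),
        ("control", "daemon:vmware-*", True),
    ],
    "auditor": [
        ("read", "/var/log/audit/*", True),   # audit files: read-only
    ],
}

AUDIT_DIR = "/var/log/audit/"   # constructed location of the audit files


@dataclass
class Session:
    original_uid: str    # the identity that logged in
    effective_uid: str   # the identity after any surrogate (su-style) switch
    role: str


@dataclass
class AuditRecord:
    original_uid: str
    effective_uid: str
    role: str
    operation: str
    resource: str
    allowed: bool


AUDIT_LOG: List[AuditRecord] = []


def surrogate(session: Session, target_uid: str) -> Session:
    """Model a surrogate operation: the effective ID changes, but the
    original ID and the role travel with the session, so later audit
    records still name the person rather than just 'root'."""
    return Session(session.original_uid, target_uid, session.role)


def is_allowed(role: str, operation: str, resource: str) -> bool:
    """First matching rule decides; no match means deny."""
    for op, pattern, allow in POLICY.get(role, []):
        if op in ("*", operation) and fnmatch(resource, pattern):
            return allow
    return False


def enforce(session: Session, operation: str, resource: str) -> bool:
    """Decide on the role, never on the effective UID (this is what
    contains the superuser), and record every decision with both IDs."""
    if resource.startswith(AUDIT_DIR):
        # Audit files: only the auditor role, and only read access.
        allowed = session.role == "auditor" and operation == "read"
    else:
        allowed = is_allowed(session.role, operation, resource)
    AUDIT_LOG.append(AuditRecord(session.original_uid, session.effective_uid,
                                 session.role, operation, resource, allowed))
    return allowed


def trail_for(original_uid: str) -> List[Tuple[str, str, str, bool]]:
    """Forensic view: everything a person did, including actions taken
    while running under a surrogate identity."""
    return [(r.effective_uid, r.operation, r.resource, r.allowed)
            for r in AUDIT_LOG if r.original_uid == original_uid]


if __name__ == "__main__":
    alice = surrogate(Session("alice", "alice", "sysadmin"), "root")
    enforce(alice, "patch", "host:esx01")
    enforce(alice, "read", "/vmfs/volumes/datastore1/db.vmdk")
    for entry in trail_for("alice"):
        print(entry)
```

The point of `enforce` deciding on the role rather than on `effective_uid` is that switching to root changes nothing about what the policy permits, which is the containment the article asks for; the point of `trail_for` is that the forensic record is keyed on the original login, so a surrogate operation cannot hide who acted.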
While virtualisation enables the consolidation of physical machines it fails to provide a solution for the consolidation of security management. There should be centralised management of user accounts, passwords and security policies across all virtualisation hosts managed from a single administrative console.
There is no question that virtualisation offers compelling, tangible benefits to an IT organisation. However, while realising these gains, organisations must be mindful that virtual environments require security just as much as their physical infrastructure does. In fact, in many ways, virtualisation intensifies the risks associated with server OSes.
Risk can be managed first by limiting each administrator’s access to the minimum set necessary to perform their job function. Protection from external threats is more critical given the reliance of VMs on a common physical platform and resources. Finally, compliance regulations dictate that organisations must be able to prove that appropriate access controls are available and in place.
Mike Small is a principal consultant for security management at CA.