Malicious hypervisors. Subversive virtual machines. Live migration impersonators. Welcome to the world of virtualisation, where the threats are new and the traditional security tools such as firewalls and intrusion-prevention systems don’t cut it anymore.
Unfortunately, at many enterprises, security strategies haven’t kept pace with the move to virtualisation. For their part, IT pros tend to look at it this way: since physical and virtual servers run the same Linux and Windows operating systems on the same hardware, security for the former is adequate for the latter. This assumption could be fatal.
“Many companies that have embarked on virtualisation haven’t contemplated the security ramifications yet. All those threats in the physical world are relevant in the virtual world too and it can be ten times worse because your virtual desktops and servers are hosted in the data centre,” says Chris Moore, Regional GM, Trend Micro.
Industry experts say the general awareness level of issues related to virtual security isn’t quite where we need it to be. “Awareness is definitely lagging behind. One of the major reasons for this is that information security isn’t initially involved in the virtualisation projects. It is quite easy to get overwhelmed by the business benefits of virtualization and forget to evaluate the security risks involved in a virtualization project,” says Arun George, Technical Sales Manager, HP TippingPoint.
Agrees Nicolai Solling, Director of Technology Services from help AG Middle East: “As for the many projects we’ve been involved in, the focus has mostly been on taking a lot of servers and systems and consolidating into one piece of hardware thereby saving on operational costs of a data centre environment. So far we haven’t seen a great focus on security within the virtual environment. One of the reasons for this is probably the fact that even in the existing data centre the security segmentation within the data centre is fairly limited and security focus in most designs has been to segment and control user traffic going into the data centre but not necessarily controlling the traffic within the data centre.”
Another issue is that IT needs to figure out what to do about the network blind spot that virtualization creates, as none of the network-based firewalls or IPS in the physical world can see the traffic being switched between two virtual machines in the same box.
“Our existing security architectures come from decades of practice in deploying physical systems – we’ve got rack switches that interconnect the servers on the rack, end of row switches that interconnect the racks and core switches that interconnect everything. Network and security management has been built around this three-tier architecture,” points out Deepak Narain, Senior Technology Consultant, VMware.
In an elastic virtual environment, where a single server could host many different kinds of services, or a virtual machine can hop around from rack to rack, this architecture won’t be able to keep up. And, you’ve got a new layer of networking to factor in – the virtual switch. “I could implement multiple virtual data centres inside a physical data centre – and it all may be in the same rack, possibly even the same server,” adds Narain.
As a result, the network is flattening and the definition of the network perimeter has changed. Unless security tools are enhanced to become virtualization-aware – in many cases, they need to become virtual machines themselves – they will not be able to provide the same level of functionality in the cloud as they do today.
Many enterprises haven’t focused on virtual server security because their virtualisation deployments are immature. When virtual servers are just used for test and development purposes or for running non-critical, low-priority applications, security doesn’t much matter.
But that changes as a virtualisation layer moves into the production environment to host mission-critical applications. The deeper entrenched virtualization becomes, the greater the need to deploy security technology specifically aimed at protecting the virtual infrastructure.
The new reality
How do you protect your VMs and the traffic between them? Do you need to think of a security posture that is similar to the physical environment? Experts believe running an IPS or a copy of anti-virus software in the hypervisor would defeat the purpose of keeping this layer very thin and hardened. The whole idea behind virtualisation is flexibility, and companies have to strike a balance between usability and security.
“The challenge around security in a virtualised world is slightly different than the physical world. Most customers are looking to take advantage of the virtualised world and not necessarily overload the system with heavy-duty protection. However, like any environment, be it physical or virtualised, security controls are a must, and the traditional solution should have the ability to integrate with this new era of technology,” says Essam Ahmed, Regional Presales Manager MENA, McAfee.
Security vendors, for their part, have stepped up to take the bull by the horns. These include start-ups such as Altor Networks and Apani, as well as well-established security vendors. Besides HP TippingPoint, this latter group includes CA Technologies, for security functions such as access control and log management; Juniper Networks, which has a strategic alliance with Altor; IBM for IPS; and Trend Micro, which acquired virtual security start-up Third Brigade.
For its part, virtualisation leader VMware has taken many security controls and pushed them into the virtualisation layer via its vShield family. “We are delivering some of the traditional network security services as virtual machines themselves, or partnering with the security vendors and providing them the right APIs to hook into the virtualization layer to provide the same – and often even better – guarantees that they can in the physical world,” says Narain.
When evaluating virtual security products, IT managers are advised to select those that are optimised to run inside the virtualisation environment and have been integrated into virtualisation frameworks from Microsoft, VMware and Xen-based virtualisation vendors.
“From a security strategy point of view, IT managers should include steps to protect both physical and virtualised data centres in a compliant, secured and controlled manner. The security vision should be to maintain the same security policy in the physical data centre as well as in the virtualised data centre,” says George.
Just as virtualisation enabled massive cost savings and efficiency gains, it is a real game-changer when it comes to security. Contrary to popular belief, virtualisation is not inherently insecure, but it gets deployed insecurely today. But this problem will go away over the next three to four years as IT staff, vendors, tools and skills mature.