Server virtualization makes business sense, but too many companies are deploying the technology without considering the security implications.
Server virtualization is a no-brainer--it's quick to deploy and easy to justify in terms of cost-savings--but too many companies are deploying the technology without considering the security implications.
Server virtualization has been the hottest trend in enterprise IT for some time and according to IBRS analyst Kevin McIsaac, it's likely to remain that way for the next two to three years.
IBRS estimates that one in three large Australian organizations has deployed server virtualization within their data center, and nearly every medium to large enterprise has at least looked at a pilot for the technology.
But as the push to consolidate physical servers intensifies, questions are being raised as to whether new virtual servers are being deployed with adequate security measures in place.
Hypervisor hackers
Virtualization software uses programs called hypervisors, which allow multiple operating systems to run on the same hardware.
Hypervisors have to date been considered fairly secure programs, in that they tend to carry a smaller footprint than an operating system and thus carry a lower potential for security holes.
"I don't know if anyone has ever seen a working prototype or found a virus in the wild that attacks the hypervisor," McIsaac said. "There is a lot less code in a hypervisor, only a fraction of what's in an operating system, and unlike an operating system, you won't find a hypervisor surfing the Internet and downloading code."
That said, the hypervisor is an obvious target for hackers. If compromised, it could potentially provide access to a range of services within a virtualized machine, rather than to a single service in a standalone box.
Security analysts and white hat hackers have done their best to crack the hypervisors of the leading brands, with little success. Malware researcher Joanna Rutkowska talked up an attack method called "Blue Pill" at a security conference in August, but this has since been debunked by several industry figures as detectable and addressable.
Most of the reported hacks of virtualization software, says VMware systems engineer Andrew Kemp, are clutching at straws. One exploit, he said, which has since been patched, required the attacker to be physically inside the server room, logged on at a specific time and using a specific version of VMware's ESX software.
"If you have someone in your data center, you've got plenty of other problems to worry about," he said.
Nonetheless, there is no shortage of hackers having a crack at the technology.
Gartner security analyst Andrew Walls says it's a sure bet that there are people in the hacker community "trying to develop exploits that target the hypervisor."
A process problem
It's for this reason that Gartner vice president Neil MacDonald released a controversial statement in April warning organizations not to rush into deploying server virtualization without studying its potential for security risks.
MacDonald argued that hypervisors represented a "new layer of privileged software" that needs protection, and said that virtualization vendors and their third party tool developer partners were releasing "immature and incomplete security and management tools."
This sentiment didn't go down too well in the virtualization vendor community, which decried the statement as alarmist.
Nonetheless, Gartner's Walls claims he was trying to make a very important point about virtualization and server consolidation projects.
Virtual servers, Walls explains, are quick, easy and cheap to deploy, and as such can be deployed with the kind of abandon that has little regard for security.
It's a risk that is coming to be known as "virtual machine sprawl".
Without the right user rights and privileges controls in place, virtualization tools allow knowledge workers to deploy a new server instance or virtual machine without the consent or control of IT security staff.
"The main risk Gartner sees is to do with the segmentation of duty," Walls said. "It's about organizational structure, not technology."
In the non-virtualized world, Walls explains, it's always been fairly clear as to what the protocol for IT security is.
In larger organizations, security concerns have often warranted dedicated staff. So while the IT admin team is responsible for the day-to-day running of new servers, the security team tries to monitor and maintain control.
"You need to be careful that the use of virtual servers doesn't erode any responsibility," Walls said. "The big advantage to virtualization is the speed of deployment. You can deploy ten new servers in an hour. But when you have a much faster deployment model, you can rapidly increase the number of targets for attack."
If the rush to deploy new servers is left to IT admin alone, Walls said, there is a potential for the quality of security processes to be compromised.
"IT seeks to optimise performance, to deploy new instances, at reduced cost," he said. "They are strongly motivated to meet the needs of the business, which is always pushing to offer new services and thus new server instances. Security sometimes gets left out."
"Each time a new server is implemented or a new server instance is deployed, you need to ensure that the same governance controls and change controls are applied to this virtual environment as a new server," he said.
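Walls' point about applying the same change and governance controls to a virtual instance as to a physical server can be turned into a routine reconciliation check. The following Python is an added example, not code from the article or from any vendor it mentions: it compares a constructed hypervisor inventory export against a constructed set of approved change tickets, flags VMs with no ticket, an unknown ticket, no owner or no hardening baseline, and separately flags anyone who deployed more than five VMs inside an hour, the sprawl pattern Walls describes. Every field name, VM name and ticket id is an assumption made up for the illustration.

```python
"""VM-sprawl reconciliation check (added example, not from the article).

Inputs are constructed: an inventory export as a hypervisor console might
produce it, and the set of change tickets the security team has approved.
Field names (change_ticket, owner, baseline_hardened) are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class VM:
    name: str
    created_by: str
    created_at: datetime
    change_ticket: Optional[str]   # change-control reference, if any
    owner: Optional[str]           # accountable business owner, if any
    baseline_hardened: bool        # security baseline applied at build time


# Constructed set of tickets the security/change board has approved.
APPROVED_TICKETS: Set[str] = {"CHG-1001", "CHG-1002"}


def build_sample_inventory() -> List[VM]:
    """Constructed inventory: two teams deploy properly, one user clones freely."""
    base = datetime(2010, 3, 1, 9, 0)
    vms = [
        VM("web-01", "alice", base, "CHG-1001", "web-team", True),
        VM("web-02", "alice", base + timedelta(minutes=5), "CHG-1001", "web-team", True),
        VM("db-01", "bob", base + timedelta(hours=1), "CHG-1002", "dba-team", True),
        # A ticket id that the change board has never seen.
        VM("lab-01", "carol", base + timedelta(hours=3, minutes=30), "CHG-9999", "carol", True),
    ]
    # Six test VMs cloned in half an hour with no paperwork at all.
    for i in range(6):
        vms.append(VM(f"test-{i + 1:02d}", "carol",
                      base + timedelta(hours=2, minutes=5 * i), None, None, False))
    return vms


def find_unmanaged(vms: List[VM], approved: Set[str]) -> Dict[str, List[str]]:
    """Return {vm_name: [reasons]} for every VM that fails a governance check."""
    findings: Dict[str, List[str]] = {}
    for vm in vms:
        reasons = []
        if vm.change_ticket is None:
            reasons.append("no change ticket")
        elif vm.change_ticket not in approved:
            reasons.append("unknown change ticket")
        if vm.owner is None:
            reasons.append("no owner")
        if not vm.baseline_hardened:
            reasons.append("security baseline not applied")
        if reasons:
            findings[vm.name] = reasons
    return findings


def deployment_bursts(vms: List[VM], window: timedelta = timedelta(hours=1),
                      threshold: int = 5) -> Dict[str, int]:
    """Return {creator: max VMs created in any sliding `window`} where that
    count exceeds `threshold`. Sliding window over sorted creation times."""
    by_creator: Dict[str, List[datetime]] = {}
    for vm in sorted(vms, key=lambda v: v.created_at):
        by_creator.setdefault(vm.created_by, []).append(vm.created_at)
    bursts: Dict[str, int] = {}
    for creator, times in by_creator.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                bursts[creator] = max(bursts.get(creator, 0), count)
    return bursts


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for name, reasons in sorted(find_unmanaged(inventory, APPROVED_TICKETS).items()):
        print(f"{name}: {', '.join(reasons)}")
    for creator, count in deployment_bursts(inventory).items():
        print(f"{creator}: {count} VMs deployed inside one hour")
```

In practice the inventory would come from the management console's export or API and the approved-ticket set from the change-management system; running the reconciliation on a schedule gives the security team the visibility that a fast, self-service deployment model otherwise takes away.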
Choose carefully
Walls said there is no single virtualization vendor he would favor over another in terms of security.
That said, it's safe to say that the less code a hypervisor contains, and the less access there is to that code, the more secure the solution.
"There are a lot of skinny hypervisors, and a lot of fat ones," Walls said. "Generally the more functionality it has, the more prone it will be to exploits."
The VMware hypervisor's footprint is among the thinnest, with the solutions available from Microsoft and the open source movement being a little fatter, he said.
VMware's Kemp argues that the security of a given solution can come down to how the vendor manages drivers within the hypervisor.
VMware, he said, has a "direct hardware model", under which the vendor writes its own binary drivers for the specific hardware devices the software supports. That, in effect, is why VMware's hypervisor will only work with a select range of hardware.
Some of the vendor's competitors, he said, have implemented a "master domain model" in which hardware drivers are written by third parties and stored in a container mechanism.
"We investigated that model thoroughly as far back as 1988--but the security implications drew us away," Kemp said. "The risk of exposure is increased when more people are writing the code."
Security benefits?
For any potential risks that virtualization poses, it can equally be argued that a correctly implemented solution can actually harden an organization's security.
In the network, virtual servers can be deployed as firewalls or monitoring tools--additional defenses against attack.
Using virtualization, sensitive applications can also be consolidated together on hardware that is better protected than the rest of the server farm.
On the desktop, users can use virtualization to conduct their routine Web surfing on a separate partition from the one they use for making sensitive financial transactions, protecting themselves from malware, fraud and identity theft.
That said, it is worth remembering that virtualization tools, like any software, can never be assumed to be beyond attack.
"I am perfectly confident that somebody will write an exploit for the hypervisor," Walls says. If it's any guide, he said, "we still haven't built the perfect operating system yet!"