I've been doing a bit of writing and speaking on panels recently on the topic of virtualization and the impact that it has across the entire spectrum of risk. I think it's fairly clear to most that virtualization impacts all aspects of the computing landscape, from the client to the data center, and ultimately how securing virtualization by virtualizing security is important.
Gartner just released an interesting article that says "Organizations That Rush to Adopt Virtualization Can Weaken Security." Despite the sensationalism that some people react to in the title, I think that the security issues they bring up are quite valid.
I'm glad to see that this study almost directly reflects the talking points that we've been puttering on about without any glaring omissions as it validates the problem space; it doesn't take a rocket scientist to state the obvious, but I hope we get solutions to these problems quickly.
Granted, these are fairly well-known issues, but most folks have not looked deeply into how this affects their overall risk models:
Organizations must consider these security issues in virtualized environments:
- Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.
- The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense in depth.
- Patching, signature updates, and protection from tampering for offline VM and VM "appliance" images.
- Patching and secure configuration management of VM appliances where the underlying OS and configuration are not accessible.
- Limited visibility into the host OS and virtual network to find vulnerabilities and assess correct configuration.
- Restricted view into inter-VM traffic for inspection by intrusion prevention systems (IPSs).
- Mobile VMs will require security policy and settings to migrate with them.
- Immature and incomplete security and management tools.
I'm going to be presenting something very similar at the ISSA Metro event in Charlotte on April 10th. I'll upload my presentation ahead of time for anyone who might find it useful or interesting.
/Hoff