Server Virtualization Security: Transformational model or just another buzzword?

The first problem with virtualization is that the term is massively overloaded, covering many different technologies that span a plethora of business problems. Nonetheless, virtualization is fundamentally about encapsulating an entity and abstracting it from the operating environment it has traditionally been closely tied to, whether that is an OS from hardware, an application from the OS, or storage from its physical location, and so on. One could spend the entire length of this article on any one of these developing technologies, but here we will focus on server virtualization. Server virtualization is the most widely adopted virtualization technology in the enterprise, allowing significant consolidation of physical resources by layering multiple systems on one piece of hardware managed by a hypervisor. This technology is, however, not only popular for consolidation: it also makes fault tolerance and high availability significantly easier to achieve, because systems become far more portable across hardware. Increasingly, virtualization is the underpinning of the enterprise datacenter, with many enterprises electing to follow a 'virtualization first' policy for all new systems. Unsurprisingly, for a technology so widely adopted and hosting the enterprise's critical services, security has quickly become a hot topic.

Ignoring for a moment the existing technologies and theories around virtualization security, it is apparent that there are areas that require improvement in a virtualized world, and equally that there may be opportunities to provide better security with a different model. The key concerns of the server virtualization security administrator are performance, management and, as a tertiary concern, how to improve security further. Performance is often the greatest gripe. Having embarked on a project to consolidate resources and enhance performance using virtualization, administrators are frequently faced with poor performance from their endpoint security products, which, whilst designed to be lightweight, generally assume free resources because they expect to be the only system on each piece of hardware. Normal activities such as scheduled scans or update checks, which would run unnoticed in the background on a traditional system, can be triggered simultaneously across many guests, placing a huge load on the virtualization platform as a whole and degrading service. There is also a mass of market hype about new attacks that are possible due to virtualization technology and the ability to use the hypervisor to circumvent the system in new ways. There are certainly some interesting proof-of-concept attacks and some precedent for vulnerabilities in the virtualization software, Blue Pill for example, but the greatest threat in these environments is still the traditional malware or hacking threat - the same threat that was present when machines were physical. It is, however, likely that as the use of virtualization increases and valuable data resides on these systems, more 'virtualization'-specific attacks will become prevalent.

This leads us to the new models that use the hypervisor to perform introspection on multiple virtual machines from a single security VM. The theory is fantastic, enabling consolidation of the security functions to enhance performance significantly, but whilst these introspection technologies offer interesting visibility - and they do have some practical uses today, e.g. for conventional firewalling - they do not yet provide a credible replacement for endpoint security. Modern endpoint security requires application, user and data context to work effectively. The belief that anti-virus works purely on signatures and can be performed by simply calculating deterministic hashes is a myth. Modern endpoint security inspects the browser for exploits, since the majority of malware enters the enterprise via the web, is distributed from compromised legitimate websites and exploits the browser; it also observes the runtime behaviour of programs for bad behaviour and understands the user behaviour or the data being acted upon. Getting all of this visibility from a hypervisor dealing with CPU states, memory I/O and other such very low-level information is next to impossible, particularly with present models. An agent running inside the machine to provide that visibility is still required, but that doesn't mean introspection security offers no benefits. Rootkits are increasingly being deployed as part of other forms of malware. Detecting and removing rootkits that circumvent the kernel is very difficult for an agent sitting inside the compromised environment. Introspection security, either via an API or by looking at the virtual disks, makes detection of these nasties significantly easier, as you can scan for their presence without being subject to their manipulation of the operating environment.

In summary, whilst virtualization-specific attacks are developing, today the greatest risks to virtualized server systems are the same as for their physical counterparts. New virtualization security technologies hold promise and are being aggressively developed by virtualization vendors and security vendors, but they are yet to become an effective replacement for endpoint security inside the virtual machines.
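The rootkit point above rests on a simple idea: an agent inside the guest sees the file system through whatever the kernel (and any rootkit in it) chooses to show, whereas a security VM reading the guest's virtual disk sees what is really stored. Comparing the two views is cross-view detection. The example below is added here to illustrate that comparison; it is not code from the article or from Civica, and both file listings are constructed sample data standing in for an in-guest enumeration and an offline read of the virtual disk.

```python
import hashlib

# Constructed sample data (not from the article): what a file-listing agent
# inside the guest reports, versus what a security VM reads directly from the
# guest's virtual disk. A kernel rootkit in the guest hides its own driver from
# in-guest enumeration and hands back clean bytes for a file it has patched.
IN_GUEST_VIEW = {
    "/Windows/System32/ntoskrnl.exe": b"constructed kernel image bytes",
    "/Windows/System32/drivers/disk.sys": b"constructed clean disk driver",
    "/Users/alice/report.docx": b"constructed user document",
}

VIRTUAL_DISK_VIEW = {
    "/Windows/System32/ntoskrnl.exe": b"constructed kernel image bytes",
    "/Windows/System32/drivers/disk.sys": b"constructed PATCHED disk driver",
    "/Windows/System32/drivers/hidden_drv.sys": b"constructed rootkit driver",
    "/Users/alice/report.docx": b"constructed user document",
}


def digest_view(view):
    """Map each path in a view to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in view.items()}


def cross_view_diff(in_guest, on_disk):
    """Compare the guest's own view of its file system with the view taken
    from outside via the virtual disk.

    Returns a dict with three sorted lists:
      hidden   - present on disk but missing from the in-guest listing
      modified - present in both views but with different content
      phantom  - reported by the guest but absent on disk
    A healthy guest read from a quiesced disk should produce three empty lists;
    anything else is worth investigating from the security VM.
    """
    guest_hashes = digest_view(in_guest)
    disk_hashes = digest_view(on_disk)
    hidden = sorted(p for p in disk_hashes if p not in guest_hashes)
    phantom = sorted(p for p in guest_hashes if p not in disk_hashes)
    modified = sorted(
        p for p in disk_hashes
        if p in guest_hashes and disk_hashes[p] != guest_hashes[p]
    )
    return {"hidden": hidden, "modified": modified, "phantom": phantom}


def view_is_consistent(in_guest, on_disk):
    """True when the inside and outside views agree completely."""
    return not any(cross_view_diff(in_guest, on_disk).values())


if __name__ == "__main__":
    for kind, paths in cross_view_diff(IN_GUEST_VIEW, VIRTUAL_DISK_VIEW).items():
        for path in paths:
            print(f"{kind:8s} {path}")
```

In practice the outside view must come from a snapshot or otherwise quiesced disk: reading a disk that the guest is still writing to will report in-flight changes as "modified" and drown the real signal. The in-guest listing is deliberately untrusted; the discrepancies are the finding, not a fault in the comparison.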

Monitor virtualization security closely, but today the top tips are:

  1. Ensure your patching process includes your virtualization technology. Vulnerabilities in the virtualization software could leave you exposed as it increasingly becomes a target.
  2. Follow your endpoint security vendor's best practices for performance tuning on virtualization platforms to address the performance issues attributed to endpoint security on these platforms. Don't buy into bleeding-edge new models - yet!
  3. Remember: it is not just the datacenter you need to watch - be on the lookout for casual use of virtualization at the desktop. Users will make use of these technologies and create 'black holes' in your environment where your corporate policies do not apply. Use application control and update your AUP to make sensible use of virtualization elsewhere in your corporate environment.
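The scan-storm problem described earlier (every guest on a host starting its scheduled scan at the same moment) and the performance-tuning advice in tip 2 come down to the same practical step: stagger the scan windows so a host never runs more scans at once than it can absorb. The following example is added to show that planning step; it is not code from the article or from Civica, and the host-to-guest inventory, the 30-minute scan duration and the 02:00 window start are constructed values.

```python
# Constructed inventory (not from the article): hypervisor host -> guests it runs.
INVENTORY = {
    "hv-host-01": ["web-01", "web-02", "app-01", "app-02", "db-01"],
    "hv-host-02": ["web-03", "app-03", "db-02"],
}


def plan_scan_schedule(inventory, scan_minutes, max_concurrent):
    """Assign each guest a scan start offset (minutes after the window opens)
    so that no more than `max_concurrent` guests on one host scan at once.

    Guests on a host are sorted for a stable result and split into batches of
    `max_concurrent`; batch k starts k * scan_minutes into the window.
    """
    if max_concurrent < 1:
        raise ValueError("max_concurrent must be at least 1")
    schedule = {}
    for host, guests in inventory.items():
        for index, guest in enumerate(sorted(guests)):
            batch = index // max_concurrent
            schedule[guest] = batch * scan_minutes
    return schedule


def peak_concurrency(inventory, schedule, scan_minutes):
    """Per host, the largest number of guests scanning at the same moment.

    Each scan occupies [start, start + scan_minutes). Concurrency can only
    rise at a start time, so sampling at the start times is sufficient.
    """
    peaks = {}
    for host, guests in inventory.items():
        starts = [schedule[g] for g in guests]
        peaks[host] = max(
            sum(1 for other in starts if other <= s < other + scan_minutes)
            for s in starts
        )
    return peaks


def window_length(schedule, scan_minutes):
    """Minutes from window open until the last scan finishes."""
    return max(schedule.values()) + scan_minutes


def to_clock(offset_minutes, window_start="02:00"):
    """Render an offset as HH:MM for a cron-style schedule (wraps past midnight)."""
    hours, minutes = (int(part) for part in window_start.split(":"))
    total = (hours * 60 + minutes + offset_minutes) % (24 * 60)
    return f"{total // 60:02d}:{total % 60:02d}"


if __name__ == "__main__":
    # The default: every guest keeps its vendor-default time and fires together.
    everything_at_once = {g: 0 for guests in INVENTORY.values() for g in guests}
    print("default, peak scans per host:",
          peak_concurrency(INVENTORY, everything_at_once, 30))

    staggered = plan_scan_schedule(INVENTORY, scan_minutes=30, max_concurrent=2)
    print("staggered, peak scans per host:",
          peak_concurrency(INVENTORY, staggered, 30))
    print("window length (minutes):", window_length(staggered, 30))
    for guest, offset in sorted(staggered.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{to_clock(offset)}  scan {guest}")
```

The trade-off is visible in the output: the host that ran five scans at once now runs at most two, at the cost of a 90-minute window instead of 30. The `max_concurrent` value is the tuning knob the vendor guidance in tip 2 is really about, and the same batching applies to update checks as to scans.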

For more information contact your account manager on 0207 760 2800

Copyright Civica UK 2009.