Virtualization will become dominant in enterprises, but the security risks are fuzzy at best. Meanwhile, the usual defense--firewalls, security appliances and such aren't ready for virtualization.
Those are some of the big takeaways from a ThinkEquity report by Jonathan Ruykhaver. Another big takeaway is that enterprises could put off virtualization in the data center because of worries about security risks. Ruykhaver's conclusion is a bit of a stretch for me--I have never heard any technology executive wonder about virtualization security. If anything, virtualization will be in place before anyone notices the security issues. There's something about saving so much on hardware, easy server provisioning and more IT flexibility that overshadows any security worries.
Nevertheless, Ruykhaver's report is noteworthy because it frames the virtualization security issue (all resources). Some key points to ponder:
Server virtualization can aid security, but virtualized environments bring their own headaches. To wit, security threats can originate externally and internally in a virtualized environment. These "intra-host threats" can elude any existing security protection schemes.
Since these virtualized security threats are hard to pin down "this can result in the spread of computer viruses, theft of data, and denial of service, regulatory compliance conflicts, or other consequences within the virtualized environment," writes Ruykhaver.
Hypervisors introduce a new layer of privileged software that can be attacked. The hypervisor operates like an operating system and could require patching. If a hypervisor needed to be patched all virtual machines would have to be brought down. Ruykhaver points out:
One compromised virtual machine could infect all Virtual Machines on a physical server. An attack on one guest virtual machine escaping to other virtual machine's resident on the same physical host represents the biggest security risk in a virtualized environment, in our view. If, or when, attacks focused on virtual machines become readily available, the attacker potentially only has to spend time attacking one virtual machine, which could lead to compromising other virtual machines over a closed network, and eventually escaping the virtual VMM environment and accessing the host. In a typical attack scenario, an attacker has to focus its attacks on one machine at a time, regardless of its intent: "Attack one machine to inflict harm on that one machine." Virtualized environments remove that restriction and create a one-to-many attack scenario: attack the host, own the guests-or even attack one guest, possibly own them all. Hence, we believe the biggest security risk with virtualization is these "guest-to-guest attacks," where an attacker gets the root or administrator privileges on the hardware, and then can hop from one virtual machine to another. If the hacker owns the hypervisor, he/she owns all data traversing the hypervisor and is in a position to sample, redirect, or spoof anything. Without some form of fail-safe, guest operating systems would have no way of knowing they are running on a compromised platform. This "hyperjacking" scenario is particularly frightening if we consider large-scale virtualization platforms that offer 10, 50, even hundreds of hosted servers running on a single piece of hardware. The potential risk for loss of control and revenue is considerable.
Not enough attention has been paid to patching and confirming the security of virtual servers. Has anyone thought through what it would be like patch a virtual infrastructure?
Communications between virtual machines are likely to be popular attack vectors. Virtual machines have to communicate and share data with each other. If these communications aren't monitored or controlled they are ripe for attack, notes Ruykhaver.
There's money to be made in virtualization security. Some of the private companies worth checking out include Blue Lane, Reflex Security and Catbird Networks. BlueLane's flagship product, VirtualShield, finds virtual machines and updates and patches them. Reflex Security's approach creates a virtualized security appliance and infrastructure. Catbird has a VMware certified virtual appliance dubbed V-Agent. IBM and VMware are also developing secure hypervisor technology and ways to lock down virtual machines, respectively.
Bottom line: Ruykhaver's take is that it's just a matter of time before a major vulnerability or threat in virtualized environments emerges. Today, the virtualization security risks are low, but that that could change in a hurry.