Real threats to virtual technology

A lot has been made of the cost-cutting benefits of virtualisation but what are the security risks?

With every new technology comes a new set of security risks. Virtualisation is no exception to this rule, and has already sparked warnings of insufficient application of security protection.

If research from Gartner is to be believed, 60 percent of the virtual machines being used in production environments will be less secure than their physical equivalents by 2009.

Although there are additional risks introduced through a virtual infrastructure, there's no need to throw the security rule book out of the window. The usual suspects, including denial-of-service attacks, software flaws and theft of information, all remain and can be effectively dealt with by using established methods, such as firewalls, intrusion detection solutions (IDS), and effective patch and configuration management, along with rigorous access controls.

Many of the additional risks stem from the mechanisms that are applied to use physical servers as a virtual pool of resource. This means that a security breach on a single server could put at risk not one system but many, and that new target areas for exploitation must be considered.

Virtualisation, therefore, requires additional assessment and the application of appropriate policies, controls and enforcement technologies. The hypervisor, a virtualisation management tool, is often singled out as a new security risk. However, this has been demonstrated to be a highly secure lightweight component. In fact the hypervisor provides a new opportunity for delivering IDS-type services across an entire virtualised estate, resulting in a smaller target area and a simpler solution to manage than some other alternatives.

Locking down access to virtual infrastructure is essential, and should involve role-based administrative controls. The segregation of IT administration duties is key, with different people being made responsible for networks/firewalls, operating systems, security monitoring and the actual virtualisation platform. Furthermore, a rigorous change control process and audit trail will help ensure that any unauthorised modifications to virtual devices can be traced back to the individual responsible.

As well as redefining internal access controls, organisations should consider using application protocol gateways, virtual LANs and network encryption to minimise the exposure of virtual devices to external security risks. Isolating data — either at a SAN or network layer — can also provide additional protection, as can the deployment of a separate management and access network to the virtualisation console.

Although boosting external security defences is important, the integrity of many virtual devices will actually be dependent on the stringency and observance of internal policies. Internal security threats remain the biggest risk to IT security — both physical and virtual — and, with the increased use of handheld devices, corporate data — and even servers — could be transferred from the virtualisation platform to a USB stick or an iPod.

Preventing such breaches, however, is more about common sense and policy enforcement than investing in yet more security technologies. Although security best practice has yet to be defined for virtualised environments, IT managers can address new vulnerabilities by building on their existing security foundations and exploiting the new opportunities that virtualisation presents.

Security risks to virtual devices can be contained and controlled, as long as you keep an open mind and understand the increased complexity.

Colin Bradford is the data centre and storage solution unit practice leader for Computacenter Services