'

Virtualisation 'next frontier' for hackers

Industry observers have warned that business are unprepared for increasingly significant threats to virtual machines

Virtualisation, with its rapid pace of adoption, is becoming a focus for attackers, but not all businesses are aware of, or act on the risks adequately, according to market observers.

Graham Titterington, principal analyst at Ovum, told ZDNet Asia in an email interview that, with the increasing prominence of virtualisation, threats to virtual machines (VMs) are becoming more significant.

"There is little evidence of attacks on the foundation layers of virtualised environments yet, but we need to be vigilant as attacks will surely come," he noted.

"Virtualisation [can offer] the attacker the bonus of taking down many VMs with one attack, if successful. There is also the risk of attacks on the information held in all the VMs sharing the same physical platform if hypervisor security is broken," said Titterington.

Ronnie Ng, Symantec's manager for systems engineering in Singapore and Indonesia, concurred with Titterington's assessment. "While actual hypervisor breaches are still rare, there is still the potential threat of the hypervisor layer being compromised, putting at risk all the virtual servers running business applications," he said in an email.

The key problem with the growth in adoption of server virtualisation, Ng explained, is the lack of control — or 'VM sprawl' — in the datacentre. The ease of deployment of virtual servers makes it difficult to audit and enforce security policies, noted Ng.

Benjamin Low, managing director of Asia South at Secure Computing, added in an email that the mobility of virtual environments and the fact that VMs can "hide" when they are not active make it difficult for traditional network-security tools to monitor and control traffic within virtual networks.

Acknowledging that it would be a matter of time before hackers act on "unprotected vulnerabilities that the technology presents", he warned: "Virtualisation may become the next frontier for black hats."

Virtual defences not adequate
According to Andrew Milroy, research director of the ICT practice at Frost & Sullivan, it is not so much the tools that need to be changed, but the mindsets of businesses in relation to virtualisation security.

"It's not that you need brand new security products… It's just the way the security products are deployed and managed," he said in a phone interview. "From our perspective, it's really a cultural change and understanding of how to deploy the security products more effectively in a different architecture."

The analyst added that greater awareness and education needs to occur, as there is "always a lag for organisations getting onto the security implications of new implementations".

Secure Computing's Low noted that, at times, enterprises rush into implementing virtualisation and relegate security to an afterthought, or purchase security tools that do not meet their needs.

"Some system administrators may be lulled into thinking that, because something is running virtually rather than physically on a server, the same level of attention to risk management, security policies and compliance, such as OS hardening, is not necessary," Low said.

Ovum's Titterington said: "Until recently, security-product vendors claimed to secure virtual environments if their products were capable of running in a compartment — a virtual machine — within a virtualised environment. This protects the application running in that compartment but overlooks the possibility of the wider environment disabling the virtual machine."

In addition, the technology to defend virtual environments is only "partially available", Titterington noted. Citing VMware's VMsafe, he pointed out that the initiative was unveiled in February and security vendors are still in the process of "developing products to work with this".

Secure Computing, according to Low, has developed security gateway virtual appliances including virtualised Secure Firewall, Secure Web and Secure Mail based on the VMsafe API (application programming interface).

To improve the security of virtualised environments, Frost & Sullivan's Milroy said companies need to ensure passwords of VMs are varied enough, and that their IP addresses are not sequential. Servers and operating systems on the host should also be kept "to an absolute minimum", he added.

"If you keep the same security policies and software in a virtualised environment, your risks will go up," said Milroy. "It's not to say you'll be a sitting duck — it's just [more risky] because there's so much in one machine, [so], should that one machine be broken into or infected by something, then the consequences are more severe than if you have many more [physical] servers."