Securing the Virtual World
There has been a rapid adoption of virtualisation technologies by businesses in recent times in order to decrease costs and improve efficiencies and availability of IT resources as well as conserve energy.As with all new technologies that become prolific throughout the IT industry in a short space of time, there is uncertainty around the security concerns of virtualised environments. In most cases, deployment of virtualisation is considered more important than taking appropriate security measures, which can prove to be a risky move in the long term.There seems to be a lack of consensus within the IT industry whether virtualised environments are fundamentally no less secure than physical ones, and that virtualisation can actually enable better security. The bottom line, however, is that virtualisation platforms are software and all software can have flaws. It is how we thoroughly plan and introduce proper policies and IT strategies to secure these platforms that will eventually mitigate the risk of attacks.Why Virtualise?Virtualisation makes it easy to build and deploy new releases and put changes into production. Service providers have also used virtualisation to respond to customer demands and provide capabilities such as instant provisioning, as well as the ability to offer the isolation and manageability of dedicated hosting without reserving expensive hardware for each customer. Today, these capabilities are prerequisites to achieving the elasticity and flexibility of private and public clouds.The ‘Big’ question of what’s in it for me?Virtualised platforms have the potential to significantly lower IT costs by moving to a virtualised infrastructure. According to a CIO Research Survey, the top five reasons customers move to virtual servers for their applications are:
- To cut costs via server consolidation (81%)
- To improve disaster recovery (DR) and backup plans (63%)
- To provision computing resources to end users more quickly (55%)
- To offer more flexibility to the business (53%)
- To provide competitive advantage (13%)
- Information security isn’t initially considered in virtualisation projects.
- A compromise of the virtualisation layer could result in the compromise of all hosted workloads.
- Workloads of different trust levels are consolidated onto a single physical server without sufficient separation. Adequate controls on administrative access to the hypervisor (Virtual Machine Monitor) layer and to administrative tools are lacking.
- There is a potential loss of Separation of Duties (SOD) for network and security controls.
- Perimeter enforcement – protecting the "inside” from the "outside” – with network architectures that are built on this separation.
- All traffic flows over physical networks, so security can be implemented by interposing physical devices on the wire
- Network architectures blur the "perimeter” with private resources spanning locations in arrangements leveraging VPNs.
- An all-or-nothing, inside-vs-outside approach does not take into account the need to protect information, regardless of location.
- Multiple organisations and applications within a business, and multiple businesses hosted by a service provider, can be on the same side of a physical perimeter thereby complicating matters.
- Compliance and privacy requirements make it necessary to offer security and auditability between entities within the same virtual infrastructure.
- Mobile users can easily bring malware into a shared infrastructure.
- For service providers, the ability to offer full protection is even more critical when multiple customers are hosted on the same server farm – or even on the same server.
- Physical appliances cannot offer in-line protection in a dynamic virtual infrastructure.
- High-availability and live motion capabilities can mean that applications do not always run on the same physical servers.
- Traffic can pass over virtual-only networks within a server, making it impossible to interpose a physical device.