Gartner: Virtualization Risks and my rebuttal

Here is my internal response to the Gartner Virtualization Risk paper, starting with an excerpt from Gartner’s introduction. (Gartner’s comments were in italics in the original; here each Gartner point appears as a quote or a bullet, and my response follows it.)

“Virtualization, as with any emerging technology, will be the target of new security threats,” said Neil MacDonald, vice president and Gartner Fellow. “Many organizations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools. While this is a start, simply applying the technologies and best practices for securing physical servers won’t provide sufficient protections for VMs.”

The XXX infrastructure team has consistently taken a best-practice approach to introducing new technologies into our environment. Our security of virtual machines is based on our practices for securing physical servers, namely granular administrative access, patch currency, and implementation of least privilege. Virtualization certainly adds a new layer of technical complexity to the environment, but the security of data on the virtual machine remains essentially the same. Contrary to Gartner’s assertion, much of the process and procedure already in place will maintain our current security level.

During this process, organizations must consider these security issues in virtualized environments:

  • Virtualization software, such as hypervisors, represents a new layer of privileged software that will be attacked and must be protected.

Patching the hypervisor (the ESX vmkernel) is already done on a routine basis, and the virtualization layer is subject to the same patch strategy that applies to all of our servers. Our security department routinely evaluates newly released security vulnerabilities and makes recommendations based on our risk and vulnerability assessment. It additionally runs a vulnerability scan on each new ESX host before the host is put into production. Because a hypervisor vulnerability exposes every guest on the host, these patches warrant correspondingly higher priority. This pre-production assessment has proven invaluable in discovering vulnerabilities before go-live, which is a far more constructive approach than highlighting a concern without a possible mitigation.

  • The loss of separation of duties for administrative tasks, which can lead to a breakdown of defense in depth.

The same granularity of administrative access that we apply to physical servers exists for virtual machines and their environment, implemented through VirtualCenter’s roles and permissions. XXX also relies on published processes to control which procedures administrators may perform, and those procedures can be audited. It is the combination of limited privilege and auditing that gives us the greatest assurance that appropriate actions are taken and controls are maintained.

  • Patching, signature updates, and protection from tampering for offline VM and VM “appliance” images.

XXX does not typically maintain offline VM or VM “appliance” images. The risk, however, is the same one we already face with offline physical servers and with physical appliances in our environment, such as our Infoblox appliances. In each case the server team has a process to enumerate and weigh the risks of a packaged best-of-breed solution against its benefits. The vendor of an appliance image remains responsible for keeping its security current, and the vendor’s responsiveness to security vulnerabilities is part of our evaluation. The quality of an appliance is directly related to continued vendor support, as is the case for any application. One caveat applies to any dormant image: it receives no patches while offline, so it should be verified against a known-good digest and scanned or updated before it is registered and powered on, so that a stale or modified image is not reintroduced.
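The tamper check Gartner’s point calls for can be scripted before an offline image is registered. The following is an added example, not part of the original post and not VMware’s own tooling; it assumes an OVF-style manifest file (one line per file in the form `SHA1(<name>)= <hexdigest>`, SHA256 also accepted) sitting beside the image files, and it builds its own throwaway image directory as constructed sample data so it runs offline.

```python
"""Verify an offline VM image directory against its digest manifest.

Added example (not from the original post or from VMware). Assumes an
OVF-style manifest: one line per file, `SHA1(<name>)= <hexdigest>` or
`SHA256(<name>)= <hexdigest>`. Reports files that are missing, files whose
digest differs from the manifest, and files present on disk but absent
from the manifest (a planted payload would show up there).
"""
import hashlib
import os
import re
import tempfile

MANIFEST_LINE = re.compile(
    r"^(SHA1|SHA256)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)\s*$"
)


def parse_manifest(text):
    """Return {filename: (algorithm, hexdigest)}; reject malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[m.group("name")] = (m.group(1).lower(), m.group("digest").lower())
    return entries


def file_digest(path, algorithm):
    """Stream the file through the named hash so large VMDKs fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image_dir(image_dir, manifest_name="image.mf"):
    """Return a sorted list of problems; an empty list means the image is intact."""
    with open(os.path.join(image_dir, manifest_name), encoding="ascii") as f:
        expected = parse_manifest(f.read())
    problems = []
    for name, (alg, digest) in expected.items():
        path = os.path.join(image_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
        elif file_digest(path, alg) != digest:
            problems.append(f"digest mismatch: {name}")
    # Anything the manifest does not cover is treated as suspicious too.
    for name in os.listdir(image_dir):
        if name != manifest_name and name not in expected:
            problems.append(f"unlisted file: {name}")
    return sorted(problems)


def build_demo_image(tamper=False):
    """Construct a throwaway image directory (constructed sample data, not a real VM)."""
    d = tempfile.mkdtemp()
    files = {"demo.ovf": b"<Envelope/>", "demo-disk1.vmdk": b"KDMV" + b"\x00" * 64}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    lines = [f"SHA256({n})= {hashlib.sha256(b).hexdigest()}" for n, b in files.items()]
    with open(os.path.join(d, "image.mf"), "w", encoding="ascii") as f:
        f.write("\n".join(lines) + "\n")
    if tamper:
        # Simulate an attacker appending to a disk and dropping an extra file.
        with open(os.path.join(d, "demo-disk1.vmdk"), "ab") as f:
            f.write(b"payload")
        with open(os.path.join(d, "extra.vmdk"), "wb") as f:
            f.write(b"unlisted")
    return d


if __name__ == "__main__":
    print("clean image:", verify_image_dir(build_demo_image()))
    print("tampered image:", verify_image_dir(build_demo_image(tamper=True)))
```

The manifest itself is only as trustworthy as the channel it arrived through: a digest list stored next to the image can be rewritten by whoever modified the image, so the manifest (or its own digest) should come from the vendor or from a separate, access-controlled record.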

  • Patching and secure configuration management of VM appliances where the underlying OS and configuration are not accessible.

As mentioned above, XXX has not implemented any virtual appliances.

  • Limited visibility into the host OS and virtual network to find vulnerabilities and assess correct configuration.
  • Restricted view into inter-VM traffic for inspection by intrusion prevention systems (IPSs).

Both of the above points relate to the virtual switches inside the virtual environment. The perceived difficulty is that traffic between VMs on the same host crosses the virtual switch without ever reaching the physical network, so existing IPS devices cannot tap it. We currently do not implement network-based monitoring within our switching network; host-based IPS, with detection and monitoring at security boundaries, is our preferred approach. That is not to say network-based monitoring within the virtual environment is impossible: products such as Blue Lane’s already provide that function should it ever be required.

  • Mobile VMs will require security policy and settings to migrate with them.

All VM security settings are granted within VirtualCenter and follow the virtual machine wherever it is migrated, because they are attached to the VM object rather than to the host it happens to run on. Controls that key on the host or on its physical network port, such as switch-port rules, do need to be reviewed for migration. Transfer of confidential company data, whether inside a virtual machine or as a collection of files, is covered by existing company policies and processes.

  • Immature and incomplete security and management tools.

We have implemented the best-of-breed management tool, VMware VirtualCenter, whose granular rights administration lets us give application administrators limited access to their virtual machines and restrict them to only the rights they require.



Comments

  • Virtualization in itself isn’t any less secure than a physical environment. However, it does introduce new factors that require new thinking and new solutions/approaches. VM sprawl is a real risk if environments aren’t properly managed. There are levels of mobility (vmotion) that can break/erode the capabilities of static security solutions (firewall IP address rules, IDPS sigs); and stack variety will certainly add new dynamics to regression testing.

    With proper planning and mission-capable solutions one can deliver superior security. I think Neil’s point is that many have virtualized production environments without proper planning or solutions in place and have simply assumed that “everything is the same”… which it isn’t.

    Here is a link to my blog on the topic:

    Greg Ness
    Blue Lane Technologies