This data confirms what we already know: Virtualization has been top of mind for IT professionals such as enterprise architects (EA) as well as IT infrastructure and operations professionals (I&O) for years. What about security professionals? Has it been top of mind for them? Many chief information security officers (CISOs) are not aware of the virtualization security risks, while other CISOs are very concerned about their virtual environments but don’t always have the authority or the influence over I&O to enforce policy or implement new security controls.
Security Incidents In a Virtual Environment Can Be Disastrous
Let’s consider the recent security incident at the Japanese pharmaceutical company Shionogi. In February 2011, a terminated IT administrator, Jason Cornish, used a service account to access the company’s network. Once connected, he used an unauthorized installation of VMware vSphere to delete 88 virtual servers. According to the criminal complaint: “the deleted servers housed most of Shionogi’s American computer infrastructure, including the company’s email and BlackBerry servers, its order tracking system, and its financial management software. The attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, cut checks, or communicate by email.”
Security Professionals Are Playing Virtualization Catchup
While I&O professionals have rapidly virtualized the environment to reduce costs and improve flexibility, security professionals have remained on the sidelines — either by choice or because I&O has marginalized them. This is true regardless of the size of the organization. Our research interviews with IT professionals in enterprise architecture, IT operations, and security revealed several troubling themes:
- Business as usual is the status quo. IT departments rely upon traditional security solutions to secure their virtual environments. For example, they use endpoint security agents and network security devices designed for physical environments to secure virtual workloads. One security leader said, “We rely on our existing solutions; we haven’t yet altered our approach for the virtual environment.”
- Many security pros aren’t aware of the available solutions. We found that most security professionals have very limited knowledge of the efficacy and availability of virtualization-aware solutions that can more effectively secure their virtual environments. One CISO we spoke with wasn’t aware that his organization’s current antivirus vendor offered an endpoint virtualization solution.
- Many security pros have a general discomfort with virtualization. Security pros, especially CISOs and other security leaders who have risen up the technical ranks, aren’t as confident in their virtualization knowledge as they would like to be. This is particularly the case when we compare virtualization with more mature security areas, such as network security. One CISO remarked, “We haven’t touched this technology as much as we’d like, and we have to physically sit at the console next to operations to see the environment.”
Everyone Knows Virtualization’s Benefits — But Not Its Risks
Lower total cost of ownership (TCO), flexibility, improved high availability and disaster recovery capabilities, and faster time-to-market are just a few of virtualization’s benefits. However, all IT professionals — most importantly, security professionals — need to have an understanding of the risks. These include:
- Limited visibility into intra-virtual-machine traffic. Depending on your network architecture, virtualization can create blind spots in your network, and many security professionals don’t have the tools to inspect intra-virtual-machine (VM) communication (i.e., traffic between two virtual machines on the same virtual server). All of the security professionals we interviewed rely upon traditional network security devices, but if the intra-VM traffic never routes through the physical network, how can you inspect it? Our interviews revealed that many CISOs aren’t comfortable with the level of visibility they have into their virtualized environments. One CISO stated, “I know I am wearing rose-colored glasses; we just haven’t looked into this.”
- Increased vulnerability to insider threats. The Shionogi incident illustrates the significance of the insider threat. The collapsed nature of virtual environments exacerbates the impact of insider threats. Forrester estimates that almost half of security breaches were the result of so-called “trusted” insiders and business partners — whether their actions were malicious or unintentional. We can’t forget about this scenario — the well-meaning employee who clicks in the wrong place at the wrong time. As the statistics indicate, this is a much more likely situation than a malicious insider. The insider threat elevates privileged user management to a whole new level: “I’ll see your domain admin and raise you one virtualization admin account.” In our interviews, we found that the majority of IT professionals have relatively flat administration roles with excessive permissions. An enterprise architect from a large multinational corporation told us: “Our administrators have complete access to the environment; all admins have access to all zones. We realize it isn’t ideal.” You don’t want to gamble with your privileged users; the administrator is the weakest link.
- The inability to maintain security controls in a dynamic environment. Change and configuration management can be challenging in a virtual environment. Even the most junior of IT professionals can quickly provision and delete a VM, and VM sprawl is a reality for many organizations. Additionally, how can you be sure that you have scanned offline VMs for vulnerabilities and patched them? Technologies such as live migration help organizations harness the power of virtualization and make the environment extremely dynamic. Today, 50% of enterprises use live migration, and 13% are planning to implement it in the next 12 months. How confident are you that when an IT pro migrates a guest VM from one virtual server to another, its security posture follows?
- An increased compliance footprint. Virtualization also increases the compliance burden. As with any new technology, the auditors are playing catchup. In June 2011, the PCI Security Standards Council issued its first guidance on virtualization security, and you can expect challenges as auditors interpret the PCI DSS virtualization guidelines and organizations attempt to comply with them. There is inconsistency among Qualified Security Assessor (QSA) firms: some firms permit virtual mixed-mode segmentation, while others do not. You can also expect other compliance organizations to follow PCI’s lead and offer guidance on virtual environments.
- The requirement to secure more layers of infrastructure and management. Virtualization brings new layers that we must secure. We have additional infrastructure and management layers to protect as well as the hypervisor itself. If an insider or cybercriminal compromises either, all bets are off. Virtual systems aren’t unique and are just as vulnerable as any other system running code. If it runs code, someone can compromise it. In 2011, VMware had released 14 security advisories as of December 17. In its X-Force 2010 Trend and Risk Report, IBM researched 80 vulnerabilities and found that more than 50% could compromise the administrative VM or lead to hypervisor escapes (see Figure 2). In previous research, we addressed the security of the hypervisor and concluded that it introduces some marginal risk to the server environment but that concerns are largely overblown. As the CISO of one large manufacturing company put it: “Am I worried about hypervisor attacks? Absolutely, but they are very low on a long list of more likely scenarios.”
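The blind spot described under limited visibility above can be made concrete. The Python script below is an added example, not part of this report, that models a small constructed inventory (hypothetical host and VM names, constructed flow records) and works out which east-west flows a sensor on the physical switch never sees, how a virtual sensor on a host changes that, and how a live migration that lands two VMs on the same host silently removes their traffic from view:

```python
"""Which east-west flows can a physical network sensor actually see?

Added example with constructed data; host and VM names are hypothetical.
A sensor on the physical switch sees only traffic that leaves a host.  Two
VMs on the same host exchange traffic over the virtual switch, so that
traffic never reaches the physical sensor.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed placement: VM name -> host it currently runs on.
PLACEMENT = {
    "web-01": "esx-a",
    "web-02": "esx-b",
    "app-01": "esx-a",
    "db-01": "esx-a",
    "db-02": "esx-c",
}

# Constructed flow log (source VM, destination VM, destination port).
FLOWS = [
    Flow("web-01", "app-01", 8080),
    Flow("web-02", "app-01", 8080),
    Flow("app-01", "db-01", 5432),
    Flow("app-01", "db-02", 5432),
    Flow("db-01", "db-02", 5432),
]


def crosses_physical_network(flow, placement):
    """True when the two endpoints run on different hosts."""
    return placement[flow.src] != placement[flow.dst]


def split_by_visibility(flows, placement, virtual_sensor_hosts=frozenset()):
    """Partition flows into (seen, blind) for a given sensor deployment.

    A physical-switch sensor sees inter-host traffic only.  A host listed in
    virtual_sensor_hosts also carries a virtual sensor (appliance or
    hypervisor tap), which additionally covers intra-host traffic there.
    Intra-host flows have both endpoints on the same host, so checking the
    source's host is enough.
    """
    seen, blind = [], []
    for flow in flows:
        if crosses_physical_network(flow, placement) or placement[flow.src] in virtual_sensor_hosts:
            seen.append(flow)
        else:
            blind.append(flow)
    return seen, blind


def blind_fraction(flows, placement, virtual_sensor_hosts=frozenset()):
    """Share of flows the deployed sensors never see."""
    _, blind = split_by_visibility(flows, placement, virtual_sensor_hosts)
    return len(blind) / len(flows) if flows else 0.0


def newly_blind_after_move(flows, placement, vm, new_host):
    """Flows visible to a physical sensor before `vm` moves to `new_host` but not after.

    Consolidating two chatty VMs onto one host removes their traffic from the
    physical sensor's view without any alert being raised.
    """
    moved = dict(placement, **{vm: new_host})
    before, _ = split_by_visibility(flows, placement)
    after, _ = split_by_visibility(flows, moved)
    return [f for f in before if f not in after]


if __name__ == "__main__":
    seen, blind = split_by_visibility(FLOWS, PLACEMENT)
    print(f"physical sensor only: {len(blind)} of {len(FLOWS)} flows are blind")
    for f in blind:
        print("  blind:", f)
    print("with a virtual sensor on esx-a, blind fraction =",
          blind_fraction(FLOWS, PLACEMENT, {"esx-a"}))
    print("flows that go blind if db-02 moves onto esx-a:")
    for f in newly_blind_after_move(FLOWS, PLACEMENT, "db-02", "esx-a"):
        print("  ", f)
```

In the constructed inventory the physical sensor misses two of the five flows (the web-to-app and app-to-database hops that stay on esx-a), a virtual sensor on that one host closes the gap, and moving db-02 onto esx-a turns two more previously visible flows blind. The same placement model works against a real flow export once the VM-to-host map is pulled from the management layer.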
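For the dynamic-environment risk above (offline VMs going unscanned, and posture not following a migrated VM), here is a second added example, again not from the report, using constructed hosts, VMs, policy names and dates. Each hypothetical host is dedicated to one trust zone and enforces a set of security policies, each VM declares the zone and policies it requires, and the checks re-evaluate every VM after a set of migrations and flag VMs, powered-off ones included, whose last vulnerability scan is too old:

```python
"""Does security posture follow a VM through live migration, and do
powered-off VMs still get scanned?

Added example; hosts, VMs, policy names and dates are constructed and
hypothetical.  A host (or cluster) belongs to one trust zone and enforces a
set of policies; a VM declares what it requires.  After migration the VM is
re-checked against its new host.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    policies: frozenset


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    zone: str
    required_policies: frozenset
    powered_on: bool
    last_scan: Optional[date]


# Constructed hosts: esx-pci-2 is in the PCI zone but lacks the IDS policy.
HOSTS = {
    "esx-pci-1": Host("esx-pci-1", "pci", frozenset({"fw-pci", "ids", "av"})),
    "esx-pci-2": Host("esx-pci-2", "pci", frozenset({"fw-pci", "av"})),
    "esx-gen-1": Host("esx-gen-1", "internal", frozenset({"fw-default", "av"})),
}

TODAY = date(2011, 12, 17)  # constructed "now" for the scan-age check

# Constructed inventory; old-erp is powered off and a template has never run a scan.
VMS = [
    VM("card-db", "esx-pci-1", "pci", frozenset({"fw-pci", "ids", "av"}), True, date(2011, 12, 10)),
    VM("card-web", "esx-pci-1", "pci", frozenset({"fw-pci", "av"}), True, date(2011, 12, 12)),
    VM("intranet", "esx-gen-1", "internal", frozenset({"fw-default", "av"}), True, date(2011, 12, 1)),
    VM("old-erp", "esx-gen-1", "internal", frozenset({"fw-default", "av"}), False, date(2011, 9, 1)),
    VM("template-w2k8", "esx-gen-1", "internal", frozenset({"av"}), False, None),
]


def apply_migrations(vms, migrations):
    """Return a new VM list with each (vm_name, dest_host) migration applied."""
    dest = dict(migrations)
    return [replace(vm, host=dest[vm.name]) if vm.name in dest else vm for vm in vms]


def posture_violations(vms, hosts):
    """(vm, reason) pairs where the host does not provide the VM's zone or policies."""
    problems = []
    for vm in vms:
        host = hosts[vm.host]
        if host.zone != vm.zone:
            problems.append((vm.name, f"{vm.zone} workload on {host.zone} host {host.name}"))
        missing = vm.required_policies - host.policies
        if missing:
            problems.append((vm.name, f"{host.name} does not enforce {sorted(missing)}"))
    return problems


def stale_scans(vms, today, max_age_days=30):
    """(vm, reason) pairs for VMs not scanned in the window; powered-off VMs are included."""
    cutoff = today - timedelta(days=max_age_days)
    stale = []
    for vm in vms:
        state = "" if vm.powered_on else " (powered off)"
        if vm.last_scan is None:
            stale.append((vm.name, "never scanned" + state))
        elif vm.last_scan < cutoff:
            age = (today - vm.last_scan).days
            stale.append((vm.name, f"last scan {age} days ago" + state))
    return stale


if __name__ == "__main__":
    moves = [("card-db", "esx-pci-2"), ("card-web", "esx-gen-1")]  # constructed migration events
    print("violations before migration:", posture_violations(VMS, HOSTS))
    for vm, why in posture_violations(apply_migrations(VMS, moves), HOSTS):
        print(f"after migration  {vm}: {why}")
    for vm, why in stale_scans(VMS, TODAY):
        print(f"scan coverage    {vm}: {why}")
```

Before the migrations the inventory is clean. Moving card-db to esx-pci-2 keeps it in the PCI zone but drops the IDS policy it requires, and moving card-web onto a general-purpose host produces both a zone violation and a missing firewall policy; neither would be caught by a scanner that only looks at the VM itself. The scan check deliberately treats powered-off VMs and templates like running ones, since they will carry their unpatched state with them when they are powered on again.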
Other Sections Available in the Full Download
Better Late Than Never: Here's How To Get Into The Virtualization Security Game
Increase Your Team’s Virtualization Knowledge
Stick To Your IT Colleagues Like Glue
Supplemental Material