Hacking

Virtual Systems, Real Security Holes

As businesses seek new ways to cut costs, IT departments are often placed on the hot seat, and that has fueled interest in virtualization. For example, VMworld 2010, held in San Francisco recently, drew more than 17,000 attendees and saw more than 145,000 virtual machines deployed.

However, as businesses rush to virtualize, they too often tend to sweep security under the carpet, figuring they’ll deal with that problem later.

A survey conducted jointly by Altor Networks and Juniper Networks at VMworld 2010 found that the cost-cutting mindset is pushing organizations toward virtualization at the expense of security and risk mitigation.

“There’s a constant pressure on IT to utilize hardware resources more fully,” Bill Roth, chief marketing officer at LogLogic, told TechNewsWorld.

The Good, the Bad and the Mixed Up

The survey conducted by Altor and Juniper found that IT is conflicted as it struggles to meet needs that may sometimes be diametrically opposed.

“The business benefits of embracing virtualization may be too great, and so enterprises may use some legacy security mechanisms that are already in place and put in the virtualization security after the fact,” Johnnie Konstantas, chief marketing officer at Altor Networks, told TechNewsWorld. “So, while they’re aware of the security risk, they are prepared to deal with it after the fact.”

Some enterprises do take a phased approach to virtualization rollouts, Konstantas pointed out. However, large enterprises that either have a lab where they can test for disaster recovery or are under regulatory pressures often tend to roll out security after they’ve virtualized their systems, she said.

Groping Through the Fog

The notion of planning out a network and laying out security considerations first has been well established in IT, so why is it that many enterprises don’t follow this procedure?

“Traditionally, IT has two big problems — it’s asked to do more with less every year, and it’s asked to do it faster,” LogLogic’s Roth pointed out. He was head of new product development for GSI Commerce, an e-commerce provider that handles Toys ‘R’ Us and the NFL among other major clients, and “those were the restrictions we were under,” Roth said.

Meanwhile, IT often lacks a sufficiently deep understanding of what’s going on in the virtual environment.

“We have a virtual appliance that delivers log management,” Roth said. “What we don’t understand when we get into a cloud or are being run under the aegis of VMware Cloud Director is, what are the security issues between the virtual machines?”

For example, a virtual machine (VM) running office apps may be housed on the same physical sever as a VM that requires strong security. That inadequate understanding can lead to complications. For example, juxtaposition of VMs with different security requirements could lead to security problems because an improperly secured VM may be used by hackers as a springboard to infect other VMs running on the same physical server.

Expect the Unexpected

Much of the time the problem is that IT staffers are treading new ground when they virtualize, so they don’t know what to expect.

“For example, when I create a virtual machine or install a virtual environment like VMware Workstation on my desktop, it creates two more network interfaces that we may not know we have to monitor,” LogLogic’s Roth said. “So virtualization is wonderful, but it doesn’t always deliver exactly what we expect. As you get to the next evolution of computing platforms, there’s always some unintended consequences, and the unintended consequences of virtualization are where the security problems lie.”

Perhaps the best way to cope with that type of uncertainty is to take it in stride and work out ways of dealing with it that don’t require users to make too many changes in the way they work.

For example, about 70 percent of people mix workloads and plan to continue doing so, Altor’s Konstantas pointed out. A solution that goes along with this tendency may work better than one that doesn’t.

“Our view of the world is that this is going to happen, and you should be able to shrink-wrap every virtual machine in layered security and a firewall, and do that in a way that the security follows the machine around,” Konstantas said. “Then you won’t have to worry about mixing workloads.”

Possible Solutions for Security

One of the main barriers to implementing security in the virtualized environment is the lack of proper tools. Major vendors such as Computer Associates and HP have extended their security products to cover the virtual environment, but virtualization experts contend this isn’t enough because the virtual world has a different set of requirements from the physical.

“The rate of change in the virtualized environment is much higher than in the physical environment,” Altor’s Konstantas said. “For example, 55 percent of the respondents to our survey at VMworld 2010 said they experienced change several times a day in which they added to, deleted or changed the content of a virtual machine.”

New tools and approaches designed specifically for the virtual environment are emerging.

Altor is one of the vendors offering new tools. Its products automate the process of monitoring VMs and alerting security when something goes wrong. They also look deep into a VM, enabling IT to implement very detailed policies governing VMs.

“Making granular policies for each and every virtual machine isn’t possible with current offerings because they don’t have the visibility inside the VM host that our tools do,” Konstantas said.

LogLogic, which offers log management, has worked with VMware to create logs for the latter’s Cloud Director product that users can conduct forensics and security analysis on.

Trend Micro recently announced an agentless antimalware module for VMware virtual environments. This is in its Deep Security 7.5 product.

Agentless security ensures that, when you pull up a VM you’ve parked, it automatically is provisioned with the right level of security. Antimalware apps that use agents don’t let you do that because the agent stores the level of security that was appropriate when the VM was parked, and that may be out of date when you call up the VM again.

Another problem agentless security resolves is the occurrence of brownouts. These happen when security operations running concurrently on several VMs on one physical server compete for that server’s resources.

However, products alone aren’t enough.

“The best security plans focus on three things — people, process and products,” LogLogic’s Roth said. “You’ve got to hire good people and know your people; you need the right products; and you have to implement proper processes.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Hacking

Technewsworld Channels