AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY
Wednesday, February 18, 2009
Emphasizing Virtualization Security
Perhaps companies figure so much attention has been given to virtualization that if it was not secure they'd hear about it in the press. Because it appears that at many organizations virtualization security has been "back-burnered."
The truth is businesses in the real world can't always take a strict engineering approach to security, and they adopt a more practical risk management approach. The first tenet of good risk management is to deal with the greatest risks first, and today there are a lot more holes in applications than anywhere else. So putting your money into application security has been a pretty good bet thus far.
But another tenet of good risk management is to project what your risk landscape will look like in the future, and that's where there is increasingly cause for concern. As virtualization becomes more prevalent, the payoff for criminals to compromise the hypervisor is increasing very quickly, which means that our risks there will be ballooning soon as well. Virtualization more-or-less pushes the entire OS and network stack up into the "application security" space, and so it makes sense to rethink our security programs and shift the focus into hypervisor security, because that's where our operational risks are migrating.
When it comes to securing the hypervisor the same architectural principles of good security still apply (defense-in-depth, fail-safe rather than fail-open controls, etc...), but it can be a bad thing if we don’t realize we need to apply those rules to the newer virtualization layers as well. Taking the same old approach at the host level can lead to a false sense of security because new threats do exist (meta-attacks on the hypervisor).We are manipulating the entire host as a stream of bits, and this pushes what was previously only physically accessible into the realm of software accessibility, increasing the baseline risk of exposure for each system.
This doesn't invalidate the need for host level security as part of an appropriate defense-in-depth strategy, but it does mean that resources should be rebalanced across the categories of threats a system faces. The reality is that for any new structural layer we add to our IT systems, such as virtualization, we also face new categories of threats. The mistake many enterprises make is thinking that virtualization gains us something for nothing, but there are always trade-offs. But it’s also true that those trade-offs can be managed with an intelligent approach.
-- Chris Healey, Senior Consultant, Akibia