But as the rush to virtualize continues to push the technology mainstream, solution providers need to be sure they're taking the same approach that they would with any emerging technology: identifying and containing security risks.
"Because of the rush to adopt virtualization for server consolidation efforts, many security issues are overlooked, best practices aren't applied and in some cases, the tools and technologies for addressing some of the security issues with virtualization are immature or non-existent," according to Neil McDonald, vice president and fellow at Stamford, Conn.-based consulting firm Gartner Inc. McDonald believes that through 2009, more than 60 percent of virtual machine deployments in production will be less secure than their physical counterparts.
"Based on conversations I've had with clients, 90 percent of the time they haven't thought through technology tools they need to purchase to plug security gaps," he said.
Simon Herring, founder of Columbus, Ohio-based security solution provider Jacadis LLC, said he has encountered the same problems.
"At a high level, I am seeing our clients adopt virtualization to decrease their investment in hardware, as well as the maintenance involved in multiple physical platforms," Herring said. "This makes great sense. But the ease with which new guests' operating systems can be created presents security challenges. Out of sight is out of mind. If it's high on people's adoption list, it's also high on the adversary's list to decompose, analyze and identify ways to attack."
The Hidden Threat
The National Vulnerability Database (NVD) is the U.S. government's repository of standards-based vulnerability management data and part of the National Institute of Standards and Technology (www.nist.gov). According to NVD's most recent data, security vulnerabilities or manipulations in a virtual environment may include denial-of-service attacks, memory exhaustion, remote attackers that execute arbitrary code via vectors, memory corruption around de-duplication of user IDs and vulnerabilities that cause user passwords to be recorded in clear text in server logs, which could enable local users to gain privileges.
In February 2008, Boston-based security software provider Core Security Technologies Inc. discovered that Palo Alto, Calif.-based VMware Inc.'s desktop virtualization software had a serious security flaw. A mechanism was discovered in VMware's shared folders that granted users of a Guest system read and write access to any portion of the Host's file system—including the system folder and other security-sensitive files. Exploiting that vulnerability allowed attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.
"What's most relevant about this vulnerability is that it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Core Security CTO Iván Arce in a statement. "This vulnerability provides an important wake-up call to security-concerned IT practitioners. It signals that virtualization is not immune to security flaws and that 'real' environments aren't safe simply because they sit behind virtual environments."
For its part, VMware said that when it comes to virtualization security flaws, the market tends to have a "knee-jerk reaction."
"This is the same thing we've been hearing about for years," said Nand Mulchandani, VMware's senior director of product management and marketing. "There are a lot of misconceptions—virtualization security problems are not much different from the physical server environment. As [Gartner's] Neil McDonald said, a lot of people in the industry haven't thought it through and the biggest threat is from misconception and misuse."
McDonald said he disagreed with VMware's views on the subject.
"Actually, what I said was that the problem lies in misconfiguration and mismanagement," he explained. "It is a mistake to say that everything is the same as in the physical world, and VMware compounds the problem if they say virtualization security flaws are the same and ignoring this puts people at risk."