Most Common Virtualization Security Risks
Just like any other computer terminology and technology, virtualization is one term that is widely used by most of the tech companies. Almost all tech companies embraced and are offering virtualization solutions. They say its more effective, easy to manage, more affordable, and more efficient. But the question is, are virtualized servers more secure than physical servers?
What is virtualization? Simply put – virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources. The usual goal of virtualization is to centralize administrative tasks while improving scalability and work loads.
So going back to my question, are virtualized servers more secure than physical servers? According to Gartners, through 2012, 60 percent of virtualized servers will be less secure than the physical servers they replaced. Although Gartner expects this figure to fall to 30 percent by the end of 2015, analysts warned that many virtualization deployment projects are being undertaken without involving the information security team in the initial architecture and planning stages.
Gartner research indicates that at the end of 2009, only 18 percent of enterprise data center workloads that could be virtualized had been virtualized; the number is expected to grow to more than 50 percent by the close of 2012. As more workloads are virtualized, as workloads of different trust levels are combined and as virtualized workloads become more mobile, the security issues associated with virtualization become more critical to address.
Here are the six most common virtualization security risks according to Gartner:
– Risk: Information Security Isn’t Initially Involved in the Virtualization Projects
Survey data from Gartner conferences in late 2009 indicates that about 40 percent of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages.
– Risk: A Compromise of the Virtualization Layer Could Result in the Compromise of All Hosted Workloads
The virtualization layer represents another important IT platform in the infrastructure, and like any software written by human beings, this layer will inevitably contain embedded and yet-to-be-discovered vulnerabilities that may be exploitable.
– Risk: The Lack of Visibility and Controls on Internal Virtual Networks Created for VM-to-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
For efficiency in communications between virtual machines (VMs), most virtualization platforms include the ability to create software-based virtual networks and switches inside of the physical host to enable VMs to communicate directly.
– Risk: Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
As organizations move beyond the “low-hanging fruit” of workloads to be virtualized, more critical systems and sensitive workloads are being targeted for virtualization.
– Risk: Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
Because of the critical support the hypervisor/VMM layer provides, administrative access to this layer must be tightly controlled, but this is complicated by the fact that most virtualization platforms provide multiple paths of administration for this layer.
– Risk: There Is a Potential Loss of Separation of Duties for Network and Security Controls
When physical servers are collapsed into a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels
This is what I am afraid of eversince – companies introducing solutions for the enterprise to adopt without transferring the technology and knowhow in totality. I remember the same happened with data warehousing, data marts and others. It was the in-thing then and everybody jumped into the data warehousing bandwagon only to realize they dont need it or they implemented the solution without really understanding what it is.
At the end of the day, enterprises will have second thoughts in adopting technologies because of issues like this. To those who already implemented virtualization, try your best to secure your virtualized your servers, so that you can continue to enjoy the advantages brought about by this innovation.