Planning virtualization and mobile technology security strategies often challenges even experienced IT pros. Both virtualization and mobile technologies have rapidly become mainstream, resulting in more daunting and pervasive security challenges. Mobility has also opened up new frontiers for virtualization security.
Organizations have found that simple changes to administrative practices can help plug security gaps. But the complex framework underlying a virtual infrastructure often necessitates new, purpose-built applications to bring dramatic improvements in security.
Virtualization environments can be secured in multiple ways, according to Dave Shackleford, founder and principal consultant of Voodoo Security. Admins may choose to implement basic patching and configuration management practices or more complex virtual firewall and intrusion detection appliances.
Finding your approach to virtualization security
Shackleford, who is a leader in the Atlanta chapter of the Cloud Security Alliance, noted that there are multiple points at which security can be considered in a virtualized environment -- virtual machines, virtual networks, hypervisors and the management system -- and that there are different strategies to consider for each.
"Virtual machines (VMs) are a set of files that represent a physical machine," said Shackleford, and a lot of organizations are starting to realize that VMs represent a considerable security risk because, instead of having servers in racks in a data center, you have full systems being run from across a storage area network (SAN).
“[Businesses] are noticing they haven't done a lot to secure those SANs,” he said. For example, VMs sometimes have a separate file for active memory in the case of VM snapshots or backups. When credit cards are being processed, for example, this sensitive data may reside in the memory file, potentially allowing an attacker to "pull numbers right out if they gain access to the file," Shackleford said.
In response, some organizations are starting to implement encryption -- both VM-specific as well as for the SAN or storage resources.
Numerous scripted and commercial techniques exist for auditing and applying common configuration controls, like those described in the VMware or Center for Internet Security hardening guides. There are also commercial tools for applying centralized configuration policies and managing user and group administration roles, said Shackleford. Most major security and network vendors have created or adapted virtual network security products that can analyze traffic to and from the virtual environment, as well as traffic between VMs and applications within the virtual infrastructure, he said.
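The scripted auditing Shackleford describes comes down to comparing a VM's configuration against a baseline and listing the deviations. The following is an added example, not code from the article or from VMware: a small Python auditor that parses a `.vmx`-style key/value file and checks it against a constructed baseline. The key names follow the `.vmx` naming convention used in the VMware hardening guide, but the expected values, the severities and the sample configuration are assumptions made for this example and are not copied from any guide.

```python
"""Audit a VM configuration file against a hardening baseline.

Added example (not from the article). The baseline below is constructed for
illustration: key names follow the VMware .vmx convention, while the expected
values and severities are assumptions, not an authoritative hardening list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: setting -> (expected value, severity of a deviation).
BASELINE: Dict[str, Tuple[str, str]] = {
    "isolation.tools.copy.disable": ("TRUE", "medium"),   # block clipboard copy guest->host
    "isolation.tools.paste.disable": ("TRUE", "medium"),  # block clipboard paste host->guest
    "isolation.tools.dnd.disable": ("TRUE", "medium"),    # block drag-and-drop file transfer
    "RemoteDisplay.maxConnections": ("1", "low"),         # one console session at a time
    "log.rotateSize": ("1000000", "low"),                 # cap log size to avoid disk exhaustion
}


@dataclass
class Finding:
    key: str
    expected: str
    actual: Optional[str]  # None when the setting is absent from the config
    severity: str


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse lines of the form key = "value" into a dict.

    Blank lines and '#' comments are skipped; quotes around values are removed.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def audit(cfg: Dict[str, str], baseline: Dict[str, Tuple[str, str]] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline setting that is missing or has the wrong value.

    Comparison is case-insensitive so TRUE/true are treated alike.
    """
    findings: List[Finding] = []
    for key, (expected, severity) in baseline.items():
        actual = cfg.get(key)
        if actual is None or actual.upper() != expected.upper():
            findings.append(Finding(key, expected, actual, severity))
    return findings


def remediation_lines(findings: List[Finding]) -> List[str]:
    """Config lines that would bring each finding into compliance."""
    return [f'{f.key} = "{f.expected}"' for f in findings]


# Constructed sample configuration: one control compliant, one missing,
# one explicitly disabled, one too permissive, one compliant.
SAMPLE_VMX = """
# constructed sample .vmx fragment
displayName = "billing-app-01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.dnd.disable = "FALSE"
RemoteDisplay.maxConnections = "5"
log.rotateSize = "1000000"
"""


def report(text: str) -> List[str]:
    """Human-readable audit lines for a config file's contents."""
    lines = []
    for f in audit(parse_vmx(text)):
        shown = "<missing>" if f.actual is None else f.actual
        lines.append(f"[{f.severity}] {f.key}: expected {f.expected}, found {shown}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_VMX):
        print(line)
    print("remediation:")
    for line in remediation_lines(audit(parse_vmx(SAMPLE_VMX))):
        print("  " + line)
```

Run against a real `.vmx` file the same loop applies unchanged; the part to replace is `BASELINE`, which should be populated from the hardening guide your organization actually follows rather than the constructed values above.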
Coordinating IT teams for better security
There's plenty happening in terms of management, too, Shackleford said. In fact, he noted, security and operational teams may have benefited from virtualization, because it has created a central area where they can use virtual templates and attach toolkits from VMware or other platforms to facilitate patching.
"That's a big improvement, because that has always been a huge challenge in large, distributed environments," Shackleford said. He points to VMware's recent acquisition of Shavlik Technologies, which had a sophisticated patch management capability, as the beginning of a trend. That will allow updates to all virtual components and VMs from one console.
On the other hand, Shackleford noted, anti-malware and antivirus have been a challenge to administer and operate in virtualized environments. In particular, there has been a challenge with VMs, because they share resources. "If [the VMs] are all running on one hypervisor and sharing one hypervisor cluster, one set of CPUs and one set of memory resources, traditional agent-based malware solutions haven't worked well -- they are simply too resource-intensive," he said.
There is some progress on this front, though. McAfee Inc. and Trend Micro now have methods for centralizing antimalware processes for multiple VMs, too, Shackleford said. These newer approaches are not mature, he said, but "the capability is definitely moving up the curve."
Finally, for companies using virtualization management components, those remain "probably the least secure -- it is an Achilles heel," Shackleford said. Virtualization teams need to focus on securing those systems because if someone gets hold of them, it is game over. Inadequate authentication controls, lack of patching and poor configuration practices will make these components vulnerable to attack. Properly locking them down by ensuring strong authentication controls -- often with passwords -- will go a long way toward improving security.
Locking down the hypervisor
Hypervisors, too, are starting to be better understood in terms of security challenges. "If you look at the VMware hardening guide, there are many controls available for locking down the hypervisor and there are more ways to do it -- through scripting solutions and configuration platforms," Shackleford said.
VMware also offers a "host profile," which is a template for hypervisors. Admins can then use that gold build as a standard for other builds, which can simplify management.
Microsoft's Hyper-V has only had one or two minor vulnerabilities, according to Shackleford. "You can use their System Center Virtual Machine Manager platform to efficiently handle all of that, and they are building in a lot of automation capability," he said.
What has been lacking for both Microsoft and Citrix has been accessible information on how to lock down the hypervisor, Shackleford said. Currently few hardening guides are available for these systems.
Adapting security to virtual networking changes
The virtual network arena is changing because there is now a software-defined networking (SDN) space emerging, which means there can be full software-based network control systems across private clouds. That "gets rid of the hardware constraints and the feeds-and-speeds approach to management," Shackleford said.
Today's firewalls and security platforms are specifically focused on the requirements of providing security in a virtualized environment. VMware's vShield App, for example, integrates into the VMware kernel and provides extensive application filtering. Meanwhile, VMware has vShield Edge for firewalling and a distributed virtual switch for port mirroring and traffic monitoring, and Cisco's enterprise-class Nexus 1000v is able to integrate with VMware and is now in beta for Hyper-V, said Shackleford.
"[Virtual switches] are starting to mimic capabilities found in traditional enterprise switches," Shackleford said.
Mobility and virtualization security hurdles
In addition to the traditional focus inside the data center, experts say there is also a virtualization security challenge related to mobile devices.
For instance, virtualization, at both the desktop and application level, can allow IT leaders to mitigate data security risks by preventing end users from downloading applications to mobile devices, said Brian Rapp, senior director of sourcing solutions at Xchanging.
Virtualization allows IT security to push content and data to the end user's mobile devices, which avoids the potential security risk of users downloading applications. "This way, IT leaders control content on the network layer where IT has more centralized command, control and flexibility," said Rapp.
Kevin Lawrence, senior security associate at Stach & Liu, which provides enterprise security consulting, auditing and testing services, said virtualization can provide new help for the challenges of mobile device security.
The traditional approach is "treating every endpoint like a traditional IT asset," requiring the same types of controls on a phone, tablet or laptop that the traditional workstation may require. However, Lawrence said, a more effective solution is virtualizing all data access. "If your BYOD endpoint is accessing a server or virtual workspace to manipulate or store data, it never is actually stored on the device," he said. Various companies are adopting both solutions, depending on their resources.
Finally, dual-persona methods are starting to appear, said David Schwartzberg, senior security engineer at Sophos, a security software company. With that approach, an administrator is able to set secure policies for the work side of a device. There are different approaches to dual persona, such as segregating applications or system resources or using a container to separate user data from corporate data, he noted.
"VMware Horizon Mobile is an example of using a hypervisor to virtualize the persona of a mobile device," Schwartzberg said. That's another way in which virtualization can serve security -- and efficiency.
Security is an ever-changing challenge in today's virtualized world. And along with technology changes, don't forget the human side of the equation, Shackleford said. "It helps to get the IT team, the virtualization team and the storage team on the same page regarding security."