While there are similarities between bulletproofing the security of physical and virtual machines (VMs), there are some fundamental differences -- such as updating processes -- that can catch IT managers off guard. These best practices for managing security for virtualization can help you shield your VMs from evildoers and users' security blunders.
In my previous tip,
Before we dive further into technical details of securing VMs, it's important to consider the potential security vulnerabilities that are relevant to a particular host and guest OS. Particular questions to ask include:
- Does the guest of host contain sensitive information, such as logon details or sensitive data? If so, how is this information protected?
- Does the VM have access to the Internet?
- Can the VM access other production computers?
- Is the guest OS running a supported operating system version?
- Are host and guest OSes updated automatically?
Answering each question can help clue you in to issues that may need to be addressed. For example, non-networked VMs that reside on a test network will likely have different security requirements from those that are running in a production environment. Let's look at some details.
Implement minimal permissions
A fundamental aspect of maintaining security is to provide users and systems administrators with the minimal permissions they need to complete their jobs. Figure 1 provides an overview of the types of permissions that should be configured.
Figure 1: Types of permissions to consider when securing virtualization
On virtualization hosts, for example, only certain staff members should be able to start, stop and reconfigure VMs. In addition, it's important to configure virtual applications and services using limited system accounts. Finally, you should take into account the real requirements for VM configurations. For example, does every VM really need to be able to access the Internet? If so, what is the reason for this? Remember, in the case of a security breach, you want to minimize the number and types of systems that may be affected.
Virtual machines are still "machines"
Whether an operating system (OS) is running on a physical machine or within a virtual one, it still should be regularly updated. Most IT organizations have already invested in some type of automated patch and update deployment process. With virtualization, there are a couple of additional challenges:
- First, IT departments must be aware of all VMs that are deployed in the environment.
- Secondly, each guest OS must be either protected by the update management solution, or must be kept up-to-date manually. Regardless of the approach, systems administrators should keep in mind the time and effort required.
Enforce consistency and quality
Simpler environments are much easier to manage than ones in which there is a huge variation in the number and types of systems that are supported. Whenever possible, IT departments should create a base library of reference virtual machines from which users and systems administrators should start. These base images should be verified to meet the IT department's policies and must be kept up-to-date.
Of course, it's likely that some workloads require deviations from standard deployments. In those cases, IT departments must remain involved in the deployment of all new virtual machines (or, at least those that will have access to production resources).
Managing moving targets
The process of moving virtual machines between host servers is usually as simple as performing file copy operations. When a VM is moved, it is important for all relevant security settings and options to move with it. For example, permissions set on virtual hard disk files, and network access details, should be recreated on the target platform. Figure 2 provides some examples of relevant configuration settings to consider.
Figure 2: Security-related settings to consider when moving VMs
Security through education
Even though the basic concept of virtualization technology is well-planted in most peoples' minds, users and systems administrators are often confused about the potential use (and misuse) of virtual machines. IT departments, therefore, should verify that their staff is aware of the potential security risks related to deploying new VMs. For most practical purposes, deploying a new VM is similar to deploying a new physical server (though it's often quicker, cheaper and easier).
Using third-party solutions
It's no secret that virtualization technology creates additional burdens related to security. Numerous third-party vendors understand this and have either updated their existing enterprise management tools to include virtualization, or have created totally new solutions with innovative approaches to limited vulnerabilities. The focus of this article is on best practices, but when it comes to implementation, IT departments should consider evaluating these various tools.
Overall, organizations can realize the benefits of using virtualization to improve security.
However, they will need to be diligent in the creation and deployment of new VMs, as well as with
the maintenance of VMs after they're deployed. As with many other IT solutions, you'll need to
focus on management in order to get the best benefits while minimized vulnerabilities. It's not an
easy job, but it certainly can be done.
This was first published in June 2007