As anyone predicted, the move to virtualization is gradually being adopted by more and more organizations. And why not? It saves space, uses less electricity, and ultimately saves a company more money on their IT infrastructure. What could possibly go wrong?
As it turns out, there are an alarming number of insecure virtual servers out there. A Gartner study from a few years ago suggested the percentage of virtual servers was greater than physical servers (although that percentage has gone down in recent years and I’d say they are about 50/50 now).
Why Are We Ignoring Virtualization Security?
The reason for insecure virtual servers has nothing to do with the inherent concept of virtualization, but rather on how operating teams are naively implementing virtualization.
The aforementioned Gartner survey said that 40 percent of virtualization deployment projects did not involve the information security team involved in the initial architecture and planning stages. This is because operation teams feel like nothing is really changing, the same workload is just moving from a physical server to a virtual one. Or sometimes people think that virtualization is just somehow inherently secure.
Meet the Hypervisor, Your Target for Cyber Attacks
But this assumption ignores the new layer of software in the form of the hypervisor and the virtual machine monitor (VMM) that present new security issues that must be considered. The hypervisor and VMM is introduced to the security picture when workloads are virtualized, and this changes the basic operation of the server – opening up new vulnerabilities.
The hypervisor has privileged access to the system, making it a juicy target for cyber-attacks. If someone can take control of just the hypervisor, they have control of just about everything. This is something that many virtualization deployments are still not paying attention to. Access to the hypervisor must be tightly controlled.
How Can you Make Sure your Virtual Servers are Secure?
To correct this common oversight, an organization’s security team needs to be included in the initial discussion of virtualization of workloads from the very beginning. They need to realize virtualized systems are not inherently secure and they systems require the same type of monitoring as physical systems. Finally, administrative access to the hypervisor must be tightly controlled and monitored.