My article on Virtualization Security just went live on InformationWeek.com, if you want to read the juicy details (incoluding charts and graphs!), go read the article right now! Security Tips for Virtualization
The article is a summary of the 40+ page report I wrote for InformationWeek Analytics, the research division of InformationWeek. While researching for the report I needed to provide an update on virtualizaiton security that InformationWeek did in 2008, so I had the opportunity to meet and interview a couple CISOs in the cloud, SaaS, and traditional IT roles. It was clear that that is a lot of confusion when it comes to virtualizaiton security but all the CISOs said that virtualizaiton has moved from the test/qa areas into full fledged production and no one could stop it. The benefits far outweighed the security concerns.
So what are you going to do when you are told by IT that the beta virtualization environment is going into production in two weeks? Focus on preventing these common problems:
>> Loose controls: Implement strong change management that is auditable and mandates a separation of duties. The logins used to manage the virtual infrastructure must not have access to anything but the virtualization management software. Also, all virtualization infrastructure changes should be logged, and those logs reviewed by someone not on the virtualization team.
Events such as restarting VMs, creating new VMs, and adjusting hardware should always be correlated to reasons they were done.
>> Shoddy virtual network design: Virtual networks are complex, mainly because of the abstraction. Go slow, use Visio, and map it all out so proper segmentation is deployed and security control points (these are where security controls can be installed) are defined before the virtual network is created. Think about firewalls, IPS/IDS, Web application firewalls, and routing.
>> Unsecured physical data stores: Make sure the spot where your VMs and snapshots are stored is not easily accessible. If an attacker or malicious insider can access your virtual disk files, it’s game over. This includes backups. Don’t put backups of virtual disks on a public file server, ever.
>> Thinking VSAs will solve the problem: You don’t need virtual security appliances to manage most virtualization risks. Is there anything wrong with using your physical IDS/IPS or firewall and trunking the VLANs to the virtual switch? We don’t think so. Use what you have. If you want to add VSAs to address performance problems, fully test the appliances at adequate load before you buy.
>> Believing what you hear in the news is real risk: Don’t be reactionary. Thinking the latest virtualization attack you saw at Black Hat will affect you next week will only result in you having to take some real blue pills to reduce stress. Most of these attacks are still in the theoretical stage and simply aren’t practical for attackers because they don’t deliver quick ROI.
I attended the RSA conference this year, as I always do, and spent most of the time talking with attendees and clients about what they were learning and trends they were seeing. Here is a summary of what we discussed.
Although mobile security concerns seems to be a theme, I tried to dig deeper, and it seems that more than a few people are concerned about the upcoming changes to Facebook’s currency model. Facebook plans to force all users to use “Facebook Credits”. The worry is that since Facebook is on virtually every smartphone in the world, the digital wallet may come to the consumer faster than expected via facebook. The Facebook credits system is similar to PayPal or Google Checkout; however, since mobile phones don’t normally contain identity information they haven’t really been targeted. Once faceobok account can store credits, like a bank account, having a mobile virus or Trojan that steals your facebook login/password will be akin to stealing your bank account username and password. I think we have heard this story before…
The cloud is always a hot topic but it seems as if nothing has changed. It is all about cost savings and whatever cost to security. As Dave, CSO from eBay put it. Vivek Kundra, whitehouse CIO, plans to save over 20billion by moving to the cloud and when you are saving 20 billion, who lets security get in the way?
Other people were more realistic and have conceded that the cloud will happen and they need to have data classification and risk management processes in place to ensure the *right* date moves to the cloud. A couple cloud vendors mentioned that they will need to educate their customers on how to do risk management and data management so that their customers can securely move to the cloud. This is a departure from the “We don’t talk or tell you about our security processes” stance the cloud vendors had last year.
Also, Symantec is making a big splash with their .cloud initative which is a marketing rebranding of all their cloud offerings including cloud based endpoint protection, cloud email encryption and filter, and cloud based web filtering. While the moniker may be funny and many have laughed at it, it is simple and effective. AV.cloud sounds much better than “cloud based anti-virus”. Marketing changes aside, not much has changed in terms of the technology behind the solution but Symantec is committed to heavily investing into .cloud and becoming the premier cloud security services provider in the world.
As I met with attendees and vendors, I asked if CIOs were adding cloud security services into their ROI analysis when moving their data to the cloud, almost everyone said no. Is this an indicator that cloud services don’t apply to the enterprise or perhaps the security CIOs want is ”real security controls” on the platforms, operating systems, and databases in the cloud rather than just moving their security tools from on-premise to the cloud? It seems to me the only people looking at cloud security services is the SMB.
Whenever executives discuss IT and cost cutting, invariably two topics come up: Virtualization and the Cloud. Don’t even get started on the topic of the cloud, and the chance for rain. Virtualization is a good topic to discuss since some items may be unfamiliar to you (especially those in the SMB).
By now, most companies have adopted, or at least looked into, overhauling their IT infrastructure with virtualization solutions. Virtualization is said to reduce costs, simplify management and scalability, and limit the toll computing has on the environment. Since 2005, virtualization software has quickly changed the landscape of enterprise computing.
For those unfamiliar with the concept, virtualization involves abstracting computer resources by combining several physical systems into virtual machines on one powerful system. Virtualization consolidates underutilized hardware, such as servers, storage devices, and network resources, virtually partitioning it for multiple machines.
The reason virtualization has become such a favorable trend in IT computing is probably because the advantages are so easy to grasp. First of all, the physicality of managing hundreds of machines is simplified while allowing for a scalable infrastructure. Plugs and cables do not have to be rearranged every time there is a change in hardware. This reduces the workload of the system administrator. Virtualization allows hardware resources to be pooled such as sharing storage or network bandwidth, so hardware does not go underutilized. Less hardware means less energy costs, both to run and to cool. Altogether, these advantages lower the costs for infrastructure, hardware, power, and cooling.
You’ve probably had the green benefits of virtualization stressed to you. According to VMware, for every server virtualized, you can save about 7,000 kilowatt hours, or four tons of CO2 emissions, every year. Virtualization can cut the power demand of ten machines down to one and save almost 80 percent on an electricity bill. VMware even has a green calculator on their website which allows you to see your virtualization benefits in terms of energy savings, cost reduction and environmental impact. A quick calculation shows that virtualizing 200 servers is the equivalent of planting 4,000 trees.
Of course, businesses are more concerned with reducing costs than reducing the size of their carbon footprints. With this in mind, there are a few disadvantages, or at least pitfalls, that may be created with a switch to virtualization.
But there is a down side – it is likely that performance degradation will occur when switching to a virtualization infrastructure if the virtual infrastructure was not properly architected. (which seems to be the case all too many times we get involved). In most organizations there is often a lack of tools and expertise available to monitor and analyze virtual environments to find and correct issues that affect performance. A study by Aberdeen shows that enterprises that had an 85% success rate in identifying performance issues in a physical environment, now only have a 37% success rate in a virtualized one. Also, improved response time for managing business-critical applications fell from 67% in a physical environment to 39% in a virtual one.
Many enterprises find that there is a tradeoff between decreased staffing and power costs and less than optimal performance. Sometimes this means that the advantages manifested by virtualization are less than expected so ensure you have adequately measured the minimum performance requirements for your infrastructure before you go run off and virtualize everything.