  • 05/07/2015
    8:00 AM

Top 11 Virtualization Risks Identified

The Cloud Security Alliance releases a guide to the most common risks of server virtualization and provides best practices on how to address them.

Some enterprises overlook the need to protect their virtualized environments, thinking they're inherently more secure than traditional IT environments. Others use the same tools they use to protect their existing physical infrastructure to secure their virtual infrastructure. Both are treading on thin ice, according to the Cloud Security Alliance.

"The bottom line, though, is that the new environment is more complex and requires a new approach to security," the CSA said in its new report, "Best Practices for Mitigating Risks in Virtualized Environments."

In the report, the industry group lists 11 virtualization risks and provides advice on how to address them. The report notes that the guidelines address server virtualization security, not network, desktop, or storage virtualization. The CSA plans to address other virtualization technologies in future reports, including one on NFV and another on storage virtualization, Kapil Raina, co-chair of the CSA Virtualization Working Group and head of product marketing at cloud security company Elastica, said in an interview.

The 11 risks cited in the paper are the most common relative to compute virtualization, regardless of vendor or architecture, he said. They fall into three general buckets: architectural, hypervisor software, and configuration:

  1. VM sprawl
  2. Sensitive data within a VM
  3. Security of offline & dormant VMs
  4. Security of pre-configured (golden image) VM/active VMs
  5. Lack of visibility and control over virtual networks
  6. Resource exhaustion
  7. Hypervisor security
  8. Unauthorized access to hypervisor
  9. Account or service hijacking through the self-service portal
  10. Workloads of different trust levels located on the same server
  11. Risk due to cloud service provider APIs

While the list isn't ranked in terms of risk severity, Raina said VM sprawl is particularly prevalent. It's so easy to create virtual machines and push them out, but various configurations and frequency of updates make VM management complex, he said.

"With VM sprawl, you duplicate machines, then forget about them or they're isolated on the network. Once you bring them up, they may be several weeks or six months behind in terms of patching and security. That creates a vulnerability," he said.

"We find that to be a process deficiency in many organizations. For us in the practitioner world, the weakest link is how hackers get in, and unfortunately this is one area that thieves take advantage of," Raina added.

To mitigate the risk of VM sprawl, the CSA recommends organizations consider a range of tactics, including implementing policies and processes to control VM lifecycle management, controlling the creation and use of VM images with a formal change management process, and setting aside a small number of solid, updated images of a guest operating system to use for fast recovery.

The CSA report notes that some organizations are complacent about virtualization security because there haven't been any known successful attacks on hypervisors except for theoretical ones that require access to the hypervisor source code. Still, maintaining hypervisor security is paramount.

"If you can manipulate the hypervisor, then you don't have to attack each VM and go through the infrastructure and security of each VM," Raina said. 

"Although it's consolidating [systems] and making life easier for many people and the economics are there, virtualization also allows hackers to use fewer points of entry," he added.


Comments

VM sprawl

I've heard about the security risks of VM sprawl for a few years now. Have community members found any methods they find most effective to deal with it?

Re: VM sprawl

One way to manage VM sprawl is to use appropriate life cycle management tools or automation tools to find inactive VMs, and those are often available from virtualization vendors or 3rd parties. But the real thing to look at is to set up an appropriate governance policy. If you give people the ability to self-provision VMs with no penalties, then you will get lots of VMs that are stashed away. But if you do appropriate charge-back, or set up expiration policies, it will help create discipline.

Re: VM sprawl

I see Dan, thanks. Yes, a governance policy seems like the best way to tackle this. From what you've seen, who in an organization is usually in charge of implementing it? I can see the potential for pushback.

Re: VM sprawl

Governance can come from a team that has representatives from virtualization infrastructure, networking, storage, OS, security and even application owners. The group establishes these guidelines to control sprawl. The goal is to shorten the gap that separates these areas, and make people understand the effects of decisions in one area influencing another.

Some people call these groups a "Center of Excellence" but I never liked that term, but it may be easy to sell that concept in an IT org if they're accustomed to that name.

Re: VM sprawl

Having reps from multiple teams involved in governance seems like the best way to get buy-in. And I'm sure calling it a "Center of Excellence" wouldn't hurt!

Re: VM sprawl

"Governance can come from a team that has representatives from virtualization infrastructure, networking, storage, OS, security and even application owners. The group establishes these guidelines to control sprawl. The goal is to shorten the gap that separates these areas, and make people understand the effects of decisions in one area influencing another."

Dan, a group of people from the development & application teams along with system admins can do wonders. This will help to identify the security holes and tap them at the root level.

Hypervisors, so far, so good on security

"If you can manipulate the hypervisor..." yes, and fortunately, that's hard to do. The hypervisor relies on a limited number of commands, in response to system calls, and it's possible to monitor those commands to make sure none have been tampered with. In many settings, I think the hypervisor is being watched by a firewall or other watchdog for any aberrant performance, which would be quickly noticed. Let's hope the security of the hypervisor remains a tough nut to crack.

Re: Hypervisors, so far, so good on security

I agree. For all practical purposes, taking over hypervisors (in particular from within the guest OS - called VM escape) or jumping from one VM to another is not seen. If you are in a hosted hypervisor (like running a hypervisor on top of a standard operating system), then you are only as secure as the host OS, so attacks from a compromised host OS are possible. But most production systems rely on bare-metal hypervisors, and access to the hypervisor or management consoles is usually strict.

There are academic papers written or some edge conditions where "jumping" may occur, but those are not seen in the real world in production environments which use bare-metal hypervisors.

Security Issues

"The 11 risks cited in the paper are the most common relative to compute virtualization, regardless of vendor or architecture, he said. They fall into three general buckets: architectural, hypervisor software, and configuration:"

Marcia, thanks for listing the major security risks on a priority basis. As a system admin this will help me to look into such security issues on a day-to-day basis.

Re: Security Issues

Glad the list is helpful Mynet. Just to clarify, though, the list doesn't rank the vulnerabilities. Raina told me that the priority of a risk can vary, depending on what platforms an organization uses.

Re: Security Issues

50% of the list resembles security risks/concerns. One of the potential threats is a rogue VM: what if someone pings up an offline VM to confirm what it is, and later finds that it was a DHCP server which took down the production network?

Re: Security Issues

"Glad the list is helpful Mynet. Just to clarify, though, the list doesn't rank the vulnerabilities. Raina told me that the priority of a risk can vary, depending on what platforms an organization uses."

Marcia, risk and priority can change based on the nature of the business. I mean they can vary from platform to platform and domain to domain. For example, risk and priority for banks & e-commerce sites are different from those for a service-level company.

Re: Security Issues

Gotcha Mynet. Good point about the influence of the type of business on risk severity.

Re: Security Issues

"Gotcha Mynet. Good point about the influence of the type of business on risk severity."

Marcia, Gotcha?

Re: Security Issues

Sorry for the slang; here's what I meant: I understand your point.

Re: Security Issues

"Sorry for the slang; here's what I meant: I understand your point."

Marcia, thanks for the clarification.

Hypervisor Risk / Venom

Looks like the hypervisor risk in the cited article was timely.

Check out the latest news on the Venom issue (hypervisor weakness that can lead to the compromise of all VMs).

Re: Hypervisor Risk / Venom

Security_guy, that's an excellent point! In case others aren't aware of the Venom vulnerability, here's an article on our sister site that explains it:

Venom Zero-Day May Affect Thousands of Cloud, Virtualization Products

Re: Hypervisor Risk / Venom

Thanks for the link Sue, I missed this yesterday. This vulnerability sounds bad. However, apparently it doesn't impact some platforms, such as AWS and VMware, according to this report