Network Computing is part of the Informa Tech Division of Informa PLC

Virtualization Security Oft Misunderstood; Sourcefire Rolls Out Answers: Page 2 of 2

"The race to virtualization ... has outpaced security in terms of it keeping up with virtualized environments," says Al Huger, VP of development for Sourcefire's Cloud Technology Group. "It's so easy to spin up and maintain horizontally deployed virtual machine environments, but you often see them deployed without security. In many cases, the security products you have for your physical systems don't work in virtual systems. You lose a substantial amount of visibility. For instance, your antivirus very well might not work in a virtualized environment, or it might just be too heavy to put in a virtualized environment."

That a machine is virtualized doesn't make it more or less secure, but it does introduce additional processes that the business may need to solidify in order to make sure a breach doesn't happen.

"We did work for a client last year and their entire environment was virtual. They paid us to break into it to see what we could take and we were able to access the file server with all the virtual machines, so we just copied them to a hard drive," says Davis. "So we stole their server and took it out of their environment, went back to our office, started it, and we were able to hack at it until we got into it."

Davis had praise for Sourcefire, but stopped short of declaring the releases an answer to virtualization security issues. "Sourcefire is a pretty good company, and they make good decisions, but I think the key takeaway here is, 'What problems are those new products trying to solve?'" he says. "For example, if you look at the FireAMP product, it's great malware protection; it solves a malware problem. It's not really a virtualization security type of play. I think they're making it easier for their customers to deploy it."

Of course, as with physical assets, security in a virtualized setting should be about more than just stopping attacks. There's also a need to continually drive visibility, access control and management.

"Traditional software that's been deployed on bare-metal systems or on routers is blind to virtual environments ... so it's like you've got a steel door on a grass hut. You've got all this protection everywhere else, but your virtualized environments haven't caught up," Sourcefire's Huger says. "It's so easy to spin up and maintain horizontally deployed VM environments, but you often see them deployed without security."

Davis adds that if a company doesn't have good access control practices in place in the physical world, it's highly unlikely that it will in a virtualized one.

"In most IT shops in the virtualization space, every IT person has the capability to start and stop servers, create new virtual machines, etc.," he says. "The risk in my mind is one of access control rather than what the industry thinks the risks are with virtualization."

Any security control that depends on detecting information from the network is ineffective in the virtual switch unless the control itself resides in, or can see the data traffic in, the virtual network, explained Eric Ahlm, research director at Gartner, in a statement.

"The challenge is that not all network security controls have visibility into the virtual network that resides in the hypervisor," he said. "This can create blind spots in security controls that are monitoring only the physical network. Attacks that happen on the virtual switch will go undetected until they happen on a physical network with security controls."

Lewis added that there is monitoring available at every step of the way. The issue is that virtual environments are often implemented so quickly and expediently that security suffers as a result.

"Security is not always given proper consideration. Security should always be addressed at each layer," he said. "Where there might be shortcomings in network security, there can/may be compensating controls in the virtual environment. Attacks in a virtual environment are to be expected, and people should comport themselves accordingly."