Pay heed to security when going virtual

Organisations that rush into server virtualisation are storing up trouble for themselves, security experts have warned. They say that many implementations have been done with little or no consideration for the added virtualisation security risks.

"Most people don't realise the security issues, and those that do understand are quite happy to accept the platitudes from the suppliers that virtualisation is secure," said Ian Kilpatrick, chairman of Wick Hill Group Ltd., a distributor focusing on the security market.

Kilpatrick said that running multiple virtual machines (VMs) within a single server is inherently harder to control and requires higher levels of security. But in his experience, companies are relying on the same weak controls they used before the introduction of virtualisation.

"Communicating from one physical server to another can be easily controlled, but in a virtual environment, it is more complex. If I get in as a guest on a virtual machine, then it is much easier to get to others. If I can breach one VM, then I can breach many," he said.

Stronger authentication of users will limit that risk, but as Kilpatrick said, "90% of the world is not using any form of two-factor authentication. Anyone working in a virtual environment without two-factor authentication is a lunatic. If I can get on to the hypervisor and get administrator rights to the whole thing, I have the keys to the farm."

He added that security fears have been ignored because virtualisation is so attractive in most other respects. In a time of economic belt-tightening, the technology allows companies to make better use of resources, reduce the number of actual servers they run, cut infrastructure costs and also reduce their energy bills.

"Virtualisation ticks all the boxes, and it's got a lot of big players involved in it," he said. "It's something that even the CFO can understand. It can get buy-in right up the organisation because it is a fairly straightforward message."

This is not just ignoring the elephant in the room. Most companies don't even know the elephant is there. Ian Kilpatrick chairman, Wick Hill Group.

Dominic Storey, technical director at Sourcefire Inc., a network security company, said that the very ease of use of virtualisation makes it dangerous. "The simplicity is part of the problem from a security point of view. Anyone can bring a new machine on the network. You can fire up VMware and then copy a Windows VM or download system images and then bootstrap them and get them going."

The process bypasses a lot of the controls that companies have in place for deploying new application servers. "Typically, this means the security team has been taken out of the loop completely," Storey said. "The well honed practices that companies have put into place -- such as configuration management, patch management, hardening of systems -- have gone out of the window."

Loading multiple VMs on to the same server is also fraught with danger, according to Ash Patel, country manager for network security company Stonesoft Corp. "When those machines were running as independent servers, you probably had some kind of IDS or IPS system operating across a switched environment, or maybe some internal firewalls to control traffic from one network segment to another, plus gateway technology as well," he said.

"The security you would apply in a regular LAN should still apply in the virtualised environment. If you have internal firewalling between applications, and between network segments, and you start virtualising applications and network segments -- even collapsing data centres as some of the hosting companies are doing -- you need to take all of the security with you into the new VM environment."

But Patel mentioned that server teams are consolidating servers without putting the necessary controls in place. "It's like shoving everything into the fridge. You have no idea what's going on in there. You close the door, and you have no idea if the butter's talking to the milk," he said.

The threat is further increased, he added, when Web servers, middleware servers and database servers are consolidated in with other VMs, as they raise the risk of infection from outside of the organisation. Furthermore, as organisations move to a virtual desktop architecture, there is the added danger of virus infections spreading between desktops and to servers.

"The security guys don't get a look-in," Patel said. "It's a terrible mistake. With any virtualised environment, the security team needs to be involved."

Awareness of the need for security is growing, albeit slowly. John Reeman, technical director of Nebulas Solutions Group, a London-based consultancy, said that VMware Inc., one of the leading suppliers of virtualisation technology, has tried to promote security over the last two or three years.

The VMsafe programme, an application program interface (API)-sharing initiative that enables select partners to develop security products for VMware environments, launched last year but it has not gathered much momentum, said Reeman. "Out of 25 partners who've signed up only about four are active."

He also pointed out that some good security guidelines exist to help companies build secure virtual environments -- such as the DISA VMware ESX STIG (Security Technical Implementation Guide) published by the U.S. Defense Information Systems Agency -- but as he added, "people don't necessarily read or understand them."

Wick Hill's Kilpatrick predicts that it will take a major disaster before the full dangers of virtualisation are properly appreciated. "In an ideal world, if you plan to do something that will change your risk profile, you do a risk analysis first. But what actually happens is that people jump in and think about the risks later," he said. "There are compelling reasons why people want to go for virtualisation, and unless someone flags up the dangers to the board, the board is not going to decline the money."

And although several security vendors are now offering technology that will operate in a VM world, Kilpatrick says demand for it is still weak. "We still get comparatively few people coming to us for virtual machine firewalling, and that is just craziness," he said. "This is not just ignoring the elephant in the room. Most companies don't even know the elephant is there. It's dreadfully scary how many people have moved into a virtual world and have not changed their security profiles to match it."