Through 2012, 60 per cent of virtualised servers will be less secure than the physical servers they replace, according to Gartner, Inc. Although Gartner expects this figure to fall to 30 per cent by the end of 2015, analysts warned that many virtualisation deployment projects are being undertaken without involving the information security team in the initial architecture and planning stages.
"Virtualisation is not inherently insecure," said Neil MacDonald, vice president and Gartner fellow. "However, most virtualised workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
Gartner research indicates that at the end of 2009, only 18 per cent of enterprise data centre workloads that could be virtualised had been virtualised; the number is expected to grow to more than 50 per cent by the close of 2012. As more workloads are virtualised, as workloads of different trust levels are combined and as virtualised workloads become more mobile, the security issues associated with virtualisation become more critical to address.
Gartner has identified the six most common virtualisation security risks together with advice on how each issue might be addressed:
Risk: Information Security Isn't Initially Involved in the Virtualisation Projects
Survey data from Gartner conferences in late 2009 indicates that about 40 per cent of virtualisation deployment projects were undertaken without involving the information security team in the initial architecture and planning stages. Typically, the operations teams will argue that nothing has really changed - they already have skills and processes to secure workloads, operating systems (OSs) and the hardware underneath. While true, this argument ignores the new layer of software in the form of a hypervisor and virtual machine monitor (VMM) that is introduced when workloads are virtualised.
Gartner said that security professionals need to realise that risk that isn't acknowledged and communicated cannot be managed. They should start by looking at extending their security processes, rather than buying more security, to address security in virtualised data centres.
Risk: A Compromise of the Virtualisation Layer Could Result in the Compromise of All Hosted Workloads
The virtualisation layer represents another important IT platform in the infrastructure, and like any software written by human beings, this layer will inevitably contain embedded and yettobediscovered vulnerabilities that may be exploitable. Given the privileged level that the hypervisor/VMM holds in the stack, hackers have already begun targeting this layer to potentially compromise all the workloads hosted above it. From an IT security and management perspective, this layer must be patched, and configuration guidelines must be established.
Gartner recommends that organisations treat this layer as the most critical x86 platform in the enterprise data centre and keep it as thin as possible, while hardening the configuration to unauthorised changes. Virtualisation vendors should be required to support measurement of the hypervisor/VMM layer on bootup to ensure it has not been compromised. Above all, organisations should not rely on hostbased security controls to detect a compromise or protect anything running below it.
Risk: The Lack of Visibility and Controls on Internal Virtual Networks Created for VMto-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
For efficiency in communications between virtual machines (VMs), most virtualisation platforms include the ability to create softwarebased virtual networks and switches inside of the physical host to enable VMs to communicate directly. This traffic will not be visible to networkbased security protection devices, such as networkbased intrusion prevention systems.
Gartner recommends that at a minimum, organisations require the same type of monitoring they place on physical networks, so that they don't lose visibility and control when workloads and networks are virtualised. To reduce the chance of misconfiguration and mismanagement, they should favour security vendors that span physical and virtual environments with a consistent policy management and enforcement framework.
Risk: Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
As organisations move beyond the "lowhanging fruit" of workloads to be virtualised, more critical systems and sensitive workloads are being targeted for virtualisation. This is not necessarily an issue, but it can become an issue when these workloads are combined with other workloads from different trust zones on the same physical server without adequate separation.
At a minimum, organisations should require the same type of separation required in physical networks today for workloads of different trust levels within the enterprise data centre. They should treat hosted virtual desktop workloads as untrusted, and strongly isolate them from the rest of the physical data centre. Organisations are advised to evaluate the need for point solutions that are able to associate security policy to virtual machines' identities and that prevent the mixing of workloads from different trust levels on the same server.
Risk: Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
Because of the critical support the hypervisor/VMM layer provides, administrative access to this layer must be tightly controlled, but this is complicated by the fact that most virtualisation platforms provide multiple paths of administration for this layer.
Gartner recommends restricting access to the virtualisation layer as with any sensitive OS and favouring virtualisation platforms that support rolebased access control of administrative responsibilities to further refine who can do what within the virtual environment. Where regulatory and/or compliance requirements dictate, organisations should evaluate the need for thirdparty tools to provide tight administrative control.
Risk: There Is a Potential Loss of Separation of Duties for Network and Security Controls
When physical servers are collapsed into a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels. Another area of concern is which group configures and supports the internal virtual switch.
Gartner recommends that the same team responsible for the configuration of network topology (including virtual LANs) in the physical environment should be responsible for this in virtual environments. They should favour virtualisation platform architectures that support replaceable switch code, so that the same console and policies span physical and virtual configurations.
Additional information is available in the report "Addressing the Most Common Security Risks in Data Center Virtualization Projects" which is available on the Gartner web site at http://www.gartner.com/....
About Gartner's Security Summits 2010
Gartner's Security Summits are the premier conferences and meeting places for IT and business executives responsible for creating, implementing and managing a proactive and comprehensive IT strategy for information security, risk management, compliance and business continuity management. Analysts will provide insight and a vision of how things will evolve over the long term and provide road maps on how enterprises and solution providers will proceed at the Gartner Security & Risk Management Summit 2010, 21-23 June in Washington D.C. and at the Gartner Information Security Summit 2010, 22-23September in London.
"Virtualisation is not inherently insecure," said Neil MacDonald, vice president and Gartner fellow. "However, most virtualised workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants."
Gartner research indicates that at the end of 2009, only 18 per cent of enterprise data centre workloads that could be virtualised had been virtualised; the number is expected to grow to more than 50 per cent by the close of 2012. As more workloads are virtualised, as workloads of different trust levels are combined and as virtualised workloads become more mobile, the security issues associated with virtualisation become more critical to address.
Gartner has identified the six most common virtualisation security risks together with advice on how each issue might be addressed:
Risk: Information Security Isn't Initially Involved in the Virtualisation Projects
Survey data from Gartner conferences in late 2009 indicates that about 40 per cent of virtualisation deployment projects were undertaken without involving the information security team in the initial architecture and planning stages. Typically, the operations teams will argue that nothing has really changed - they already have skills and processes to secure workloads, operating systems (OSs) and the hardware underneath. While true, this argument ignores the new layer of software in the form of a hypervisor and virtual machine monitor (VMM) that is introduced when workloads are virtualised.
Gartner said that security professionals need to realise that risk that isn't acknowledged and communicated cannot be managed. They should start by looking at extending their security processes, rather than buying more security, to address security in virtualised data centres.
Risk: A Compromise of the Virtualisation Layer Could Result in the Compromise of All Hosted Workloads
The virtualisation layer represents another important IT platform in the infrastructure, and like any software written by human beings, this layer will inevitably contain embedded and yettobediscovered vulnerabilities that may be exploitable. Given the privileged level that the hypervisor/VMM holds in the stack, hackers have already begun targeting this layer to potentially compromise all the workloads hosted above it. From an IT security and management perspective, this layer must be patched, and configuration guidelines must be established.
Gartner recommends that organisations treat this layer as the most critical x86 platform in the enterprise data centre and keep it as thin as possible, while hardening the configuration to unauthorised changes. Virtualisation vendors should be required to support measurement of the hypervisor/VMM layer on bootup to ensure it has not been compromised. Above all, organisations should not rely on hostbased security controls to detect a compromise or protect anything running below it.
Risk: The Lack of Visibility and Controls on Internal Virtual Networks Created for VMto-VM Communications Blinds Existing Security Policy Enforcement Mechanisms
For efficiency in communications between virtual machines (VMs), most virtualisation platforms include the ability to create softwarebased virtual networks and switches inside of the physical host to enable VMs to communicate directly. This traffic will not be visible to networkbased security protection devices, such as networkbased intrusion prevention systems.
Gartner recommends that at a minimum, organisations require the same type of monitoring they place on physical networks, so that they don't lose visibility and control when workloads and networks are virtualised. To reduce the chance of misconfiguration and mismanagement, they should favour security vendors that span physical and virtual environments with a consistent policy management and enforcement framework.
Risk: Workloads of Different Trust Levels Are Consolidated Onto a Single Physical Server Without Sufficient Separation
As organisations move beyond the "lowhanging fruit" of workloads to be virtualised, more critical systems and sensitive workloads are being targeted for virtualisation. This is not necessarily an issue, but it can become an issue when these workloads are combined with other workloads from different trust zones on the same physical server without adequate separation.
At a minimum, organisations should require the same type of separation required in physical networks today for workloads of different trust levels within the enterprise data centre. They should treat hosted virtual desktop workloads as untrusted, and strongly isolate them from the rest of the physical data centre. Organisations are advised to evaluate the need for point solutions that are able to associate security policy to virtual machines' identities and that prevent the mixing of workloads from different trust levels on the same server.
Risk: Adequate Controls on Administrative Access to the Hypervisor/VMM Layer and to Administrative Tools Are Lacking
Because of the critical support the hypervisor/VMM layer provides, administrative access to this layer must be tightly controlled, but this is complicated by the fact that most virtualisation platforms provide multiple paths of administration for this layer.
Gartner recommends restricting access to the virtualisation layer as with any sensitive OS and favouring virtualisation platforms that support rolebased access control of administrative responsibilities to further refine who can do what within the virtual environment. Where regulatory and/or compliance requirements dictate, organisations should evaluate the need for thirdparty tools to provide tight administrative control.
Risk: There Is a Potential Loss of Separation of Duties for Network and Security Controls
When physical servers are collapsed into a single machine, it increases the risk that both system administrators and users will inadvertently gain access to data that exceeds their normal privilege levels. Another area of concern is which group configures and supports the internal virtual switch.
Gartner recommends that the same team responsible for the configuration of network topology (including virtual LANs) in the physical environment should be responsible for this in virtual environments. They should favour virtualisation platform architectures that support replaceable switch code, so that the same console and policies span physical and virtual configurations.
Additional information is available in the report "Addressing the Most Common Security Risks in Data Center Virtualization Projects" which is available on the Gartner web site at http://www.gartner.com/....
About Gartner's Security Summits 2010
Gartner's Security Summits are the premier conferences and meeting places for IT and business executives responsible for creating, implementing and managing a proactive and comprehensive IT strategy for information security, risk management, compliance and business continuity management. Analysts will provide insight and a vision of how things will evolve over the long term and provide road maps on how enterprises and solution providers will proceed at the Gartner Security & Risk Management Summit 2010, 21-23 June in Washington D.C. and at the Gartner Information Security Summit 2010, 22-23September in London.
