Michael Thompson is the Director of Systems Management Product Marketing at SolarWinds.
Virtualization has been around a long time, and its benefits—from flexibility and scalability to quality assurance and cost savings—are well documented. Nonetheless, it’s still often considered a “new” or “emerging” technology, because it has only become truly widespread over the past five or so years.
With any burgeoning technology, whether virtualization, mobility or cloud, security can be a major stumbling block to greater adoption. And as is usually the case, the security concerns surrounding virtualization are not unfounded. For example, dynamic workloads can open security holes that, because of how resources are shared, potentially put entire systems in jeopardy.
Case in point: In November of last year, an attacker sent customers of browser-based testing vendor BrowserStack an email about the company’s VM security, or lack thereof. The email, meant to appear as though it was sent from the company, stated, “We have no firewalls in place, and our password policies are atrocious … it is almost certain all of your data has been compromised.” While BrowserStack denies any truth to the claims made in the email, the incident has naturally spurred many to question whether adequate steps to ensure a secure virtual environment were being taken by the company.
This particular incident, coupled with pre-existing fears, has served to heighten concern over the security implications of virtualization and virtual environments.
Risks Associated with Virtualization
So, what are the primary security risks associated with virtualization?
First, virtualization adds additional layers of infrastructure complexity. This means monitoring for unusual events and anomalies also becomes more complex, which in turn makes it more difficult than it already is to identify security issues, such as advanced persistent threats.
Next, virtualized environments are dynamic by design, rapidly changing on a regular basis. Unlike physical environments, virtual machines can be spun up in a matter of minutes. As a result, it can be easy to lose track of what’s online, what’s offline and what potential security holes are exposed. This is related to a phenomenon known as virtual sprawl, which occurs when the number of virtual machines in an environment reaches a point where they can no longer be effectively managed, for example by having all security patches properly applied. In such cases, the security of all virtual machines can no longer be guaranteed. Attackers have used offline virtual machines as a gateway to gain access to a company’s systems, as claimed in the BrowserStack breach.
Finally, in addition to the dynamic nature of virtual machines themselves, workloads can be moved quickly. This also poses a security risk. For example, a certain workload may need a high level of security, and the initial virtual machine the workload is assigned to may provide that security. But when faced with the need to make room for more mission-critical workloads, without proper checks and balances in place, it could easily be moved to a new virtual machine with lower-level security, thereby opening a potential hole.
Mitigating the Risks
The BrowserStack incident is just one of the many reasons why, despite the benefits of virtualization, there are lingering concerns about the security risks associated with virtualization. However, that’s not to say the risks are unmanageable.
The following are tactics that, if followed, can help mitigate potential threats to virtual environments without the need for burdensome, expensive processes and solutions that simply aren’t an option for many organizations.
- Separation: Establish how and where to separate development, test and production virtual machines.
- Process enforcement: Enable IT-specific processes via self-service portals to increase efficiency and simplify management.
- Sprawl management: Actively manage the virtual environment in terms of what is being used, what’s needed and what’s not.
- Complete stack management: Focus on end-to-end connections within the virtual environment.
- Built-in auditing: Leverage tools to automate security checks, balances and processes wherever possible.
- Patching: Implement a patch maintenance and management process and schedule to make sure patches are up-to-date for both online and offline virtual machines.
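An added example (not from the original article or from SolarWinds) of how the separation, sprawl, patching and workload-placement checks above can be automated over a VM inventory. The inventory, field names, tier numbers and thresholds are constructed assumptions; a real audit would pull this data from the hypervisor's management API.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory; field names and tier numbers are assumptions.
@dataclass
class VM:
    name: str
    env: str              # "dev", "test" or "prod"
    powered_on: bool
    last_patched: date
    last_used: date
    security_tier: int    # level of controls the VM provides (higher = stricter)
    workload_tier: int    # level of controls the workload placed on it requires
    network: str

INVENTORY = [
    VM("web-prod-01", "prod", True,  date(2015, 3, 1),  date(2015, 3, 20), 3, 3, "prod-net"),
    VM("db-prod-02",  "prod", True,  date(2015, 3, 5),  date(2015, 3, 20), 1, 3, "prod-net"),
    VM("qa-old-07",   "test", False, date(2014, 6, 10), date(2014, 7, 1),  1, 1, "test-net"),
    VM("dev-tmp-11",  "dev",  True,  date(2015, 3, 10), date(2015, 3, 19), 1, 1, "prod-net"),
]

def audit(inventory, today, max_patch_age=30, max_idle=90):
    """Return a sorted list of (vm_name, finding) tuples."""
    findings = []
    prod_nets = {vm.network for vm in inventory if vm.env == "prod"}
    for vm in inventory:
        # Patching: offline VMs count too; they are exposed the moment they boot.
        if (today - vm.last_patched).days > max_patch_age:
            state = "online" if vm.powered_on else "offline"
            findings.append((vm.name, f"stale-patches ({state})"))
        # Sprawl: nobody has used the VM for a long time.
        if (today - vm.last_used).days > max_idle:
            findings.append((vm.name, "sprawl-candidate"))
        # Workload sits on a VM with weaker controls than it requires.
        if vm.workload_tier > vm.security_tier:
            findings.append((vm.name, "workload-on-lower-tier"))
        # Separation: non-production VM attached to a production network.
        if vm.env != "prod" and vm.network in prod_nets:
            findings.append((vm.name, "separation-violation"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, today=date(2015, 3, 21)):
        print(f"{name}: {finding}")
```

Running a check like this on a schedule and after every workload migration is one way to get the "built-in auditing" the list calls for.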
With a knowledge of the primary security risks associated with virtualization and a commitment to following best practices that will mitigate those risks, it’s possible for any organization to find a balance between taking advantage of the benefits of virtualization and maintaining the highest levels of security.
Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.