Are virtual machines more or less secure than their physical counterparts? The answer, of course, is YES. Several Nerds have asked for my perspective on recent research from Gartner indicating that 60% of virtual servers are less secure than the physical servers they replace. This research has gotten a lot of press and raised some serious concerns, as it should.
The most important point to be taken from this research is that the decrease in security is NOT due to the fact that these servers are being run as virtual machines. Rather, the problems arise from the failure of administrators to recognize the additional risks which virtual environments present. The same tools that make it easy to quickly create, modify, and reproduce virtual servers can provide new opportunities for attackers. Most of the rules for securely managing physical servers still apply, but virtual environments present a new set of risks to be managed. If you are planning a virtualization project for a client, these risks MUST be taken into account. The GOOD NEWS is that we have virtualization and security experts that can help. Leverage the POWER OF THE TEAM!!
First, access to virtual machine images MUST be strictly controlled. It is certainly possible for someone to remove a physical server from the rack and walk out the door with it, but this risk is easily managed. A virtual machine can be placed on a “thumb drive” or copied across the network – a risk that is not so easily managed. Good administrators carefully protect server backup images and data backup files by controlling access to them and / or encrypting them. Virtual machine disk files are not always treated with the same care. Multiple testing and development versions may exist and when they are discarded, the deletion process may not be secure.
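One way to check for the problem described above, as an added example that is not part of the original post: a short Python audit that walks a storage directory and flags virtual disk files that are readable beyond their owner or have sat untouched long enough to need review and secure disposal. It assumes POSIX file permissions; the sample paths, modes, and the 90-day threshold are constructed for illustration.

```python
import os
import stat
import tempfile
import time

VM_DISK_EXTS = {".vmdk", ".vhd", ".vhdx", ".qcow2", ".vdi"}  # common disk formats
LOOSE_BITS = (("group-accessible", stat.S_IRGRP | stat.S_IWGRP),
              ("world-accessible", stat.S_IROTH | stat.S_IWOTH))

def audit_vm_images(root, stale_days=90, now=None):
    """Return (relative path, issues) for loosely permissioned or stale VM disks."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in VM_DISK_EXTS:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            issues = [label for label, bits in LOOSE_BITS if st.st_mode & bits]
            if (now - st.st_mtime) / 86400 > stale_days:
                issues.append("stale")  # candidate for review and secure disposal
            if issues:
                findings.append((os.path.relpath(path, root), issues))
    return sorted(findings)

def build_demo_tree(root):
    """Create constructed placeholder files (empty, not real disk images)."""
    samples = {  # relative path: (mode, age in days) -- all constructed
        "prod/web01.vmdk": (0o600, 1),
        "test/web01-copy.vmdk": (0o644, 200),
        "dev/db-clone.qcow2": (0o640, 5),
        "dev/notes.txt": (0o644, 300),  # not a disk image, ignored
    }
    now = time.time()
    for rel, (mode, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
        os.utime(path, (now, now - age_days * 86400))
    return now

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo_tree(d)
        print(audit_vm_images(d))
```

Run against a real datastore, the same function gives a quick list of forgotten test and development copies to lock down or dispose of.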
Because it is so easy to spin up a new or saved VM with a few mouse clicks, extra caution is required to ensure that it is the RIGHT VM, and the RIGHT VERSION. Have all the right access controls been applied? Are all the patches current? Has it been hardened? Is it on the right network or VLAN? With physical servers, there is only one version of that server. With virtual machines, there could be many, each with different levels of access control, patching, and hardening.
Virtual machines run on top of a host operating system or a hypervisor, which is simply a specialized and very “thin” host operating system. The host operating system or hypervisor has access to all the guest virtual machines, so it has to be protected and managed even more carefully than the guest operating system. This includes patching, updating, and tight access control.
Virtual networking creates management challenges similar to those of virtual machines. The network connections between virtual machines running in the same physical server have to be controlled, on the basis of security policy, the same as connections on a physical network. Communications between guest servers on the same host are largely invisible to network monitoring and access control devices.
Virtual servers require the same maintenance as physical servers – they have to be audited, patched, and secured in the same ways and on the same cycles. The real security issue with virtual machines is that they are TOO easy to manage. They can be cloned or moved to a different network with a few mouse clicks. However, a configuration that was secure in one environment may be very insecure in another. Snapshots can revert a virtual machine to a previous state with incredible ease, but this can undo security patches or access controls with the same ease. Spiderman creator Stan Lee said it well – “With great power there must also come–great responsibility.”
This discussion would not be complete without mention of some of the security BENEFITS that virtual machines provide. “One service per server” is the mantra of security professionals and network administrators alike. It makes for better security and easier management. In the world of physical servers, this principle is rarely followed, especially in smaller networks. The reasons are obvious – running a separate server for each network service is too expensive and consumes too much space and power. Virtual servers make adherence to this policy much more possible. Backup and disaster recovery are also huge security concerns, both of which are made much easier with virtual machines. If a security breach does occur, recovery is much easier, assuming proper backups have been maintained.
The benefits of virtualization are undeniable and there is no question that the trend toward virtualization will continue to grow and will become the standard for deploying and managing servers. At least within the corporate environment, desktop virtualization will not be far behind, for many of the same reasons. Virtual servers and desktops CAN be MORE secure than their physical counterparts, but virtual security, like physical security, has to be built on the three P’s – Policies, Processes, and Procedures. These three P’s must be documented, tested, audited, and enforced. This is not rocket science. In fact, it’s Security 101 – inventory the assets, identify the threats, mitigate the vulnerabilities, and manage the risks.
Dennis H in West Virginia, US
March 29, 2010
(Need help planning or securing a virtualization project? Contact me and I will connect you with the right folks)