May 29, 2008 4:09 PM PDT

The real issue around server virtualization security

by Jon Oltsik

There is a general paranoia about server virtualization in the security community that goes something like this. The server virtualization hypervisor acts as a resource switch enabling multiple virtual hosts to share a single physical system. In theory, if you compromise the hypervisor, you gain access to every virtual host along for the ride. Imagine an instance where 50 hosts live on a single Intel server and you can see that a hypervisor attack could have extremely serious ramifications.

Yes, this is theoretically possible, but virtualization vendors understand this threat and are pretty conscientious about protection. Starting with IBM and virtual machines on the mainframe, there hasn't been a single compromise at the virtualization operations layer that I know of. Of course software is always vulnerable, but a hypervisor attack seems like something out of a Michael Crichton novel rather than an everyday concern.

So what is it about server virtualization that should really keep chief information security officers up at night? A more pedestrian worry--lack of control. In a virtual server world, IT administrators can clone virtual hosts, move them around, or turn them on and off by accident or with malicious intent. What happens when an IT administrator moves a critical database server instance without re-configuring application servers or the network? How about when someone mistakenly adds a test server to the production network? The security "uh-oh" possibilities are endless.

The real threat here is that server virtualization takes on a life of its own without proper management and security controls. This is why VMware is investing in its virtual infrastructure, Citrix is keen on its Citrix Delivery Center, and Microsoft is pushing its System Center Virtual Machine Manager (SCVMM) architecture. Systems and operations management vendors like BMC Software, CA, Hewlett-Packard, and IBM are also paying close attention and adding virtualization capabilities to tools, processes, and services. Given its 30-plus years with mainframe virtualization, IBM for one has seen this movie before.

In the security world, there are theoretical threats and there are everyday threats. The server virtualization crowd is constantly dragged through the mud about theoretical threats but it's the everyday threats that tend to bite us all in the butt. If users focus on sound server virtualization policies, controls, operations, and safeguards, rather than the virtual security bogey man, they should be able to reap the benefits of server virtualization without a substantial increase in risk.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
by krosavcheg May 29, 2008 11:24 PM PDT
The same set of problems exists in the physical world too... You could make images of a physical machine and clone it ... Also, it's easy to mess up the network connection in the physical world rather than virtual world because of messy wires/switches/sockets.
by Frank-at-MO May 30, 2008 10:31 AM PDT
I agree with Krosavcheg and from an IT management perspective, vice a security perspective, the largest concern is understanding the dependencies and relationships among components. For example, some shops struggle to understand what physical servers support what applications -- when you add virtualization into the mix -- the ability to create or change servers at the click of a button creates a change management challenge.

Our CTO wrote about this here: http://www.gridtoday.com/grid/2199895.html
Our CEO discusses dependencies here: http://www.wearebsm.com/managed_objects/2008/05/chaos-butterflies-and-it-chang.html
by benjaminstraight July 24, 2008 3:40 PM PDT
The article is over my head. I will rely on the other comments.