Rush to deploy virtualisation leaves security gaps

Written by Brett Winterford, Contributor

Server virtualisation is a no-brainer -- it's quick to deploy and easy to justify in terms of cost-savings, but too many companies are deploying the technology without considering the security implications.

Server virtualisation has been the hottest trend in enterprise IT for some time and, according to IBRS analyst Kevin McIsaac, it's likely to remain that way for the next two to three years.

IBRS estimates that one in three large Australian organisations has deployed server virtualisation within their datacentre, and nearly every medium to large enterprise has at least looked at a pilot for the technology.

But as the push to consolidate physical servers intensifies, questions are being raised as to whether new virtual servers are being deployed with adequate security measures in place.

Hypervisor hackers
Virtualisation software uses programs called hypervisors, which allow multiple operating systems to run on the same hardware.

Hypervisors have to date been considered fairly secure programs, in that they tend to carry a smaller footprint than an operating system and thus carry a lower potential for security holes.

"I don't know if anyone has ever seen a working prototype or found a virus in the wild that attacks the hypervisor," McIsaac said. "There is a lot less code in a hypervisor, only a fraction of what's in an operating system, and unlike an operating system, you won't find a hypervisor surfing the Internet and downloading code."

That said, the hypervisor is an obvious target for hackers. If compromised, it could potentially provide access to a range of services within a virtualised machine, rather than to a single service in a standalone box.

Security analysts and white hat hackers have done their best to crack the hypervisors of the leading brands, with little success. Malware researcher Joanna Rutkowska talked up an attack method called "Blue Pill" at a recent security conference in August, but this has since been debunked by several industry figures as detectable and addressable.

Most of the reported hacks of virtualisation software, reports VMWare systems engineer Andrew Kemp, are clutching at straws. One exploit, he said, which has since been patched, required the attacker to physically be inside the server room, logged on at a specific time and using a specific version of VMWare's ESX software.

"If you have someone in your data centre, you've got plenty of other problems to worry about," he said.

Nonetheless, there is no shortage of hackers having a crack at the technology.

Gartner security analyst Andrew Walls says it's a sure bet that there are people in the hacker community "trying to develop exploits that target the hypervisor."

A process problem
It's for this reason that Gartner vice president Neil MacDonald released a controversial statement in April warning organisations not to rush into deploying server virtualisation without studying its potential for security risks.

MacDonald argued that hypervisors represented a "new layer of privileged software" that needs protection, and said that virtualisation vendors and their third party tool developer partners were releasing "immature and incomplete security and management tools."

This sentiment didn't go down too well in the virtualisation vendor community, who decried the statement as being alarmist.

Nonetheless, Gartner's Walls claims he was trying to make a very important point about virtualisation and server consolidation projects.

Virtual servers, Walls explains, are quick, easy and cheap to deploy, and as such can be deployed with the kind of abandon that has little regard for security.

It's a risk that is coming to be known as "virtual machine sprawl".

Without the right user rights and privileges controls in place, virtualisation tools allow knowledge workers to deploy a new server instance or virtual machine without the consent or control of IT security staff.

"The main risk Gartner sees is to do with the segmentation of duty," Walls said. "It's about organisational structure, not technology."

In the non-virtualised world, Walls explains, it's always been fairly clear as to what the protocol for IT security is.

In larger organisations, security concerns have often warranted dedicated staff. So while the IT admin team is responsible for the day-to-day running of new servers, the security team try to monitor and maintain control.

"You need to be careful that the use of virtual servers doesn't erode any responsibility," Walls said. "The big advantage to virtualisation is the speed of deployment. You can deploy ten new servers in an hour. But when you have a much faster deployment model, you can rapidly increase the number of targets for attack."

If the rush to deploy new security is left to IT admin, Walls said, there is a potential for the quality of security processes to be compromised.

"IT seeks to optimise performance, to deploy new instances, at reduced cost," he said. "They are strongly motivated to meet the needs of the business, which is always pushing to offer new services and thus new server instances. Security sometimes gets left out."

"Each time a new server is implemented or a new server instance is deployed, you need to ensure that the same governance controls and change controls are applied to this virtual environment as a new server," he said.

Choose carefully
Walls said there is no single virtualisation vendor he would favour over another in terms of security.

That said, it's safe to say that the less code a hypervisor contains, and the less access available to that code, the more secure the solution.

"There are a lot of skinny hypervisors, and a lot of fat ones," Walls said. "Generally the more functionality it has, the more prone it will be to exploits."

The VMWare hypervisor's footprint is among the thinnest, with the solutions available from Microsoft and the open source movement being a little fatter, he said.

VMWare's Kemp argues that the security vulnerability of one solution can come down to how the vendor manages drivers within the hypervisor.

VMWare, he said, has a "direct hardware model", which sees the vendor write its own binary access to the specific hardware devices the software is compatible with. That, in effect, is why VMWare's hypervisor will only work with a select range of hardware.

Some of the vendor's competitors, he said, have implemented a "master domain model" in which hardware drivers are written by third parties and stored in a container mechanism.

"We investigated that model thoroughly as far back as 1988 -- but the security implications drew us away," Kemp said. "The risk of exposure is increased when more people are writing the code."

Security benefits?
For any potential risks that virtualisation poses, it can equally be argued that a correctly implemented solution can actually harden an organisation's security.

In the network, virtual servers can be deployed as firewalls or monitoring tools -- additional defences against attack.

Using virtualisation, sensitive applications can also be consolidated together on hardware that is better protected than the rest of the server farm.

On the desktop, users can use virtualisation to conduct their routine Web surfing on a separate partition to the one they use for making sensitive financial transactions, protecting themselves from malware, fraud and identity theft.

That said, as with any software, one can never assume that virtualisation tools are beyond attack.

"I am perfectly confident that somebody will write an exploit for the hypervisor," Walls says. If it's any guide, he said, "we still haven't built the perfect operating system yet!"
