Snapshot: Virtualization

Virtualization Security: The Good and the Bad

The promise of virtualization to improve the use of IT resources is now well established. Unfortunately, understanding of the attendant security issues has not kept pace. In the age of advanced cyber threats, sophisticated malware and regular high-profile breaches of both private and public organizations’ security, virtualized environments could prove particularly vulnerable.

A recent survey by Kaspersky Labs found it costs organizations more than twice as much to recover from a cyber-attack on a virtualized infrastructure as from an attack on a physical environment, regardless of the size of the enterprise. That’s because a majority of them use virtual infrastructure for their most important operations.

An inaccurate perception of the threat landscape is another element that increases cost, according to the Kaspersky survey. Some 42 percent of the survey respondents believe security risks in virtual environments are significantly lower than in physical environments.

While slightly fewer than half of them said they understood the problem of security management in virtual infrastructures, only 27 percent said they had deployed a security solution specifically for those virtual environments.

Organizations do expect that going virtual will decrease their IT spend and streamline their infrastructure, says Matey Voytov, Kaspersky’s corporate products group manager. “If there is not enough attention paid to security matters in the virtual environment,” he says, “expenses may exceed the benefit.”

Several years ago, the National Institute of Standards and Technology (NIST) tried to bring attention to virtualization security needs with SP 800-125, a comprehensive “Guide to Security for Full Virtualization Technologies.”

The guide noted that virtualization has some negative security implications. “Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls,” the guide states. “Also, combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs.”

Virtual systems also make it easy to share information between systems. That’s a convenience in regular IT operations, but can also be a way into a system for cyber threats. In some cases, according to NIST, virtualized environments are quite dynamic. That can also make creating and maintaining the necessary security boundaries more complex.

NIST followed up on that report in 2014 with draft guidance on how to secure hypervisors, the software that lets you build virtual machines on physical host systems. Specific hypervisor threats include such things as configuration errors that lead to rogue VMs gaining access to host resources, snooping on virtual network traffic, or threats that lead to denial-of-service attacks.

Virtualization itself is still seen as an enabler of better security, however. That’s the case for network virtualization, for example, which some feel can ease security concerns because it allows for easier distribution of such things as virtual firewalls. Organizations can also more quickly mitigate malware infections by tearing down an infected virtual network and replacing it with another clean network.

It’s an argument for adopting network virtualization that Maj. Gen. Sarah Zabel, the new vice director of the Defense Information Systems Agency, made at a recent industry meeting. It will help DISA banish persistent threats from its networks, she says.

That same advantage has been claimed for non-persistent VMs. The trouble is that malware developers have created malware that can survive the teardown of individual VMs by spreading across the entire virtual network, which lets it return and infect replacement VMs.

Organizations should be careful not to get too caught up in the potential of virtualization to improve their overall use of IT, Kaspersky warned, even though that potential is indeed real.

“(Their) understanding of this technology, especially virtual-specific security issues, is far from perfect,” says the Kaspersky report. “Virtual environments are trusted more than physical servers, and nothing can be trusted in a grim security environment.”