You’ve Adopted Virtualization. Now It’s Time To Update Your Security PolicyDecember 10, 2013 No Comments
By Shawn Wilson, Vice President of Sales for Next IT
From small businesses to large enterprises, virtualization technology is being used more and more in the workplace. In fact, Spiceworks reported that 72 percent of small businesses use some form of server virtualization. As private cloud and virtual desktop infrastructure technology continue to push growth, the promise of ROI rules the dialogue, resulting in the auditing of security policies getting overlooked.
Executives consistently cite security as one of their top concerns when it comes to virtualization – typically blaming the technology itself. However, the biggest challenge to the virtual world is nothing related to the technology, but rather it’s the business’ out-of-date security policy.
Too often, IT departments adopt virtualization and continue business accordingly without revisiting their existing policy, putting the business at risk to missing out on potential efficiencies and leaving themselves open to attack. Consider that virtualization adds another layer of complex technology to a network by introducing new components such as hypervisor software, host operating system (if applicable), guest operating system and virtual infrastructure. A core benefit of server consolidation is combining many systems into just a few physical devices; however, this also creates a huge risk for organizations as now a breach is likely to impact more than just the compromised server.
IT managers and project managers should include a security policy audit as part of every virtualization project. The idea of ‘hardening’ the virtualization installation should consider all components present including hypervisor software, host OS and guest OS, while installed apps should be kept secured as they would be whether installed on a physical or virtual platform.
Hypervisor Security Concerns
Hypervisor software provides a common platform that provides access to and control over all guest operating systems, and so can be considered a single point of failure. If the hypervisor is compromised, without appropriate security in place, the attacker could potentially have access to every virtual machine. Most hypervisors have username and password access to management software granting full rights, while some offer different levels of access (view only) or even token based.
Security recommendations for the Hypervisor:
- Establish policies specifying who can access which features of the hypervisor. Restrict full management access to the hypervisor console(s).
- All updates released by the hypervisor vendor should be installed. Most software packages will check for updates automatically, or it can be incorporated into a patch management solution.
- Establish hypervisor monitoring, either with services built into the software or monitoring the logs on a consistent basis.
- Disconnect any unused hardware from the host(s). Removable or portable disk drives and unused NICs should be disabled or removed.
- Synchronize all components to a known-good time source to ensure all elements have the same time stamp. Most platforms will sync guest OSs with the host OS, but ensure that the hosts are synced with another device.
- Disable file sharing or clip boarding between the host OS and the guest OS (unless they are specifically needed).
- Look for folders being shared between guest OSs and the host OS which can be a security leak.
Security Concerns With Images (BDR)
Images and snapshots in a virtual environment offer many more options for disaster recovery, but along with that flexibility and ease of use, come direct and indirect security concerns. Because of this very benefit of being easy to copy and move all data, security information (passwords) and the operating system in one file or folder, it requires careful protection against unauthorized use, or editing. Backing up images for disaster recovery purposes is sound strategy, but keeping these ‘dark’ images updated with security patches is essential, as the benefit of restoring a saved image in the case of data loss will soon be lost if that image opens the network to vulnerabilities due to it being out of date and unpatched.
An indirect security concern is ‘image sprawl’, something that’s often seen in newly virtualized environments. The benefit and ease of creating images can lead to an overabundance of images, and image management becomes a necessity.
Security recommendations for images and snapshots:
- Establish policies of who has access to creating images and snapshots
- Determine a location for a ‘known good’ image to be stored
- Create ‘dark’ copies of your servers that get updated and patched (if software platform allows), and imaged
- Establish protocol for checking security settings on images when deployed, and patch immediately as necessary
- Establish policies for checking images from time to time. Either scan images for malware or calculate checksums for each file as stored then recalculate for comparison to establish if the image has been changed
Security Concerns For Guest Operating Systems
Because a guest operating system running on a hypervisor acts (almost) identical to the operating system running on its own hardware, all typical security considerations apply; however, the fact that they can share information with the host adds another level of complexity. The ability to share files or folders with the host creates similar vulnerabilities to a physical network that uses shared network storage. If policies are in place specific to shared network storage, they should be applied to shared files or folders in the virtualization platform.
Security Recommendations For Guest Operating Systems
- Some virtualization platforms allow guest operating systems to share information via clipboard sharing. Consider if this is necessary, and if not, disable
- Install all vendor-supplied updates to the guest operating system, promptly
- Include virtual drives used by the guest operating systems in the backup policy
- Disconnect unused virtual hardware for each guest operating systems including virtual CD drives, network adapters and serial or parallel ports
- Unless prohibitive, use separate authentication for each guest operating systems
- Virtual devices for guest Operating systems should only be associated with required physical devices on the host (NIC mappings)
Virtualization technology is a milestone in the technology timeline, and we’re seeing it adapted in all markets in new and exciting ways – something that’s only going to continue as the technology gets more advanced and complex.
And as security is a major concern when moving to the virtual world; however, executives often fail to recognize it’s not the technology itself they should be concerned about, but rather it’s their out-of-date IT security policy. Too often, IT managers focus on the added benefits virtualization provides and race to calculate the ROI of the investment. However, after any major technology upgrade, especially after one like moving to virtualization, IT departments must revisit their IT security policy to re-align the business’ current security needs with its newly upgraded technologies.
About The Author
Shawn Willson has been leading successful sales teams for over 15 years with a focus on the consultative selling approach. Currently, as Vice President of Sales for NeXt IT, he is responsible for driving millions in revenue in the small business channel through the sale of Project Services, Managed Services and Web Development. Throughout his tenure with NeXt IT, Shawn has developed and trained his staff on go-to-market strategies for various technologies including; Virtualization, VOIP/Collaboration, and Data Center Management. Shawn’s drive for professional growth has earned several credentials to add to his formal education from SUNY Brockport.
CLOUD COMPUTING, DATA and ANALYTICS , Fresh Ink, SECURITY