
Virtualization Security Risks?

This article on Dark Reading presents several security risks created by virtualization - at least according to a few experts. I think they are neglecting to mention enough of the security benefits that virtualization technologies (such as VMware and Xen) can provide. In my mind, the advantages of virtual machines outweigh the few added risk areas that are listed.

Yes, the hypervisor is a “new layer that’s another opportunity for attack.” However, if you convert 10 physical servers into 10 VMs running on one hardware platform, you just decreased your exposure on the hardware and physical security side from 10 to one. That’s especially true if the servers were running on disparate hardware platforms, which is often the case. You would have fewer drivers to worry about updating, and require less floor space in a secure data center.

There is also the mention of “VM sprawl” in the article. The idea is that VMs will pop up out of nowhere and be unmanaged and unprotected, since the proper security controls will not be in place. In my experience, I have not seen enterprise VMs created by accident or somehow without the VM administrators' knowledge. Sure, someone can download VMware Server and load up a virtual machine on his laptop. But that’s no different than the problem of users downloading other unauthorized software - you have to try to prevent it with policy and technical controls on the workstation.

In fact, I believe VM technology will improve our ability to manage servers, and keep our security policy enforced. Using a product like VMware ESX, you can configure a “template” VM, and deploy it as many times as needed. For example, you can make a template for your standard Windows 2003 server, with all the patches, configuration settings, security tools, and typical applications - then deploy it 10 times, and you’ve got 10 good servers up and running. There’s one less excuse for not having time to properly set up security before deploying a server.

Overall, I’m glad this topic is making some headlines, to get those of us in the infosec world thinking about virtualization. As always, there are trade-offs that need to be taken into account.
