Source: TheInfoPro survey with 214 security experts, November 2010.
Chanani and his colleagues currently have about 200 virtual servers, operating in the form of documents, printing, or in some cases, application servers. However, for security reasons, he does not use virtualization for ERP, databases or e-mail for his company.
Michael Israel, CIO of Six Flags Inc. re-show concern in another aspect. According to him, the most worrisome scenario is that 'cunning' administrators transfer virtual servers from the protected part to the non-secure parts of the normal server, or create virtual servers. New without licensing and integration. He said 'the last thing I want to find out is 25 external servers that I don't know are currently in existence'.
John Kindervag, an analyst at Forrester Research Inc. said he had heard some stories from customers whose VMware vCenter management software was compromised, from which attackers could copy a virtual machine and use this virtual machine to invade. data. He said, ' When you steal a VM software, you can hack into the data center and steal a piece of hardware. This will become a disaster indeed. '
Venu Aravamudan, product marketing manager for VMware Inc. said: ' We have been conducting research with our customers for years to solve this problem .' According to him, most users identify these types of risks by complying with best practices, for example by creating a separate network part to manage resources and control. The import trup is based on the position.
Integrating into virtual servers helps businesses save a lot of costs thanks to improved uniformity and efficiency, but when virtualization 'consumes' more and more servers produce a few IT directors start to feel anxious again. Is there anything overlooked here? Can some unauthorized intrusion destroy critical applications, or even the entire data center?
Kris Lovejoy, vice president of strategy for IBM Security Solutions and also a security consultant, said: 'One day, customers wake up and realize that 50% of all applications Your important business application is on virtual infrastructure and wonders to ask: 'Is this safe?'. This is a fairly common situation " .
The problem is not that it is difficult to protect virtual infrastructure, but that many companies still cannot adapt to the best practices (in case they have real standards). This practice) in new environments.
Problems exist
Virtualization requires technologies - including new software lines and controls. There are also new elements such as virtual transformation to help network traffic between virtual servers circulate in ways that can be tracked by tools designed to track traffic on the servers. normal network.
Moreover, virtualization also helps break down the traditional decentralization in the IT industry by allowing individual administrators to run virtualized servers with a single button without approval must be obtained from purchasing or managing input, storage, business maintenance groups or information technology security groups.
Meanwhile, according to Lovejoy, virtualization-based security technologies and best practices are still being developed. The market for these technologies is so widespread that customers cannot keep up with the standards of practice. There is still a lack of knowledge and skills in this area.
Bill Trussell, director of security research at TheInfoPro, an information technology market research firm in New York, said questions about security in a virtual environment are centered around the lack of availability. awareness, lack of control and concerns about potential problems. Another IT director is concerned about whether someone can attack the virtual infrastructure of the business and use this infrastructure to invade all servers. virtual on it? Or can an attacker invade a virtual server and use this server as a platform to attack other virtual servers, such as payment applications that are in the same hardware, but no administrator found out?
Eric Baize, RSA's floor security manager, said that concerns about such scary perspectives persist despite the fact that there has not been a virtual infrastructure attack yet. Which is confirmed.
When TheInfoPro conducted research for 214 security experts earlier this year, they discovered that one-third of experts felt "very worried or extremely worried" about security issues. a virtualized environment.
Concerns about an attack arise after Joanna Rutkowska's "Blue Pill" fake software at the Black Hat conference in 2006. However, since then, the IT industry has grown with the emergence of hardware technologies to ensure the integration of infrastructures, such as Intel's Virtualization Technology for Directed I / O (commonly known as VT-d) . Rutkowska, founder and CEO of the Invisible Things Lab, an IT security research firm, said that "Today, most of Intel's Core i5 and i7 processors have these technologies." and virtualization software vendors have switched to supporting these features. '
Rutkowska also had doubts about whether someone would actually use Blue Pill rookits to invade virtual servers."The attackers are not really aiming to use these sophisticated rookits, " she said, notably because the popular 90s rootkit technologies still work quite well in attacking systems. traditional practice.
Trussell said: 'People are more concerned about theoretical perspectives than perspectives that are really considered outstanding issues.'
But virtualization also carries risks if virtual infrastructure is not compliant and compatible with best practices. Security advisors said that learning has discovered a series of security issues on customers' websites. Lovejoy is seeing the existence of counterfeit software related issues between websites that arise due to inefficient creation of virtual machines. She said: 'In general, these virtual machines will contain fake software or contain errors that can be easily detected. This has happened once. Now, virtual machines are being used extensively and creating a lot of trouble for users. '
RSA's Mulé adds: 'We are seeing a lot of unresolved issues'. He said he often found lax management standards for virtual machines, as well as user names and passwords that could be easily speculated in management programs that allowed full access to the facility. Infrastructure. In addition, 'we also sometimes realize that virtual device management tools are in the wrong place of the firewall'.
Using the default password when creating new virtual servers is very common, said Harold Moss, CTO of IBM Security Solutions cloud security strategy, and those responsible for administering new machines infrequently change those passwords. Intruders can access a machine, guess the password and gain full control.
Besides, because virtual device images are data, program codes are stored in the hard drive. These programs must be protected. Vauda Jordan, Phoenix City's security expert, said: 'You don't want someone to control the entire server with just one USB.' She said the city is using a combination of common security programs, network storage access control, document integration monitoring to protect virtual devices.
Traffic between virtualization devices is also another concern due to firewalls, unauthorized intrusion protection and protection systems and other tracking tools that cannot show whether virtual devices whether to run on the same hardware or not.
With VMware's ESX server and other important virtualization platforms, the data circulated between virtual devices will not be encrypted. Aravamudan believes that VMware is very interested in encryption, but refuses to answer when its products have encryption functions.
Systems like VMware's vShield and other third-party tools can create firewalls that help break VMware, XenServer, Hyper-V devices and other virtual devices into different security zones but not All businesses must do this. For example, creating security zones is not a focus of Rent-A-Center. However, when the virtual infrastructure increases, creating security zones is extremely necessary.
Some existing firewall tools may appear in virtual server traffic, but in other cases, IT departments need to insert specific virtualization tools. This also makes management more complicated.
Better to have a tool to connect between common environments and virtualization environments, says Neil MacDonald, an analyst at Gartner Inc. However, until traditional security tool providers can keep up with the transformation, the IT department may need to put into use tools that are less well known. rather than distributing such as Altor Networks, Catbird Networks and HyTrust, which are designed to be used for virtual devices.
According to Mulé of RSA, more importantly, the core network architectures need to change to fit virtualization. He said, 'Network systems that are compatible with conventional servers do not necessarily have to be compatible with virtual devices. Security can be improved if links, secondary network systems and virtual LANs are set up . " He also said that most businesses cannot continue to operate in virtual installations. Chemicalization can cause additional network design errors.
Matthew Nowell, senior systems expert at Six Flags, uses virtual affiliate networks to split servers. He said that 'Based on our set of path rules, we can determine whether these rules are compatible with each other'.
However, MacDonald also recommends that 'VLAN networks and path-based access controls themselves cannot match security splits'. The research firm's guidelines also require the exploitation of several types of virtualization firewalls.
People who implement virtualization.
Third-party vendors like Trend Micro Inc. is launching the software market to support the security of the software layers. However, some experts worry that virtualization floors are becoming more and more dense and complex and will become hackers' attacks.
Jordan, an employee of the Phoenix city government, assures that system administrators have separated each virtualized server from their own security areas. She said: 'I have to fight with server administrators who swear to swear down that hypervisors can do that thanks to virtualization. (Hypervisor is a very small software layer present right on Intel-V or AMD-V processor). But I believe in firewalls rather than believing in hypervisors'.
Security from the beginning
RSA's Baize believes that security for a virtual infrastructure is not just about buying more devices.'There are many virtual infrastructure control devices on the market. What is missing here is how to understand and apply those controls. '
The best way to create a secure virtual infrastructure is through the help of security experts as soon as possible. Gartner estimates that about 40 IT companies are not looking to security experts from the start, but often until their virtual systems are built and live online.
The problems become more pronounced when important applications are included in virtual devices. McDonald's said: 'When users start paying attention to virtual software like SharePoint, Exchange or ERP, they are actually using sensitive data. That is a problem. '
Condit also said it was time to have security policies. As to how quickly virtual servers can be created and moved between conventional servers, he said, 'Without a strict security policy, the virtual infrastructure will be fast. quickly reveal weaknesses'.
The concern of CIOs is completely reasonable. Condit said: 'A reasonable paranoia is a good thing.'
Tips for the staff
Full-time administrators should be cautious
In an uncontrolled, controlled environment, administrators are the ones who hold all the power, and according to consultants and IT directors, this is not a good thing. Vauda Jordan, a security expert with the Phoenix city government, said: 'This is the key for server administrators to penetrate all areas and in most cases don't understand the security risks.'
For example, administrators can create new FTP virtual servers, or they accidentally use the virtual device integration tool to transfer a server to another hardware for technical maintenance reasons without notice that the new path is on an unsecured network module.
Andrew Mulé, RSA's security consultant, said that another serious problem is the failure to apply standards of practice or unable to separate virtual infrastructure into clear parts. .'Users often do not like decentralized practices. They only empower a few people '. He proposes creating a rigorous management change process that shows changes in management.
KC Condit, Rent-A-Center's information security director also agrees.'The virtual world has no inherent decentralization, so users will have to build these levels of authority' themselves. Change management, format management and access are essential elements to protect virtual infrastructure.
Compatibility is also another worrying issue. Jean - Louis Nguyen, a systems engineering executive at the Council of Europe Development Bank, said he needed to monitor activities to ensure that administrators of 140 virtual machines complied with the requirements and regulations. management. His bank is conducting a trial of VMware but they need a better way to integrate information. The bank also used HyTrust to set up a fully separated virtual environment for key security personnel to use. These employees will be able to monitor the entire virtual and common server infrastructure.
According to Nguyen, 'the key issue is to ensure that no administrator abuses power. We need to be able to firmly manage the systems and not expose the data '.