I prepared this presentation for an ISACA event and realised it is applicable to a much wider audience:
The business benefits of virtualisation are fantastic in terms of costs savings, agility in delivering services and business resiliency. It enables organisations to spend less on hardware assets and use their existing hardware more efficiently by running multiple machines on a single piece of server hardware without significant degradation in performance. Industry and vendor studies indicate up to 50% savings in IT expenditure.
An organisation can also run just the number of servers they need at any time, with demand led increases possible at short notice simply by enabling a new virtual machine. This is a further driver for virtualisation today as data centre power costs are significant to any large organisation and a reduction in the number of servers needing power and cooling offers a direct saving in bottom line costs. Studies indicate savings in energy costs through server virtualisation can reach 75% for a typical mid-sized organisation.
What are the risks?
Segregation of systems and data
Security around the standard organisational architecture is quite well understood, with acceptance that there are layers of security based on risk or impact levels, or around the value placed on particular assets – a key end result being separation: keep unauthorised individuals out, restrict an individual’s access to that which they need to do their job and host data of differing sensitivity on networks with different levels of protection.
Virtualisation can break this model – imagine your HR database and customer database virtualised onto the same environment as your web servers. All of a sudden the data which was once hidden behind layers of firewalls and network controls may be vulnerable to a smart attacker who gains access to the web server and finds an exploitable vulnerability in the virtualisation layer.
The same is true for servers hosted for customers – in the past, good practice kept these separate where possible. Now the segregation between different customers may be no more than between adjacent areas of memory or hard disk. This may not be appropriate for environments with differing risk, threat or impact ratings, for example external web servers and internal databases.
This also means that all servers or applications in the same environment should be secured to the same level, which means patch management becomes very important.
Segregation of duties
Consolidation of systems also introduces a risk of a loss of segregation of duties (SOD). It increases the risk that both system administrators and users could potentially (and unintentionally) gain access to data that are above their normal privilege levels. Administration of the internal virtual switch is also a concern, thus introducing a conflict between server administrators and network administrators and therefore potentially compromising the SOD between the two groups.
Licensing and asset management
The ability to rapidly deploy new virtual infrastructure at short notice raises challenges around licensing. Virtualising applications and servers is often implemented by copying an instance of a server and this instance is recreated on the virtual host. When further capacity is required new instances are created, but as these can be very time dependent, the licensing model has to be updated to ensure that an organisation only runs applications they own a licence to (or that don’t require a licence in a virtual environment.)
This applies also to inventory – a virtual server is just as much of an asset to the business as a physical server, but with the number of virtual servers fluctuating with demand, how do you manage your assets appropriately?
Although virtualisation can improve resiliency, there is also a risk if implementation is flawed. If several key services are hosted within the same physical device in a single virtual environment then failure of the hardware device would impact several services simultaneously.
When consolidating servers, consideration should be given to distributing business critical applications with high availability requirements across physical server instances. There should be no single point of failure for a service and the use of anti-affinity rules should be considered to ensure resilient virtual machines within a service are kept on separate infrastructure hosts.
Maturity of tools and security awareness
While some virtual environments (such as the IBM LPAR architecture on mainframes) are considered mature, there is now a range of products in this space which have not been through the same level of development and which run on platforms less suited to multiple user segregation, and while there has been large scale development of PaaS platforms based on Xen, VMware and others, treating these as secure by default may not be appropriate for your business.
Another major risk around security awareness is that virtualisation is moving forward in some organisations without the knowledge or active participation of Information Security.
Administrators need to look at the particular security requirements prior to building a virtual environment in order to use the correct tools and security configuration to support the business requirements in an appropriate manner.
Information Security involvement is critical at these early planning and architecture decision stages.
Communication and Storage Security
Sensitive data being transmitted across networks should be encrypted where possible and supported by the hypervisor. Encryption should be implemented for traffic between the hypervisor, management networks and remote client sessions and MUST be for virtualised DMZ environments.
Virtual disks are used to store the operating system, applications and data and also record the state of the virtual machine. Virtual disks (including backed up copies) must be protected from unauthorised modification.
Where virtual disk password protection features exist, they should be enabled.
Restrict disk shrinking features which allow non-privileged users and processes to reclaim unused virtual disk space as this may cause denial of service to legitimate users and processes.
Auditing, logging and monitoring
Enable security logging and monitoring on all virtual machines and hypervisors according to approved operational standards.
Hypervisors must be configured, at a minimum to log (failed and successful) login attempts to management interfaces.
Activities of privileged hypervisor and VM accounts (for example, the creation, modification and deletion of roles) must be logged and reviewed.
- Understand all the key IT controls in the existing environment before virtualisation
- Understand virtual platform controls and configure for security
- Replicate IT controls in the virtualised environment
- Implement an asset management system which can cope with high volatility
- Work with software and hardware vendors to understand licensing implications
- If outsourcing to a cloud vendor, choose one that can match your data location requirements and build in a robust reporting framework
- Rearrange your support teams to suit the new environment, but during the transition it is likely that the learning curve will be steep as new tools are used, and back office and front office support teams are created anew
- Use a compliance and governance model which can manage the concepts of changing security boundaries and levels
- Ideally work with a service provider who has done it before!