Virtualization and security - are we missing the wood for the trees?

Paul Stamp

I've sat through a number of presentations and sessions about security and virtualization in recent times and can't help thinking that people are falling into the old trap of going after the possible rather than the probable.

Most discussions I've seen around security and virtualization center around subtle threats to the hypervisor layer, and whether it's possible to jump from one virtual machine to another. Then there are the circular discussions about whether it's provably more secure to perform AV and intrusion inspection from inside the virtual machine, or have the host perform all the functions.

All pretty tedious if you ask me. I reckon we've some much bigger problems in a virtual world.

Isn't it more of a problem that in a virtual world it's harder to keep track of what business activities happen where? Isn't the patch and vulnerability management process exponentially more complex when you're instantiating and destroying virtual machines left, right and center? How do you determine what risks you're introducing if you move a virtual machine from one place to another? How do we track all this and demonstrate it to our friendly auditors when they come a-knocking?

I reckon we need to elevate the level of conversation to talk about the real risk consequences of virtualization, and what it does to the security business model.

Don't get me wrong, we do need to consider these more subtle virtualization threats, but rather than talking about them in isolation, we can incorporate them into a wider conversation. This can then include the slew of new deployment, implementation, and licensing options virtualization introduces for security services, and devise a more business-oriented way to establish who does what, where, and when for optimal security and cost.

Comments

re: Virtualization and security - are we missing the wood for t

Paul, I'm very glad that you have brought this to light. Many of us in the Virtualization management space have been blogging about the inherent nature of virtualization's predisposition to security issues around mobility, lineage, portability, and configuration drift. There is no doubt security best practices need to be instituted at a much broader layer than just using commoditized security products. Security needs to be considered from an application owner’s perspective, taking into account the transient nature of virtual machines.

re: Virtualization and security - are we missing the wood for t

Hi Paul,

Media hype aside, the security risks from highest to lowest probability:

1. Misconfiguration or defect due to human error
2. Malicious insider/abuse of privilege
3. Successful blue pill attack by outsider

#1 happens all the time.
#2 happens every year to almost any company with more than 500 employees.
#3 might happen some day and will get all the press when it does.

With proper configuration and implementation of security for the virtual infrastructure, virtual is more secure than the real.

However, without good implementations, virtualization will compound these risks because of increased rate of change, lack of visibility and loss of implicit controls.

As we see more production virtualization workloads, I see a lot of security practices being dropped at the boundary to the virtualized data center. This will have far-reaching consequences for anyone who really cares about data protection and compliance.