There’s no question about the benefits of server virtualization. Along with virtualization comes maximized resources, fewer costs, and other positives. However, as with everything technology related, there are also server virtualization risks, mainly related to security.
It’s important to be aware of these issues so you can properly mitigate against them. The number of IT professionals implementing server virtualization continues to climb to where it almost seems ubiquitous now, although some are still putting off learning this new technology because of adoption concerns.
Although this was performed in 2014, the Global IT Security Risks Survey performed by Kaspersky Lab showed that 43 percent of respondents (out of 4,000 total) claimed that security concerns were stopping them from using virtualization.
Among those same participants, 41 percent agreed that they “struggle to manage the security solutions in [their] virtual environment.” The real problem comes in when 46 percent of respondents believe that conventional security solutions protect virtual environments just as well as physical environments.
Additionally, “only one out of every three IT security experts expressed a ‘clear understanding’ of light agent and agent-based virtualization security” while “only one out of every four expressed a ‘clear understanding’ of agentless virtualization security.”
Beyond this, 36 percent believed that virtual environments have fewer security concerns than physical ones. Because of this, more than half admitted that their company has not fully implemented security solutions for their virtual environment.
We can assume that these numbers have improved in the past years, with IT professionals becoming more aware of the concerns that face virtualized servers.
Today, malware exists that “specifically seeks out and targets virtual environments — including an ability to reside in memory and hop from one virtual machine to another to avoid being removed even if the entire virtual server is wiped out and rebuilt.”
Server virtualization risks: Main security issues
Our virtual environments are certainly just as risky as physical environments, and it takes different precautions to secure these virtual servers. Cloud Security Alliance released a white paper detailing the top 11 server virtualization risks and explaining how to best mitigate against these problems.
These common issues regarding virtualization happen regardless of your vendor or architecture, according to the CSA, and generally fall under either architectural, hypervisor software, or configuration problems.
The most prevalent issue that is seen creeping up when virtualizing multiple servers is virtual machine (VM) sprawl. The whitepaper found that “Uncontrolled proliferation of VMs can lead to an unmanageable condition of unpatched and unaccounted-for machines.”
Essentially, VMs are so simple to create and push out with today’s new technology. This is certainly a positive aspect of VMs that benefits users. But if the administrator does not understand how to manage this many machines, problems can occur.
Additionally, moving VMs from one physical server to another “creates audit and security monitoring complexity and loss of potential control.”
Whether you have too many different types of configurations among your different machines or you duplicate machines and then forget about them, you can leave your VMs falling sadly behind when it comes to managing, patching, and securing them.
Without frequent patches, the machines become more vulnerable to attacks, greatly weakening the security of your whole infrastructure. Some users believe that because VMs are isolated on the network, their security isn’t important. However, not patching your virtual machines still creates a vulnerability in your network that hackers could take advantage of.
There are certain steps you can take to make sure VM sprawl doesn’t add to your server virtualization risks. This includes:
- Put proper lifecycle management tools in place (including self-service and automated scripts).
- Use a formal change management process and tools to control the creation, storage, and use of VM images.
- Make sure you have updated guest operating system images stored separately to use for fast system recovery and restoration.
- Discover, classify, and implement appropriate security controls for each VM and its associated network connections.
- Patch and secure configuration changes with management solutions.
Hijacking through the self-service portal
Self-service portals can help administrators gain access to particular parts of your virtual infrastructure. The problem with this begins if you create too many portals, as this can increase your susceptibility to account or service hijacking, as well as other risks.
If you grant more administration privileges than there should be, there is not a strong authentication control, leading to vulnerabilities.
According to CSA, there are some simple solutions you can implement to control this potential security breach, including:
- Be very selective about which users need access to which parts of your infrastructure.
- If possible, use multifactor and/or split-control authentication.
- Detect unauthorized activities through proactive monitoring.
- Securely manage accounts, identities, and credentials.
Cloud service provider API risks
If enterprises employ a hybrid cloud approach, as many today do, it could be challenging to safely merge their private and public cloud infrastructure services. This is because “enterprise identification, authentication, policy management, and governance framework(s) may not naturally extend to the public cloud.”
Enterprises manage and interact with cloud services through their APIs, so it’s important to make sure that these interfaces are properly designed to protect you and your data against any risks, both accidental and malicious.
Some of the ways you can mitigate against these server virtualization risks include:
- Using two diverse authentication zones for internal and external systems.
- Have encrypted transmission with strong authentication and only grant specific access control.
- Use a private or out-of-band encrypted channel to transmit Active Directory traffic rather than sending it with normal Internet traffic.
Other important risks outlined by CSA include:
- Sensitive data within a VM.
- Security of offline and dormant VMs.
- Security of preconfigured (golden image) VM/active VMs.
- Lack of visibility and control over virtual networks.
- Resource exhaustion.
- Hypervisor security.
- Unauthorized access to hypervisor.
- Workloads of different trust levels located on the same server.
It’s imperative to be aware of all risks facing an infrastructure that includes server virtualization, as well as the best practices for making sure that you stay protected from each risk.
Photo credit: Pixabay