Andrew Buss, originally published on The Register
Virtualisation has become an established trend in the x86 server market and is moving into the desktop and notebook space too. It’s a great tool for providing flexibility, recoverability and consolidation.
But virtualisation also brings challenges, and security is certainly one of them. Personal or financial data that should be deleted may be retained in libraries of offline virtual machine images. Loading up an old image that has been stored for some time may expose the network to threats from unpatched security holes or out-of-date applications. But while virtualisation brings its own issues, it can also provide the opportunity for fresh thinking to provide a new security paradigm.
There are two sides to the virtualisation coin. On the one hand, virtualisation as a technology brings so many changes to established ways of implementing IT that ensuring security in the face of this massive upheaval is a challenge. On the flip side, virtualisation can also allow new ways to approach security by enabling quick recovery from issues such as system compromise and malware infection, as well as providing secure virtual desktops or applications to use on remote, possibly untrusted workstations.
Virtualisation liberates the operating system and installed applications from the underlying hardware. While great for flexibility of deployment, it also raises serious issues for securing systems. Previously, the operating system and applications would have resided on a physical disk or in a set location, and have been tied to the hardware of the host, usually a server but also possibly a workstation or PC. Taking the operating system and attempting to load it on a new machine would often cause issues, necessitating lengthy re-installation or recovery in order to access applications or services.
Virtualisation, particularly in the latest iterations, makes it a snap to bypass the issues that previously kept systems and data static, and therefore relatively secure, by process of physical containment. With virtualisation, each system and its related applications are stored as a nice, convenient self-contained image file. It is a cinch to take a copy of an image and load it up in a virtual machine host. This may be internally within the data centre, but it is equally possible to do so in a test environment, or outside the company altogether.
Although virtualisation allows point-and-click deployments, this freedom should not be allowed to encourage a free-for-all in which new systems are deployed at will. Staff behaviour, policies and procedures should be geared around proper change management to keep on top of the proliferation of virtual servers.
Protecting virtual machine images is therefore an important security priority. Access to them should be restricted to authorised personnel only, and an audit procedure for access and use should be implemented. It is also necessary to take steps to ensure that virtual images are protected should they be lost or copied. Encrypting the virtual machine images is one step, as is restricting the pool of virtual machine hosts that are able to boot the image.
Data protection responsibilities must also be considered. The ease with which virtual machine images can be copied provides an ideal way to set up realistic test environments and staging areas. However, use of personal data in a test environment must be appropriate, as data protection legislation does not allow live personal data to be used within test systems. Live data may only be used for ensuring the ability to recover live systems, such as verifying that a restore procedure works. Companies that set up test or staging systems using copies of real systems and real data must have a system in place for anonymising or randomising data so that it is not possible to use it for personal identification.
As the library of virtual machines expands, various issues of management and process arise. For systems where data is kept together with applications within the virtual image, it is necessary to track the storage of the data, and ensure that issues such as periods of data retention or purging are adhered to for governance and compliance. Knowing exactly what data is stored within each offline image will also be important in cases of legal discovery.
As time passes, the images in the library become progressively more out of date and less secure. Companies need to be able to track and manage virtual machine image libraries in much the same way as the live server estate. They must try to do this in a way that is as automated as possible and does not put a strain on the infrastructure in the process. Having to load every virtual machine image in order to perform security checks will have major impacts on time, licensing and hardware.
The ability to upgrade applications, install patches or manipulate data automatically while keeping the virtual machines offline will be the goal. This will help to ensure that, should images from the library need to be loaded and run, they are secure the moment they are needed.
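The library-management problem described above can be reduced to a scheduled audit over image metadata that never boots an image. The following is an added example, not code from the original article: it assumes a constructed inventory (a list of dicts with the hypothetical fields `last_patched`, `live_personal_data`, `retain_until` and `environment`) and an assumed 30-day patch-age policy, and flags images that are stale, past their data retention date, or copied into a test environment while still holding live personal data.

```python
"""Offline audit of a virtual machine image library (added example).

Assumes a simple constructed inventory describing each stored image; the
field names and the MAX_PATCH_AGE_DAYS policy are this example's own.
No image is mounted or booted: the checks run purely over metadata.
"""
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumed policy: images unpatched longer than this are stale

# Constructed sample inventory (not real images).
INVENTORY = [
    {"name": "crm-prod-2023q1.vmdk", "last_patched": date(2023, 1, 10),
     "live_personal_data": True, "retain_until": date(2024, 1, 10),
     "environment": "library"},
    {"name": "crm-test-copy.vmdk", "last_patched": date(2024, 5, 1),
     "live_personal_data": True, "retain_until": date(2025, 5, 1),
     "environment": "test"},
    {"name": "web-frontend.vmdk", "last_patched": date(2024, 5, 20),
     "live_personal_data": False, "retain_until": None,
     "environment": "library"},
]


def audit_image(image, today):
    """Return a list of policy findings for one image record."""
    findings = []
    # Stale: patch level has not been refreshed within the policy window.
    age_days = (today - image["last_patched"]).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"stale: last patched {age_days} days ago")
    # Retention: personal data inside the image is past its purge date.
    if image["retain_until"] is not None and today > image["retain_until"]:
        findings.append("retention: data past retain_until, purge required")
    # Data protection: live personal data must not sit in a test environment.
    if image["live_personal_data"] and image["environment"] == "test":
        findings.append("data-protection: live personal data in test environment")
    return findings


def audit_library(inventory, today):
    """Map each image name to its findings; empty list means compliant."""
    return {img["name"]: audit_image(img, today) for img in inventory}


if __name__ == "__main__":
    for name, findings in audit_library(INVENTORY, date(2024, 6, 1)).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{name}: {status}")
```

Run against a real library the inventory would be generated from the image store's own metadata (file mtimes, a patch log, a data-classification tag); the point of keeping the checks metadata-only is that the audit scales to thousands of offline images without consuming hypervisor capacity or licences.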
A key challenge for the virtualisation generation will be how to architect security for a fully virtual stack. Over time, applications will increasingly be distributed and installed as virtual machine images with an optimised operating system. These applications will communicate via virtual network interfaces rather than shared memory or intra-OS APIs. It makes less and less sense to install full-blown security applications for every virtual machine. The workload would be quite redundant in many cases, and would eat power, impact on performance and increase cost.
An effective virtual security solution would run in all tiers of the virtualisation stack. At the lowest level, a security application would run in conjunction with the hypervisor and be able to access virtual hardware such as virtual switches and disks. Then there may be virtual machines dedicated to running security applications that provide a pooled security resource for many virtual machines. And finally lightweight optimised agents may run where necessary to secure particular applications within the virtual machines.
One of the big security advantages of client-side virtualisation is the ability to effectively roll back systems that may be compromised by malware. Many vendors have in the past invested in tools to provide for system and data recovery in the event of catastrophe. Although designed in the main to protect users from the effects of accidental actions such as file deletion, they can equally help to restore systems compromised by malware. Such systems were most often proprietary and required specific hardware, training and management, raising the cost of implementation and ownership.
Virtualisation support and standard images reduce many of the barriers to deploying system rollback. Coupled with new management features that allow remote control, they also reduce the cost and increase the effectiveness of remote user support and recovery. Such systems enable a roll-back to a known good, uninfected state. Virtual image restoration may also help recover from issues where security applications get a bit over-zealous and accidentally remove critical system files. But it’s vital to recognise that it’s also possible to revert to a prior state that may itself be infected, so security needs to remain a priority to ensure the integrity of the stored images.
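The caveat in the last sentence, that a rollback can just as easily restore an infected state, means the rollback target has to be chosen on recorded scan results and stored-image integrity rather than on recency. The following is an added example, not code from the original article: snapshots are modelled as constructed in-memory byte strings standing in for disk images, with a constructed manifest recording each snapshot's SHA-256 and its scan verdict, and the selector returns the newest snapshot that both scanned clean and still matches its recorded hash.

```python
"""Choosing a known-good rollback target (added example).

Snapshots and the manifest are constructed stand-ins: in a real deployment
the manifest would be written by the image scanner at the time each
snapshot was taken and stored separately from the images themselves.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed snapshot contents, oldest first (stand-ins for disk images).
SNAPSHOTS = {
    "snap-001": b"base install, fully patched",
    "snap-002": b"base install + office suite",
    "snap-003": b"base install + office suite + unwanted-binary",
}
SNAPSHOT_ORDER = ["snap-001", "snap-002", "snap-003"]

# Manifest written when each snapshot was scanned (constructed).
MANIFEST = {
    "snap-001": {"sha256": sha256_hex(SNAPSHOTS["snap-001"]), "scan": "clean"},
    "snap-002": {"sha256": sha256_hex(SNAPSHOTS["snap-002"]), "scan": "clean"},
    "snap-003": {"sha256": sha256_hex(SNAPSHOTS["snap-003"]), "scan": "infected"},
}


def verify_snapshot(name, snapshots, manifest):
    """Return 'clean', 'infected', 'tampered' or 'unlisted' for one snapshot."""
    entry = manifest.get(name)
    if entry is None:
        return "unlisted"           # no scan record: cannot be trusted
    if sha256_hex(snapshots[name]) != entry["sha256"]:
        return "tampered"           # stored image changed since it was scanned
    return entry["scan"]


def select_rollback_target(snapshots, manifest, order):
    """Newest snapshot (per `order`) that scanned clean and is intact, else None."""
    for name in reversed(order):
        if verify_snapshot(name, snapshots, manifest) == "clean":
            return name
    return None


if __name__ == "__main__":
    for name in SNAPSHOT_ORDER:
        print(f"{name}: {verify_snapshot(name, SNAPSHOTS, MANIFEST)}")
    print("rollback target:", select_rollback_target(SNAPSHOTS, MANIFEST, SNAPSHOT_ORDER))
```

Two design choices carry the security argument: the most recent snapshot is skipped because its scan verdict is infected, and a snapshot whose bytes no longer match the manifest is treated as untrusted even if it once scanned clean, which is what guards the stored image library itself against modification while offline.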