People, process limitations hamper x86 virtualization, IBM security expert says

Virtualization opens new attack surfaces, regulatory risks

X86 virtualization is not ready for highly regulated, mission-critical applications, IBM security expert Joshua Corman argued at Interop Las Vegas this week.

X86 virtualization is often a risky proposition for highly regulated, mission-critical applications, because people and processes are not ready for virtualization and the security risks it introduces, IBM security expert Joshua Corman argued at Interop Las Vegas this week.

In addition to security threats to the hypervisor and the virtual machines it controls, virtualization makes it difficult to meet strict regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS), Corman told attendees in a session on virtualization.

Slideshow: Cool new products unveiled at Interop

For enterprises that are just getting started with virtualization, it's best to start out with minor systems, and work your way up to mission-critical applications, he said.

"If you have a choice, I highly recommend you don't adopt virtualization for any regulated project," said Corman, who is principal security strategist for IBM's Internet Security Systems division. If you're going to make mistakes, it's better to do so on less critical systems.

Virtualization brings new attack surfaces, operational and availability risks, and increased complexity with features like live migration, he said.

That's probably not the message virtualization vendors like VMware want to hear. VMware is tackling security with VMsafe, a set of APIs that will give partners more direct control over the hypervisor, letting them build more effective security products.

Corman credited VMware with limiting the hypervisor's attack surface by stripping out millions of lines of code, leaving the hypervisor as a 32MB software package with 200,000 lines of code. "One of the design principles of the hypervisor is to be incredibly lean and mean, to do the bare minimum possible," Corman said.

But this also means that the hypervisor's job description does not include performing encryption, he said. This leaves open the possibility of man-in-the-middle attacks such as Xensploit, which intercepts unencrypted data when virtual machines are migrated between physical servers.

Live migration features that move virtual machines from one physical server to another open up new attack possibilities, Corman said. Is your virtual machine moving to a less secure server? That's one of the questions data center managers must ask.

PCI DSS adds confusion to the process. The regulation says each server should only have one primary function, Corman said. That could be taken to mean that servers shouldn't be virtualized at all, or that applications shouldn't be mixed with databases. In general, Corman argued that regulation distracts IT from actual risk.

"We've become so burdened with compliance and regulatory controls that we've given up risk management," he said. "Way too often, people have a perfectly PCI-compliant data center, they virtualize it and then they fail."

By default, virtualization reduces your security posture, Corman said, but he offered several pieces of advice. Never use a Type 2, or hosted, hypervisor for production applications, he said. Type 2 hypervisors are typically free products that are meant for test and development, he said. Only Type 1, bare-metal hypervisors that run directly on the hardware should be used in production, he said.

Security tools should be installed in every guest virtual machine. IT pros also have to be vigilant about applying patches. Say you have a virtual machine that is only needed two months out of the year and is taken offline the other 10 months. If it's turned on again without being updated, that introduces more risk.

"That pesky little Conficker worm that every other server is immune to, they're not," Corman said.

Production applications shouldn't be placed on the same physical server as test and development ones, Corman said. Applications have different requirements based on their level of importance, and "we have to be worried about isolation and segregation," Corman said.

Corman warned about focusing too much on well-known exploits such as Blue Pill, which he said is not as serious as many of the threats that haven't garnered media attention. He also said to be wary of the many new start-ups tackling virtualization security. Most focus only on a narrow part of the attack surface and should be viewed with scrutiny, Corman said.

"If you think just buying one of these things and slapping it in your virtual environment will work, you will be sorely disappointed," he said.

Join the discussion
Be the first to comment on this article. Our Commenting Policies