So for the time being let's set aside some of those pesky security considerations - hypervisor attacks, VM sprawl, etc. - and focus on VMotion. VMotion is used to move VMs from one ESX Server to another ESX Server while still maintaining uptime (basically the end user has absolutely no idea their backend VM is relocating to another ESX server). The primary reason for this is ESX maintenance. As of right now, all VMotion traffic MUST BE UNENCRYPTED. Of course, from a technical standpoint, securing VMotion consists of creating its own VLAN and locking it down. Pretty secure when done correctly. But the big question still exists: will auditors and compliance officers less knowledgeable about VLAN security or virtualization throw up 'red flags' once they discover VMotion is cleartext?
The answer is not simple. In my experience, auditors and compliance officers don't know enough about virtualization to really put it under a microscope. Simply put, they don't even know VMotion exists. Unfortunately, by and large, a majority of evaluators haven't been trained to sufficiently deal with virtualization in the field. (Now of course, some auditors/compliance officers are better than others, and truth be told I'd rather deal with someone who knows what they are doing than someone I end up having to 'train'.)
As the director of security and privacy for my company, I simply can't risk it and require my vmAdmins to find a different solution to transplant servers with sensitive information (in my case, PHI and PII). Unfortunately the current solution to migrate VMs off the ESX servers negates the high availability constant uptime component...as the VM will need to be taken offline and manually added to inventory on one of the other ESX servers. SLA anyone? Painful I know!
But because of the new HIPAA push (ARRA/HITECH) many of my processes are being scrutinized and I can't take the chance. As most security-minded people know, you can't rely on sweeping the possible infraction under the carpet and "not getting caught." It's just a matter of time before the issue surfaces, and if you are deemed negligent, your credibility will be damaged and chances are high you will undergo an enormous amount of additional scrutiny. So I'm choosing not to use VMotion at this time.
A VMware contact of mine said that securing VMotion using SSL encryption is fast approaching. That feature can't come fast enough for me.
Ryan Trost, author of Practical Intrusion Analysis, is the Director of Security and Data Privacy Officer at the industry’s largest independent provider of onsite health centers, where he oversees all the organization's security and privacy decisions. He teaches several InfoSec courses, including Ethical Hacking, Intrusion Detection and Data Visualization at NVCC. Ryan constantly works to cross-pollinate and enhance network security, GIS and data visualization. He is considered a leading expert in geospatial intrusion detection techniques and has spoken at several conferences, most notably DEFCON and SANS. Ryan was a senior security consultant for several government agencies before transitioning over to the private sector. In 2005, Ryan received his MS degree in Computer Science from George Washington University, where he developed his first geospatial intrusion detection tool.
Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century by Ryan Trost has been selected as the August, 2009, Cisco Subnet book giveaway (a $54.99 value). Visit the Cisco Subnet home page for giveaway details and entry forms.