People, process limitations hamper x86 virtualization, IBM security expert says
Virtualization opens new attack surfaces, regulatory risks
By Jon Brodkin, Network World, 05/21/2009
X86 virtualization is often a risky proposition for highly regulated, mission-critical applications, because people and processes
are not ready for virtualization and the security risks it introduces, IBM security expert Joshua Corman argued at Interop Las Vegas this week.
In addition to security threats to the hypervisor and the virtual machines it controls, virtualization makes it difficult
to meet strict regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS), Corman told attendees
in a session on virtualization.
For enterprises that are just getting started with virtualization, it's best to start out with minor systems, and work your
way up to mission-critical applications, he said.
"If you have a choice, I highly recommend you don't adopt virtualization for any regulated project," said Corman, who is principal
security strategist for IBM's Internet Security Systems division. If you're going to make mistakes, it's better to do so on
less critical systems.
Virtualization brings new attack surfaces, operational and availability risks, and increased complexity with features like
live migration, he said.
That's probably not the message virtualization vendors like VMware want to hear. VMware is tackling security with VMsafe, a set of APIs that will give partners more direct control over the hypervisor, letting them build more effective security
products.
Corman credited VMware with limiting the hypervisor's attack surface by stripping out millions of lines of code, leaving the
hypervisor as a 32MB software package with 200,000 lines of code. "One of the design principles of the hypervisor is to be
incredibly lean and mean, to do the bare minimum possible," Corman said.
But this also means that the hypervisor's job description does not include performing encryption, he said. This leaves open
the possibility of man-in-the-middle attacks such as Xensploit, which intercepts unencrypted data when virtual machines are migrated between physical servers.
Live migration features that move virtual machines from one physical server to another open up new attack possibilities, Corman
said. Is your virtual machine moving to a less secure server? That's one of the questions data center managers must ask.
PCI DSS adds confusion to the process. The regulation says each server should only have one primary function, Corman said.
That could be taken to mean that servers shouldn't be virtualized at all, or that applications shouldn't be mixed with databases.
In general, Corman argued that regulation distracts IT from actual risk.
"We've become so burdened with compliance and regulatory controls that we've given up risk management," he said. "Way too
often, people have a perfectly PCI-compliant data center, they virtualize it and then they fail."
By default, virtualization reduces your security posture, Corman said, but he offered several pieces of advice. Never use
a Type 2, or hosted, hypervisor for production applications, he said; Type 2 hypervisors are typically free products that
are meant for test and development. Only Type 1, bare-metal hypervisors that run directly on the hardware should
be used in production, he said.
Comments (3)
exactly right.
By Anonymous on May 27, 2009, 2:41 pm
amen.. i can't STAND vmware
Exactly WRONG
By Anonymous on May 29, 2009, 10:09 am
VMWare did NOT strip out millions of lines of code. The ESX Kernel IS NOT BASED UPON LINUX. The exploit mentioned is a proof of concept only. VMWare has NO KNOWN...
Please allow me to clarify
By Joshua Corman on June 2, 2009, 11:34 am
Let me add clarity. There is no controversy here... All seasoned Security Professionals know that Risk is a mix of People, Process, and Technology. All new Disruptive...