Securing virtual environments

Not surprisingly, organisations of all sizes are now rushing to embrace the virtual world, and market analyst Gartner expects last year’s global virtual machine population of 540,000 to exceed 4 million by the end of 2009, when virtual machines will account for 20% of the world’s server base.

Nevertheless, virtualisation’s conquest of the corporate IT infrastructure is incomplete. Despite its astonishing market growth and the near-universally positive experiences of its early adopters, virtual machines are still not widely adopted as trusted platforms for SAP, Oracle, Exchange and many other mission-critical enterprise applications that are the backbone of modern businesses.

Before this can happen, organisations must be convinced that virtual systems can be at least as secure as the conventional physical systems they replace – something that the main source of virtualisation technology, the renowned VMware, set out to address at its inaugural European user conference in February with the unveiling of a new security platform, VMsafe.

Until now, security has not been a high-profile issue in the virtualisation software market. But with more than 100,000 customers, including 92% of the Fortune 1,000, already using its virtual machine server products, VMware knew that this lack of attention was unlikely to last for very much longer.

So far, says Martin Niemer, VMware’s senior European product marketing manager, sales of virtual machine servers have been driven largely by issues connected with cost saving. However, as more customers approach the second phase of their virtualisation deployment, they are inevitably coming to the conclusion that many of the advantages that virtual machines offer to second-tier applications – like live server migration, dynamic capacity management and better physical resource utilisation – are equally, if not even more, advantageous when used to support major enterprise systems.

Now, customers are beginning to consider placing “their most important eggs in our [virtual machine] basket”, says Niemer, but as they do so, cost reduction is no longer their overriding issue. Instead, “if you are an SAP administrator, you are more likely to be devoting your time and money to ensuring that the company is up and running 24 hours a day”, adds Niemer. That includes ensuring that the underlying systems software supporting the business’s key systems is as secure and protected as possible from malicious attacks and interference.

Cause for concern?

The subtle but accelerating shift in virtualisation users’ priorities from cost-saving opportunities to issues of systems security has raised few alarms so far.

A handful of academic papers have examined how – in theory – virtual machine security might be compromised, but no real-world examples of such breaches have come to light, and most experts agree that there is no reason why a virtual machine should be intrinsically less secure than a conventional platform.

Still, as virtual machines have become more widespread, their security credentials have inevitably come under closer scrutiny and, just as inevitably, some experts have uncovered grounds for concern.

Attack surface

Last year, for instance, Neil MacDonald, a Gartner vice president and fellow, became one of the first serious independent observers to raise awareness of virtualisation security issues when he warned of the potential risks connected with a “rush to virtualisation”. Like any new technology, MacDonald argued, virtualisation introduces new and potentially unproven elements into the enterprise IT infrastructure – expanding the “attack surface” available to malware authors and other hackers.

In the case of virtualisation, one of these new elements – the hypervisor layer that usurps so much of the operating system’s traditional systems resource management responsibilities – also happens to be in charge of highly ‘privileged’ components. The hypervisor might be very difficult to ‘crack’, but if its components were to be compromised, the consequences could be disastrous.

However, dire as the threat posed by a compromised hypervisor may be, it is not the aspect of virtual systems security that has given security experts such as MacDonald the greatest concern. That distinction belongs to the peculiarly ‘containerised’ nature of virtual machines – a characteristic that severely reduces the ability of conventional systems security tools to monitor and regulate the internal processes of host operating systems and the internal virtual LAN traffic.

Once again, according to security experts such as Paul Simmonds, a management board member of independent security think tank the Jericho Forum, the inability of conventional security tools to monitor the internal processes of virtual machines is not itself evidence that virtual machines are insecure.

Instead, says Simmonds, “the problem now is that you can’t prove whether something is secure or not. In the old days, when you installed a firewall that had one wire going in and one wire going out, you could put a tap on that wire and know with confidence that what was going in at one end was the same as what was supposed to come out at the other end.”

In a virtualised environment, there is no effective means of monitoring the traffic that passes between the dozens or even scores of virtual machines that might share a single set of resources.

In these circumstances, says Simmonds, “my hypervisor might not be corrupted, and none of my virtual Windows machines may have been compromised – but how do I know?”

Providing customers with tools that can answer such questions, and so giving them certainty that they can trust their most important applications to virtual environments, is a key goal of VMsafe, but it is far from being the scheme’s only aim.

According to Nand Mulchandani, VMware’s senior director of product management and marketing, VMsafe will not simply accelerate the delivery of new tools geared to the needs of securing virtual systems: “It will permit the development of tools that exploit the power of virtualisation to make it even more difficult for malware authors to compromise Windows and other operating systems.”

Ironically, what Mulchandani calls the “power of virtualisation” is actually the same quality of hypervisor-based isolation and containerisation that has caused such concern to experts such as MacDonald and Simmonds. It is the source of the ‘blindness’ that has made conventional security tools ineffective in the virtual world but, in the future, it will also be the means of empowering security tools in ways that have never been possible before.

The key to this conversion of the hypervisor from a security risk to a powerful security-enabling platform is the two application programming interfaces (APIs) contained in VMsafe’s technical specification. Between them, these two APIs offer third-party toolmakers the level of access to the hypervisor that they have enjoyed for the operating system.

“With VMsafe, everything that the hypervisor sees, such as memory pages and CPU state, will now be open to the scrutiny of the security tools. Previously, we did not allow [security tool vendors] to do this. Now we are allowing them to insert their products directly into the hypervisor,” says Mulchandani.

The opportunities that this open access to hypervisor services offers to security vendors should not be underestimated. As well as being able to monitor the internal processes of the virtual world for the first time, third-party security tools can begin to take advantage of the other benefits that go with working against a hypervisor – such as dynamic, scaleable access to underlying physical resource capacity. Such tools are no longer limited to protecting a narrow set of locally deployed services. Instead, they have the oversight and the capacity to protect entire populations of virtual machines, while being safely protected from intrusion within their own virtual machine environment.

“It will be like having a bank guard in a helicopter,” says Mulchandani. “Before you had the helicopter, you had to protect the bank by putting a guard on every door. That might not always have been possible, and you ran the risk of the guard being compromised by someone holding up the bank. Now you can see everything that goes in and out of the bank from one safe place and, if you do see something wrong, you can swoop down and stop it.”

Rebalance of power

In fact, it will still be some months before a new generation of VMsafe-enabled security tools begins to ‘swoop’ on potential threats to the virtual world.

Although VMsafe’s announcement was accompanied by a chorus of endorsements from more than 20 leading and emerging security vendors, even companies such as McAfee, one of VMware’s closest security partners, are only now beginning to work with the final VMsafe specification. The interfaces themselves will not be available on the market until VMware delivers the next major release of its hypervisor, ESX, towards the end of this year.

However, if VMware and its allies are to be believed, the products enabled by VMsafe should be worth waiting for, and there should also be plenty of them. Indeed, according to industry executives such as McAfee’s chief science officer, George Heron, and Check Point’s European MD, Nick Lowe, VMsafe represents an important step towards redressing the balance of power in the IT industry’s perennial arms race with hackers and cybercriminals. In recent years, as malware toolkits and Trojans have become more sophisticated, there has been a growing perception that the balance of power has been tilting inexorably in favour of the increasingly organised criminal gangs that have supplanted ‘talented’ teenage malcontents as the chief adversaries of IT security professionals.

More sensitive

Now, however, says Heron, the IT security industry has access to a new class of weaponry. “VMsafe offers security developers a technology framework that provides visibility into what’s happening in the virtual machines on a computer. With this kind of event monitoring framework at our fingertips, we can develop new ways to protect the sensitive information and corporate resources of enterprises – ways that we cannot use to protect physical systems today,” said Heron.

Check Point’s Lowe is also enthusiastic about the opportunities that VMsafe will provide for companies like his to launch a new counter-offensive against cybercrime: “What they [VMware] are doing is offering an alternative architecture at just the right time. They are doing absolutely the right thing – allowing the industry to build tools for protecting virtual environments before [cybercrime] becomes a serious problem.”

Security purists and VMware’s competitors will undoubtedly argue that providing access to the hypervisor, albeit in a highly controlled manner, increases the risk of the hypervisor’s own integrity being compromised, and with it the security of every virtual machine that runs on top of it.

It is certainly a strategy that contrasts starkly with Microsoft’s decision last year to lock down access to the kernel of the 64-bit version of Windows Vista. In doing so, Microsoft is effectively locking out security vendors like Symantec and McAfee, which have relied on that access to meet new threats to Windows by publishing security patches to the kernel.

The bitter consequences of that decision are still reverberating throughout the industry, and it has significantly diluted Microsoft’s friendships in the security business. Meanwhile, the companies that Microsoft has alienated are the same ones that are working with VMware to make the virtual world a safer zone.
