The Risk of Virtualization
As virtualization becomes the norm, the risk of virtualization should be in the forefront of any business continuity manager’s mind. We’ve compiled a list of areas of concerns and controls to reference throughout your virtualization transitions.
As organizations adopt and expand the use of cloud computing (e.g., software as a service – SaaS, infrastructure as a service – IaaS), most do not consider the acceptance of virtual infrastructure to be a major risk. Virtualization is the norm, and physical-based servers and storage are the exceptions. Nevertheless, you must consider the risks associated with your virtual environment as part of your overall risk assessment.
Virtualization defined
For this blog, virtualization means utilizing your physical hardware to run multiple virtual standalone devices such as servers, storage, network, and appliances. This allows for more efficient use of physical hardware.
Security remains a risk
Many believe virtual environments are more secure, but this is not the case. The utilization of traditional security methods and strategies may not be sufficient. With the expansion of virtualization, you should consider an adjusted approach to security. Cloud Security Alliance, a not-for-profit organization that promotes cloud computing best practices, recently released its top cloud computing concerns. They are:
- Data Breaches
- Weak Identity, Credential, and Access Management
- Insecure APIs
- System and Application Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Issues
Virtualization Risks and Controls
According to the Cloud Security Alliance, you should consider the following risks and controls to better secure your environment. We agree with these recommendations and encourage all organizations with any virtual presence to include them in their regular technology audit.
- Virtual Machines (VM) sprawl
- Given the ease of creating VMs, obsolete and unpatched servers can proliferate in an environment.
- Sensitive data within a VM
- Given the ease of moving VMs, sensitive data could be compromised.
- Security of offline & dormant VMs
- The longer a VM is offline, the further it will deviate from the secure baseline. If it is started, it may represent a significant risk for a breech entry point.
- Security of pre-configured (golden image) VM/active VMs
- Because VMs are just files on the platform, unauthorized access is possible unless appropriate security is in place.
- Lack of visibility and control over virtual networks
- Traffic moving on virtual networks may not be visible to traditional security protection devices.
- Resource exhaustion
- Many virtual environments are over-allocated, particularly if the devices running all utilize their max configured compute or memory configurations. These configurations can lead to significant performance degradation. This often happens when the hypervisor is compromised and the server configuration is changed.
- Hypervisor security
- The hypervisor is the software that manages the virtual devices in the environment. Even a device or server that is hardened can be changed at the hypervisor level. The hypervisor can be considered a single point of failure.
- Unauthorized access to the hypervisor can occur due to changes in operational procedure or access versus physical machines or even virtual servers. Functionality used by the administration team may introduce potential security holes.
- Account or service hijacking through the self-service portal
- You often access to the virtual environment and/or hypervisor through a portal, which is another layer which could be compromised.
- Workloads of different trust levels located on the same server
- Different workloads should run on different virtual environments (think about the physical hardware running the virtual devices). For example, you may want to segregate dev/test from production VMs or applications with sensitive data from those without.
- Risk due to cloud service provider APIs
- Many organizations use a cloud provider for both SaaS and IaaS, along with their own managed virtual environment. APIs used to communicate between the environments can be a significant risk.
Virtualization is often the best solution for a computing environment. SaaS tools can be effective from both a procedural and cost perspective. These solutions are more complex, given the layers of technology that provide the value and automation. Our final piece of advice is to remember that the risks associated with virtualization are not necessarily the same as physical or traditional architectures.
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.
