The Risk of Virtualization

Richard Long

As virtualization becomes the norm, the risk of virtualization should be in the forefront of any business continuity manager’s mind.  We’ve compiled a list of areas of concerns and controls to reference throughout your virtualization transitions.

As organizations adopt and expand the use of cloud computing (e.g., software as a service – SaaS, infrastructure as a service – IaaS), most do not consider the acceptance of virtual infrastructure to be a major risk. Virtualization is the norm, and physical-based servers and storage are the exceptions. Nevertheless, you must consider the risks associated with your virtual environment as part of your overall risk assessment.

Virtualization defined

For this blog, virtualization means utilizing your physical hardware to run multiple virtual standalone devices such as servers, storage, network, and appliances. This allows for more efficient use of physical hardware.

Security remains a risk  

Many believe virtual environments are more secure, but this is not the case. The utilization of traditional security methods and strategies may not be sufficient. With the expansion of virtualization, you should consider an adjusted approach to security. Cloud Security Alliance, a not-for-profit organization that promotes cloud computing best practices, recently released its top cloud computing concerns. They are:

  1. Data Breaches
  2. Weak Identity, Credential, and Access Management
  3. Insecure APIs
  4. System and Application Vulnerabilities
  5. Account Hijacking
  6. Malicious Insiders
  7. Advanced Persistent Threats (APTs)
  8. Data Loss
  9. Insufficient Due Diligence
  10. Abuse and Nefarious Use of Cloud Services
  11. Denial of Service
  12. Shared Technology Issues

Virtualization Risks and Controls

According to the Cloud Security Alliance, you should consider the following risks and controls to better secure your environment. We agree with these recommendations and encourage all organizations with any virtual presence to include them in their regular technology audit.

  • Virtual Machines (VM) sprawl
    • Given the ease of creating VMs, obsolete and unpatched servers can proliferate in an environment.
  • Sensitive data within a VM
    • Given the ease of moving VMs, sensitive data could be compromised.
  • Security of offline & dormant VMs
    • The longer a VM is offline, the further it will deviate from the secure baseline. If it is started, it may represent a significant risk for a breech entry point.
  • Security of pre-configured (golden image) VM/active VMs
    • Because VMs are just files on the platform, unauthorized access is possible unless appropriate security is in place.
  • Lack of visibility and control over virtual networks
    • Traffic moving on virtual networks may not be visible to traditional security protection devices.
  • Resource exhaustion
    • Many virtual environments are over-allocated, particularly if the devices running all utilize their max configured compute or memory configurations. These configurations can lead to significant performance degradation. This often happens when the hypervisor is compromised and the server configuration is changed.
  • Hypervisor security
    • The hypervisor is the software that manages the virtual devices in the environment. Even a device or server that is hardened can be changed at the hypervisor level. The hypervisor can be considered a single point of failure.
    • Unauthorized access to the hypervisor can occur due to changes in operational procedure or access versus physical machines or even virtual servers. Functionality used by the administration team may introduce potential security holes.
  • Account or service hijacking through the self-service portal
    • You often access to the virtual environment and/or hypervisor through a portal, which is another layer which could be compromised.
  • Workloads of different trust levels located on the same server
    • Different workloads should run on different virtual environments (think about the physical hardware running the virtual devices). For example, you may want to segregate dev/test from production VMs or applications with sensitive data from those without.
  • Risk due to cloud service provider APIs
    • Many organizations use a cloud provider for both SaaS and IaaS, along with their own managed virtual environment. APIs used to communicate between the environments can be a significant risk.

Virtualization is often the best solution for a computing environment. SaaS tools can be effective from both a procedural and cost perspective. These solutions are more complex, given the layers of technology that provide the value and automation. Our final piece of advice is to remember that the risks associated with virtualization are not necessarily the same as physical or traditional architectures.

disaster situationsmitigating insider threats