
No security attacks against VMs have so far been reported, but security experts believe it is only a matter of time before hackers start to look at ways to exploit vulnerabilities within virtual infrastructures.
David Lynch is vice president of marketing at virtual machine lifecycle management specialist, Embotics. He acknowledges that he has not seen any programs deliberately attacking hypervisors – the software that grants multiple VMs access to the hardware resources of a single physical system – yet, but says it is only a matter of time.
“There will probably be some form of attack on the hypervisor within the next 12 months – it is too rich an opportunity [for hackers] to pass up," he says. " If you go to events like the Black Hat technical security conference, virtualisation is the number one topic. Everyone is working on it, so watch this space."
Warwickshire County Council recently began a programme to extend its virtual environment to 175 primary and secondary schools throughout the count. It opted to use the HyperV features integrated in Microsoft's Windows Server 2008 operating system to support server, desktop PC and application virtualisation.
“We haven't noticed any security threat happening on the HyperV side, and I am not aware of any compromise of anything made on any virtual system to date, but it is a theoretical possibility,” says Chris Page, Warwickshire County Council's technical development manager.
Virtual servers are more usually credited with improving security in the IT infrastructure, because they isolate individual operating systems and applications into separate, virtualised containers that do not interact with each other and therefore minimise the opportunity for malware to spread.
"We virtualised a server recently where we had to balance the supportability of three very complex installs sitting on one server against separating them out. Virtualisation technology works by isolating things from one another, web hosting from database applications for example, and the VMs hosting them can either be firewalled or not firewalled depending on their mission criticality," says Page.
But Embotics' Lynch insists that this separation can pose a different type of problem, because management and security tools tend to identify servers according to their physicality, whereas virtual servers all look exactly the same.
"The fact that VMs are portable is another issue, because they can be easily taken out of the security zone, beyond the remit of intruder detection systems (IDS) or firewalls. VMs can be placed on USB sticks and literally walked into the data centre before being plugged in, for example".
And while virtualisation is complex, there is little automation. This means that a lot of manual management and control activity is required, and staff need to have a certain level of proficiency to make appropriate decisions.
“There is increased potential for human error combined with less potential for auditing and tracking individual systems,” warns Lynch.
Even where attacks do bring VMs crashing to a halt, Page believes it is very easy to both isolate those threats and get systems back up again to minimise system downtime.
“With a virtual machine it is possible to have a replica of any one system back at base and backed up systems on servers that can be brought back up very quickly in the event of problems,” he says.
The nature and size of any security threat to virtualised systems will vary according to the level of segmentation within any one environment. But Lynch says it is important for IT security staff to at least acknowledge that virtual systems need to be treated in a different way, and that security measures applied to physical systems will not necessarily suffice.
“They need to start thinking about what they have to do to control VMs, consider how isolation aspects break down, and what policies they need to put in place to protect against potential threats," he reports.
"The last thing anybody wants to do is re-architect their security profile to accommodate virtualisation, and the security guys are only just waking up to realise that there are substantial differences between physical and virtual servers".
Lynch admits that issue has not flashed up on most IT leaders' radar yet, but says government and financial companies – who tend to be more security conscious – are those listening hardest. Nevertheless, IT leaders should be preparing their defences today, he warns.