Information Security
Server Virtualization: Powerful Tool, Extra Exposure
Vendors working to reduce security vulnerabilities of the cost-efficient approach
March 24, 2008
Dividing a server into multiple virtual machines has brought down firms' purchasing costs and allowed for more efficient use of existing hardware. However, virtualization also poses security risks and challenges, including managing a more complex network, additional layers of technology, potential data leaks as multiple virtual machines share common communication lines, and the threat of rogue machines.
The most common form of virtualization entails creating a layer--a hypervisor--between the cold, hard metal of the server and the virtual machines that sit on top of it. Each virtual machine has its own operating system and runs its own applications.
But someone who gains access to the hypervisor level could damage all the virtual machines, potentially bringing down multiple applications. "Server virtualization technologies are prone to security issues if the requisite security architecture and best practices are not in place," says Eric Greenfeder, director of product management at San Francisco-based technology consultancy Primitive Logic.
Problems can also spread from one machine to another. "Security vulnerabilities in a single virtualized guest operating system can undermine the security of other virtual machines as well as the virtualization layer," notes Greenfeder.
One difficulty is that the hypervisor layer sits below and outside any guest operating system, and most security applications, such as firewalls and antivirus software, cannot run without an operating system to host them. Security software vendors, virtualization technology providers and even hardware shops have all stepped forward to offer solutions.
Vulnerable OSs
Parag Patel, VP of alliances at Palo Alto, Calif.-based VMware, says his company's new VMsafe allows security vendors to connect directly to the VMware infrastructure. "We're enabling security products to have a lot more power," he asserts.
A hypervisor layer, which is much thinner than the heavy operating systems on top of it, presents a tiny target, points out Patel. "The hypervisor has a much smaller footprint--so that gives you more protection, less holes, less vulnerability," he says. "In fact, virtualization provides a more isolated and protected environment. A lot of vulnerability comes from operating systems."
Intel Corp. is working on ways to build protection into the hardware of the server. "Intel developed Intel Virtualization Technology--hardware assists for virtualization--to increase the robustness and reliability in virtualization software," says Radhakrishna Hiremane, product marketing engineer at Santa Clara, Calif.-based Intel.
Network-based security tools such as firewalls, intrusion detection systems and monitoring applications can protect a server from the outside, says Greenfeder of Primitive Logic.
OnPath Technologies, for one, provides network virtualization services, essentially creating separate networks within a single connection to keep data and messages isolated. The Marlton, N.J.-based company also provides monitoring tools to keep an eye on the network--and to shut down pieces of it quickly when necessary.
"If you were to have an application server or a file server on that storage device that contains sensitive financial data--trading records, customer data--and you were accidentally to plug in a network connection on the public side of the firewall, that sensitive data could be exposed to hackers or anyone else" with access, says OnPath president and CEO Peter Dougherty. "It's very simple to expose corporate data in that manner, due to human error. Our products guard against that."
OnPath currently has over 300 installations, including more than two dozen of the world's largest securities firms, Dougherty says.
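The failure mode Dougherty describes above, a server holding sensitive data accidentally cabled to the public side of the firewall, is something an inventory check can catch before traffic flows. The following is an added example, not OnPath's product or code; it models a single physical uplink carrying several tagged VLANs (each a "segment" with a trust label), flags any non-public server with a port on a public-side segment, flags segments that share a VLAN tag (which would collapse two supposedly separate networks into one), and produces the port-disable actions an operator would push to the switch. The segment names, hostnames, sensitivity labels and sample inventory are all constructed for the example.

```python
"""Segmentation policy check for virtualized networks (added example, hypothetical model)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One virtual network riding a shared physical connection."""
    name: str
    vlan_id: int
    inside_firewall: bool   # True = private side, False = public side


@dataclass(frozen=True)
class Server:
    """A physical or virtual host and the segments its ports are attached to."""
    hostname: str
    sensitivity: str                     # "public", "internal" or "restricted"
    ports: Tuple[Tuple[str, str], ...]   # (port_id, segment_name) pairs


# Constructed sample inventory: three segments, one DMZ on the public side.
SEGMENTS: Dict[str, Segment] = {
    "dmz": Segment("dmz", 10, inside_firewall=False),
    "trading": Segment("trading", 20, inside_firewall=True),
    "backup": Segment("backup", 30, inside_firewall=True),
}

# Constructed sample servers: fs01 holds trading records and has a second
# port cabled to the DMZ by mistake (the human-error case from the text).
SERVERS: List[Server] = [
    Server("web01", "public", (("eth0", "dmz"),)),
    Server("fs01", "restricted", (("eth0", "trading"), ("eth1", "dmz"))),
    Server("app01", "internal", (("eth0", "trading"), ("eth1", "backup"))),
]


def check_segment_isolation(segments: Dict[str, Segment]) -> List[Tuple[str, str, int]]:
    """Two segments sharing a VLAN tag are one broadcast domain, not two networks.

    Returns (first_segment, second_segment, vlan_id) for every clash found.
    """
    seen: Dict[int, str] = {}
    clashes: List[Tuple[str, str, int]] = []
    for seg in segments.values():
        if seg.vlan_id in seen:
            clashes.append((seen[seg.vlan_id], seg.name, seg.vlan_id))
        else:
            seen[seg.vlan_id] = seg.name
    return clashes


def find_misplugged_ports(servers: List[Server],
                          segments: Dict[str, Segment]) -> List[Tuple[str, str, str, str]]:
    """Flag every port of a non-public server that lands outside the firewall.

    Returns (hostname, port_id, segment_name, reason) tuples.
    """
    violations: List[Tuple[str, str, str, str]] = []
    for srv in servers:
        if srv.sensitivity == "public":
            continue                       # public hosts may sit in the DMZ
        for port_id, seg_name in srv.ports:
            seg = segments.get(seg_name)
            if seg is None:
                violations.append((srv.hostname, port_id, seg_name, "unknown segment"))
            elif not seg.inside_firewall:
                violations.append((srv.hostname, port_id, seg_name,
                                   f"{srv.sensitivity} host on public-side segment"))
    return violations


def isolation_actions(violations: List[Tuple[str, str, str, str]]) -> List[str]:
    """Remediation plan: disable each offending port (the 'shut it down quickly' step).

    The action strings are a hypothetical format, not any vendor's CLI.
    """
    return [f"disable {host}:{port}" for host, port, _, _ in violations]


if __name__ == "__main__":
    for clash in check_segment_isolation(SEGMENTS):
        print("VLAN clash:", clash)
    found = find_misplugged_ports(SERVERS, SEGMENTS)
    for v in found:
        print("violation:", v)
    for action in isolation_actions(found):
        print("action:", action)
```

Run stand-alone it reports the single misplugged port on fs01 and the action to disable it. In practice the inventory would be pulled from the virtualization manager and switch configuration rather than typed in, and the check would run on every configuration change, since the point is to catch the cabling or port-group error before sensitive data is reachable from the public side.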