Virtualisation technology, which allows multiple operating systems to run different applications on a single computer, has caught the attention of IT managers for its promise to let them better manage and utilise corporate IT resources.
However, some IT managers and security researchers warn that the emerging technology also makes corporate systems far more vulnerable to hackers.
Chad Lorenc, information security officer at a financial services company that he asked not be named, says that IT security and compliance projects are far more complex undertakings on virtual machines than on servers that run a single operating system and application.
“It is a very complex issue. I’m not sure you are going to find a single solution” for addressing security concerns in a virtual environment, Lorenc says.
“There is no silver bullet,” he adds. “You have to tackle [security] from a people, process and technology standpoint.”
Virtualisation technologies allow companies to carve out multiple virtual machines within a single physical resource such as a computer server or storage array.
The technology allows companies to consolidate applications running on multiple systems into a single server, which promises to ease management requirements and allow IT hardware resources to be better utilised.
Analysts note that although the technology has been around for several years, IT organisations have become more interested in recent months as virtualisation products have emerged from the research labs of companies such as Intel, Advanced Micro Devices, VMware, Microsoft and IBM.
Same threats and more
But before IT managers turn to virtualisation tools, they must understand that collapsing multiple servers into a single box does not change their security requirements, says George Gerchow, technology strategist at security vendor Configuresoft’s Centre for Policy & Compliance in Colorado Springs.
In fact, he notes, each virtualised server separately faces the same threats as a traditional single server. “If a host is vulnerable, all associated guest virtual machines and the business applications on those virtual machines are also at risk,” Gerchow says.
Therefore, a server running virtual machines faces more danger from a single exploit than a stand-alone physical server, he says.
Gerchow notes that virtualisation software allows developers, quality assurance groups and other corporate users to set up virtual machines with relatively little effort — and without IT oversight. Such virtual machines can pop up, move across systems or disappear entirely on an almost constant basis if IT managers don’t take measures to maintain control of each of them.
“IT departments are often unprepared for the complexity associated with understanding what virtual machines exist [on servers] and which are active or inactive,” Gerchow says. Without the ability to keep track of virtual machines, companies are often unable to patch flaws or update systems when necessary, he adds.
“When you have a virtual environment, [users] tend to start piling on the virtual servers,” Lorenc says. The combined value of the assets can get “very high very quickly,” he notes.
Even if IT staffers do keep track of all the virtual machines running on a server, they can still face problems installing patches or taking systems offline to perform routine security upgrades, Gerchow says.
The risks associated with patching holes and upgrading applications increase each time a new virtual machine is added to a server, he adds.
Lorenc suggests that companies install tools that can quickly detect and discover virtual machines as they are installed on a corporate server. He also advises that companies create strong policies to control the spread of virtual machines.
And, he says, it’s important that IT managers have a good understanding of the business import of every application running within a company’s virtual environment and that they map out any interdependencies that may exist among them.
He adds that companies should set up separate patching processes for virtual machines and create strict change-management policies and controls to restrict access to the virtual environment.
“We are in the process of trying to mature some practices in this area ourselves through process, change controls and through technology,” Lorenc says.
Lloyd Hession, chief security officer at BT Radianz in New York, says that virtualisation also opens up a slew of potential network access control issues. He notes that the technology allows multiple application servers with different access requirements to run on a host with a single IP address.
Therefore, he says, IT managers should take proper access-control measures to ensure that a network admission control policy for one virtual server on a host doesn’t get applied to all the virtual servers on a corporate network.
Today, most networks “are not virtualisation-aware,” he says. “Many network admission control technologies that are making ‘go’ and ‘no go’ decisions don’t know if a [server] is a virtual machine or not.”
Security experts also note that expanded use of virtualisation tools from major vendors is giving hackers and “white hat” security researchers a stack of relatively unexplored code in which to look for security flaws and attack methods.
Just this month, Microsoft issued a patch to fix a vulnerability in its virtualisation software that it said could let users access operating systems and applications without authorisation. Microsoft rated the flaw “important” rather than “critical.”
Security experts say more such vulnerabilities are likely to appear in packaged software as the use of virtualisation technologies continues to spread.
Kris Lamb, director of the X-Force team in IBM’s internet security systems unit, cites virtual machine monitoring tools, which manage virtualisation functions in a system, as a strong potential platform for launching hacker attacks on virtual machines.
Virtual machine monitors use consoles to manage the resources of the hardware hosting the virtual machines and to act as an interface between the hardware and the various virtual machines hosted on it.
The monitoring software usually sits just one level above the hardware and can be used to launch virtually undetectable attacks against the operating system and application layers above it, according to security experts.
In fact, security researchers say they have already demonstrated proof-of-concept code that shows just how attacks on virtual machines can be carried out from the monitoring software.
For example, researchers at Microsoft and the University of Michigan earlier this year devised SubVirt, which uses a rootkit to install a virtual machine monitor under an operating system. The effort allowed the researchers to gain complete control of multiple virtual machines.
A similar attack method, called Blue Pill, was developed by Joanna Rutkowska, a malware researcher at Singapore-based IT security firm Coseinc, who demonstrated it at the Black Hat security conference in Las Vegas earlier this month.
Rutkowska’s rootkit is based on AMD’s secure virtual machine, code-named Pacifica. It allows a virtualised system to be hijacked much like with the SubVirt attack method, while remaining completely undetectable to IT personnel.
“You have this big command-and-control [monitoring] software that has become a central piece of the infrastructure. [It] holds the keys to the kingdom” at many companies, Lamb says.
For hackers, such software provides an increasingly high-impact target to go after, he says.