Companies are rushing to embrace systems virtualisation, without any regard for the risks or for securing the environment, says Samresh Ramjith, Dimension Data GM, security solutions.
Ramjith says that, as a result, research firm Gartner has commented that the short-term gain from virtualisation might be outstripped by the long-term risk being introduced into the environment.
Speaking at ITWeb Security Summit 2008, in Midrand, this morning, Ramjith said Tavis Ormandy, a senior research fellow at Google, had warned in a paper that willy-nilly implementation, without planning, would result in "dramatic" exposure to threats.
While there was a huge uptake of virtualisation technology taking place, Ramjith said he was led to ask: "Is there anybody in our market who is thinking about this? And a little bit of research said no." On the contrary, many people were doing exactly what Ormandy had warned against, he noted.
He said risks included total compromise, "where an attacker takes over the entire VM (virtual machine) environment, the entire server. The whole point of virtualisation is to put the optimum instances onto a single piece of hardware. So basically, you're creating a mini data centre on a single server. And if anybody owns that, you've got a good chance of actually exposing a lot more than you intended."
Another risk was that of partial compromise, where an attacker used the virtual machine as an entry point to gather information about the rest of the environment.
No silver bullet
Ramjith said, while there was no easy way or single product to secure the VM environment, there were common-sense steps that could be followed to help secure the environment when adopting virtualisation.
These included developing a strategy, which would include assessing the business benefits, readiness and impact assessments, considering the VM business continuity planning requirement, and considering often overlooked issues such as support skills, licensing and patch management.
He urged delegates to implement administrative access control and also implement systems controls and best practices for successful deployment. Among other things, vendor evaluation should include "baked in" security criteria.
Also among the steps Ramjith listed was ensuring profiles were portable. "Failure to implement this can lead to massive vulnerability."
There were VM security technologies emerging, which included VM-aware network IPS appliances, tailored anti-malware packages, and plug-and-play VM security appliances.
Most of these technologies were destined to become feature-sets once larger vendors took note of the risks and saw the opportunities, Ramjith said.
Citing VMware CTO Stephen Herrod, he said there was no replacement for people, processes, and policy.