Because of the enormous cost saving and rapid deployment possibilities, server virtualization continues to be a top priority for federal, state and local government agencies faced with tighter budgets. For the third consecutive year, virtualization is the top technology priority of state CIOs, according to NASCIO.
Although virtualization technology is rapidly being adopted, the security aspects of the virtual server environment often are overlooked. Sixty percent of virtual servers will be less secure than the physical servers they replace, according to Gartner’s January 2010 publication, Addressing the Most Common Security Risks in Data Center Virtualization Projects. As organizations implement virtualization strategies, one of the most critical success factors is establishing an appropriate security posture. Thoughtful planning, leadership support and collaboration across IT and security teams are some keys to this endeavor.
Benefits and Challenges
Server virtualization is a form of resource sharing whereby one physical server hosts many virtual servers, called guests. A main component of server virtualization is the hypervisor, which allows multiple guest operating systems, a.k.a. virtual machines (VM), to run concurrently on a host computer.
This approach helps minimize the data center’s footprint; achieve green IT through energy, carbon and cost reduction; improve physical resource utilization; reduce capital committed to long-term leasing of equipment; and increase flexibility. But unique security challenges associated with server virtualization — such as virtual firewalls and segmentation of virtual networks — require attention during project inception or implementation.
Once server virtualization is implemented, costs decrease and virtual server provisioning time is drastically reduced. However, due to the ease of provisioning and replication of VMs, the environment can change rapidly.
Mitigating Security Risks
Two technical components of the virtual environment that are important to manage are the hypervisor and virtual network. The hypervisor is the specialized operating system that manages the interaction between the VMs and physical hardware. A virtual switch connects the VMs and physical network interfaces to let the VMs communicate with the network. These two additional technical layers increase the “attack surface,” which can elevate the risk for virtual environments; failing to understand the security implication of these layers may leave virtual environments exposed to cyber-attacks. Security policies, standards, guidelines and procedures must be revised to address these risks.
Common security practices, like patch and configuration management, are important to any implementation, and virtualization is no exception. As part of risk management in a virtual server environment, it’s important that updates, upgrades and patches are integrated into the security patch process. For example, with this new environment there are two systems to patch: the physical host system and VMs. Failure to patch one increases the odds that the other will be compromised. Because the hypervisor is also an operating system, it must be included in patch and configuration management.
One significant feature of virtualization is the hypervisor’s capability to turn off VMs at any time based on system capacity or power consumption, often considered a green IT benefit. Consequently some systems will be offline when IT discovers new vulnerabilities, makes configuration changes or pushes out new patches. Comprehensive patch coverage already is a problem with the desktops and laptops of mobile workers and telecommuters, and virtual servers pose an added challenge. How often did data center managers consider the need to patch offline servers prior to virtualization? With a virtual environment, they must.
Another aspect is to review the baseline virtual images or templates used to deploy new VMs. These templates need to be patched prior to implementation and maintained at an equivalent patch level of current production systems.
The overall configuration management of systems, networks and storage also becomes more complex in the virtual environment. Security vendors are quickly entering the server virtualization market space by expanding or customizing their product lines and service offerings with security appliances such as intrusion detection system sensors and firewalls designed for deployment in virtualized environments. Additional security controls associated with the configuration of virtual server systems include restricting both the ability to take snapshots and roll back a VM. Either of these actions can easily revert a VM to an unpatched, noncompliant state. System administrators should be cautious in resorting to rollback for troubleshooting or performing recovery, as they could easily overlook related security implications.
Roles and Responsibilities
Moving from a physical to a virtual server environment should be done as part of a comprehensive review of the existing environment and governance structure. Much of the existing governance structure will apply in both the physical and virtual server environment. But the virtual server environment has some unique governance considerations, including roles and responsibilities, segregation of duties, and alignment to security policies. The revision of policies, standards, procedures, guidelines and metrics to account for differences in the virtual environment are a key initial activity. This revision must consider additional security risks and identify appropriate mitigating controls based on the organization’s risks and threat profiles. This activity also should involve the business, IT, internal audit and security teams.
Building upon existing change management processes, configuration controls, operational metrics, reporting and other administrative controls, agencies can better manage and track risks and considerations unique to virtual environments.
Changes to legal and regulatory requirements also should be considered as part of the governance revisions. A National Institute of Standards and Technology (NIST) draft document, Guide to Security for Full Virtualization Technologies, addresses security considerations for virtual environments. NIST also is updating the Federal Information Security Management Act to cover cloud and virtual environments. Most states already use NIST standards, according to the 2010 Deloitte-NASCIO Cybersecurity Study, so these new guidelines may serve well for federal and state agencies.
Governance in a Virtual Environment
In 2009, 40 percent of virtualization projects did not involve the information security team during the initial architecture and planning stages, according to Gartner research. Virtualization efforts have raised pertinent questions about roles, responsibilities and segregation of duties in many implementations. For instance:
- Is the server or the network team responsible for the virtual server network?
- Should separate virtualization teams handle the network and infrastructure components?
- Who’s responsible for VM and hypervisor maintenance?
- What changes are required in the development process?
- How will compliance be measured?
These are just some of the questions that need to be addressed and appropriate roles and responsibilities defined for achieving a successful implementation.
Forrester Research introduced the concept of a virtual infrastructure administrator in its April 2009 report, Best Practices: Aligning Your Infrastructure and Operations Department Around Virtualization, stating that administrators must know the health of all VMs and any potential issues with the physical or virtual infrastructure. Agencies should review policies around roles and responsibilities and expand them to account for additional capabilities in the virtual environment. In addition, processes and controls need to address who can add and remove VMs, configuration management of the hypervisor, virtual networks and VMs, and movement of virtual machines from one physical host to another. These new controls also require the development of reporting metrics to measure the configuration’s effectiveness.
Additionally agencies should take the opportunity to engage and educate internal auditors by having them serve as a check and balance for the virtualization life cycle. Auditors also might support the development of risk assessment metrics and evaluate security risks.
Security Policy and Monitoring
Once agencies grasp virtualization’s security implications and governance aspects, they can focus on comprehensive security policies and monitoring procedures. As with any implementation, agencies must understand the current state of their computing environment and how the changes are executed, tracked and monitored. Security metrics relevant to virtual environments are an enabler to this data. Agency security officers should define the model, policies and procedures used for server virtualization while applying metrics to track compliance. The selection and monitoring of the appropriate metrics is important to achieve success in the virtualized environment.
Agency security policies and procedures should be implementable, measurable, enforced and specific to the virtual environment. For instance, each VM is stored as a single file (e.g., VMware stores VMs as vmdk files). Controls around how, when and by whom these easily duplicated files can be copied or moved to another location should be a major consideration when developing governance controls. These files should be treated with the same sensitivity and security as a tape backup or application data.
Top Security Actions
There are many controls to consider when planning a virtual server environment, but a few must be considered as part of a virtualization strategy.
Virtualization planning should include representatives from all impacted organizations, such as networking, operations, development teams, business units, security, internal audit or inspector general, and if required, legal. The federal government, industry groups and commercial firms offer security guidelines for virtual environments that may be useful. The U.S. Department of Homeland Security and NIST released documents to help public-sector and industry organizations implement secure virtual environments. The U.S. Department of Defense and virtualization vendors released technical guides for secure configuration and deployment of VMs. The Center for Internet Security and the Cloud Security Alliance also published information on implementing secure virtual environments. Agencies can also benefit from lessons learned and virtualization case studies from other public agencies and private companies.
While the overwhelming benefits of server virtualization continue to drive its rapid adoption, the success of virtualization initiatives is directly linked to their security posture. Virtualization introduces risks and increases the attack surface; stakeholders should consider additional protections appropriate to the risk level. Most virtualization security risks and issues don’t result from the technology, but rather an organization’s operational framework.
Seize the opportunity to align agency risk and governance strategies to aid in addressing these hurdles. Without guarding against information breach or compromise, the desired cost savings may be lost. Before implementing server virtualization, communicate with the security, IT and audit teams to commit to a risk-based approach in securing the virtual environment. Determine risk-tolerance levels and metrics for measuring risk, then plan and implement server virtualization. If a virtualization effort is already under way, discuss the maturity level of security efforts and the status of implementing risk mitigation measures with your chief information security officer. Take action before disaster strikes, impacting the confidentiality or integrity of data, or affecting the availability of your environment.
Srini Subramanian is a director in Deloitte & Touche’s Security and Privacy Services practice and he leads Deloitte’s state sector Security and Privacy Services market offering. He has more than 23 years of IT experience and more than 13 years of security and privacy experience.
Paul Meynen is a senior consultant for Deloitte & Touche in its Security and Privacy Services practice. His five years of experience includes service to clients in the government, retail and insurance industries. Contact him at firstname.lastname@example.org.