Securing virtualization in real world environmentsDocument Transcript
IBM Software January 2011Thought Leadership White PaperSecuring virtualization inreal-world environments
2 Securing virtualization in real-world environmentsContents However, the key to successful virtualization is providing bene- ﬁts like energy efficiency and performance without compromis- 2 Introduction ing security. Organizations typically struggle to stay ahead of 3 Virtualization: Enjoy the ride, but don’t forget to buckle up today’s threats while also addressing various regulatory-based compliance standards. Adding new technologies such as 5 Security implications of virtualization virtualization exacerbates this problem, making it essential for organizations to identify and address the new security gaps 7 Securing virtualization that are introduced by virtualized environments. 8 Virtualization security solutions from IBM For example, in a physical server environment, if someone com-11 Summary promises the security of one server, most organizations have the security tools in place to address and contain that breach. But12 For more information in a virtual server environment, where a single physical server can be running multiple applications from different resources, aIntroduction breach of one virtual server can potentially be a breach acrossIT organizations are under increasing pressure to deliver more a multitude of virtualized servers. And traditional security toolsfunctionality faster and with smaller budgets. Increasing costs can’t help, because they weren’t designed to address virtualiza-attributed to power and cooling of servers, coupled with the tion. It’s only a matter of time before a tremendous securityheadache of managing an expanding number of servers, makes breach associated with server virtualization makes headlines.this a serious challenge requiring new advancements within thedata center. Given the potential for catastrophe, organizations must act now. The ﬁrst step is to take the time to understand how to properlyAt the heart of many data center transformations is virtualiza- integrate, deploy and manage security in virtualized environ-tion. Through its ability to consolidate workloads and reduce the ments. Without a baseline plan or a real understanding of virtu-amount of time and energy IT spends purchasing, installing and alization and security, IT groups may decide to disable manymaintaining racks of servers, virtualization allows the organiza- of the advanced features of virtualization for fear of unintendedtion to satisfy its goals with fewer physical resources and reduced consequences, or even worse, they might introduce more riskoperational costs. Early adopters of virtualization are also into the process.attaining additional returns on their investment throughsimpliﬁed systems management, automation and optimizedserver utilization. In short, both the expectations and beneﬁtsare very real.
IBM Software 3This white paper examines many of the security concerns associ- However, in addition to providing these beneﬁts, virtualizationated with virtualization and helps you understand and prioritize signiﬁcantly impacts security. As data centers evolve into sharedthese risks, as well as describing the IBM security solutions and dynamic infrastructures, security concerns increase. Thethat can help you secure virtual environments and position your industry has already expressed anxiety over physical-to-virtualorganization to reap the full rewards of this exciting technology. migrations, security of the virtualization management stack, and visibility into the virtual network. As virtual data centers becomeVirtualization: Enjoy the ride, but don’t more complex, additional concerns around workload isolation,forget to buckle up multi-tenancy, mobility, virtual machine sprawl and trust rela-Virtualization has tremendous appeal for a variety of reasons. tionships are gaining visibility. Negatively impacting the overallMost notably, organizations are successfully reducing capital and security posture and increasing risk are never the intentions ofoperating expenses through server consolidation. By breaking IT groups deploying virtualization, but that potential readilydown silos of physical resources, organizations can simplify exists.data center management and reduce server sprawl. Concerns over risk have the potential to limit the beneﬁts anWhile reducing data center costs has become the primary suc- organization will realize from virtualization. For example, manycess metric for organizations, investments in server virtualization companies have seen no change in the number of resourcesalso come with greater expectations. Organizations have addi- needed to manage virtual environments (see Figure 1). This istional goals of increased availability, automation and ﬂexibility likely the result of organizations not enabling automationthat are possible only with virtualization. Realizing these goals capabilities such as dynamic resource allocation and mobility.is a critical step towards greater levels of service management Additionally, adopters of virtualization may not be changing—through virtualization, including advanced IT service delivery and ultimately improving—the efficiency of server provisioningand strong business alignment. It also helps break the lock processes for fear of introducing risk or of moving out of com-between IT resources and business services—freeing you to pliance with security policies. Until these organizations enableexploit highly optimized systems and networks to further more advanced virtualization features, they will not realizeimprove efficiency. the enhanced manageability and availability beneﬁts that virtualization brings.
4 Securing virtualization in real-world environments The security challenges of virtualization Traditional threats Traditional threats can attack New threats to VM VMs just like real systems environments Virtual server sprawl APPLICATIONS Dynamic state VIRTUAL Dynamic relocation Management vulnerabilities MACHINE OPERATING Secure storage of VMs SYSTEM and the management data MANAGEMENT Resource sharing Requires new Single point of failure skill sets VMM OR HYPERVISOR Loss of visibility Insider threat HARDWARE Stealth rootkits MORE COMPONENTS = MORE EXPOSUREFigure 1: The unique security challenges of virtualized infrastructures generate new risks for IT organizations, and the risk increases with the number ofcomponents involved.
IBM Software 5On the other hand, many early adopters have rushed to take controls, strengthen the platform and increase awareness ofadvantage of these technologies, often without fully understand- potential security implications, organizations will be able to real-ing the security concerns. For example, server consolidation ize more beneﬁts without adding new risk.increases overall efficiency, but also complicates matters byintroducing a new architecture with various technical and Before we examine the solutions offered for virtualizationorganizational complexities. Both IT and security professionals security, let’s take an in-depth look at the major concerns.must adapt as consolidation forces change. Security implications of virtualizationAs network and server administration begin to converge, physi- Some characteristics and attributes of virtualization have inad-cal security devices and other security tools become less effective. vertent yet inﬂuential consequences on information security.Even the most basic features of virtualization greatly impact the Physical servers and other computer resources are heavilyday-to-day security responsibilities and processes used to achieve shared, barriers between virtual machines are logical, andand maintain compliance. workloads can move around the data center—en route to new servers or geographic locations in real time.Perhaps a lesson can be learned from the automobile industry inthat safety and security increase with maturity. The ﬁrst modern Understandably, people, processes and technology must adapt.automobiles were available in the late 19th century, but seat belts To do so, we must fully understand the new risks and securitywere not offered as standard equipment until 1958. Clearly, challenges unique to this technology. The following sectionstechnological advances allowing cars to travel much farther and describe several major security concerns of virtualizedfaster outpaced advances in safety. Likewise, new virtualization environments.capabilities are currently being introduced at a pace that chal-lenges risk mitigation solutions. While mature virtualization Isolationplatforms have strengthened their inherent security capabilities In order to safely consolidate servers and allow a single physicalover time, new virtualization products with widespread appeal server to host multiple virtual machines, virtualization uses logi-and poorly understood security capabilities are now on the cal isolation to provide the illusion of physical independence.highway. No longer able to verify that machines are separated by network cables and other physical objects, we rely on the hypervisor andIn response, organizations must buckle up. They should under- other software-based components to provide these assurances.stand the new security risks that are introduced in virtualized This becomes increasingly important when workloads fromenvironments, and then evaluate new security solutions speciﬁ- users of different trust levels share the same hardware. Incally designed to address these new virtualization security order to properly contain information, administrators must paychallenges. Yes, virtualization introduces new concerns, but it special attention to conﬁguration settings that affect virtualalso provides an opportunity to extend defense-in-depth to machines and network isolation, as well as continuously monitornew and unique areas of integration. As we optimize security the entire infrastructure for changes that could result in leakage of sensitive data.
6 Securing virtualization in real-world environmentsServer lifecycle and change control conﬁguration protocol (DHCP) environments. Static policiesPatch management and change control windows are vital to and other security mechanisms designed for traditional serverskeeping operations running smoothly and safely. This is done by and networks may become easily confused. The ability of secu-applying important security ﬁxes in a timely manner. In fact, this rity products to operate intelligently across multiple physical andis so important that many IT organizations have built an exact virtual environments, as well as to be more infrastructure-awarescience around server maintenance. Without question, a great through integration of platform and management APIs, willamount of time and money are invested annually to maintain allow administrators to enforce control over the mobility ofservers in the data center. Virtualization adds to this complexity virtual machines within various security zones.by changing the rules of the game. Servers are no longer con-stantly running; virtual machines can be stopped, started, paused Virtual network securityand even rolled back to a previous state. The speed at which Networks and servers are no longer two separate, distinct layersmachines are conﬁgured and deployed also dramatically of the data center. Virtualization allows for the creation ofincreases. What used to take hours now takes seconds or sophisticated network environments, completely virtualizedminutes. The result is a highly dynamic environment where within the conﬁnes of the server itself. These virtual networksmachines can be quickly introduced into the data center with facilitate communications for virtual machines within the serverlittle oversight, and security ﬂaws can be absent or reintroduced and share many of the same features used by physical switchesbased on virtual machine state. Security professionals must and other traditional networking gear. A physical port in the datafully understand what virtual machines are being deployed, center that used to represent a single server now represents tenswhich are currently running, when they were last patched and or hundreds of virtual servers and drastically affects how wewho owns them. secure data center networks. Network traffic between virtual machines within the same physical server does not exit theVirtual machine mobility machine and is not inspected by traditional network securityMobility, in the language of virtualization, refers to the ability of appliances located on the physical network. These blind spots,a virtual machine to automatically relocate itself and its resources especially between virtual machines of varying trust levels, mustto an alternate location. This capability, while highly desirable, be properly protected with additional layers of defense runningcan also create problems. In a traditional data center, physical within the virtual infrastructure.server ‘A’ might be located on Row 5, Rack 8, Slot 3. In thehybrid data center, virtual machine ‘B’ is not as easily locatable. Separation of operational dutiesAs part of a resource pool, server ‘B’ could be spread across Separation of duties and the policy of least privilege aremultiple physical resources. If conﬁgured for mobility, the virtual important security principles used to limit the capabilities of ITmachine could relocate to another physical server, either auto- administrators as they manage resources and perform routinematically as part of a disaster preparedness plan or in response tasks. Server management is usually handled by the serverto a performance threshold. administrator, and network management by the network administrator—while security professionals work with bothThe mobile aspect of virtual machines means ﬂexibility, time teams and handle their own speciﬁc tasks. Virtualization hasand cost savings for the data center, but it also introduces secu-rity concerns similar to laptop and large-scale dynamic host
IBM Software 7changed the natural boundaries and lines of demarcation that the same security technology. The reason we cannot is due to abuilt these divisions. Both server and network tasks can be fundamental shift in the way organizations plan, deploy andmanaged from a single virtualization management console, manage virtualization platforms. This shift requires, in somewhich introduces new operational challenges that must be instances, a simple adaptation, and in others, a completely newovercome. Organizations must clearly deﬁne proper identity and way of operating.access management policies, allowing administrations and secu-rity professionals to properly maintain and secure the virtual For example, it is true that some of the threats exposed byenvironment without granting excessive authority to those who virtualization can be mitigated or reduced by using existingdo not require it. people, processes and technology. Traditional network and host security products for example, can be used to protect the net-Additional layers of software work, desktops and servers. Given a small adaptation, host intru-As virtualization is introduced into the data center, so are addi- sion prevention systems (HIPS) can also be installed on eachtional lines of code that make up the software needed to virtual machine. However, what cannot be effectively protectedimplement it—from the management consoles that control by traditional processes and technologies is the virtual fabricvirtual machines to the hypervisors that provide the foundation composed of the hypervisor, management stack, inter-VM trafficfor the technology itself. As such, new vulnerabilities related to and virtual switch. While people, processes and technology arevirtualization software can be introduced, with some attributed recyclable, they also need to evolve to the new architecture andto the popularity, accessibility and relative immaturity of x86 concepts exposed by virtualization.virtualization. In addition, there is a heightened sensitivity fromvendors to analyze and disclose vulnerabilities. Many disclosures Change control and patching procedures are good examples.can be attributed to third-party code that is packaged with the The patching procedures for virtual machines certainly need tovirtualization software stack, and vendors are taking measures to adapt to ﬂuctuating running states and dormancy. Furthermore,reduce the footprint of their software and dependency on uncon- how do organizations use virtualization management suites totrolled code. However, it goes without saying that fault-free code reclaim the separation of duties lost when network and hostis largely unattainable, especially as vendors integrate complex administration merge onto the virtualization platform?features into their platforms. Organizations should treat virtual-ization as they would any critical application and apply proper Deploying access control and applying the policy of least privi-defenses to stay ahead of these threats. lege to the management console, administrative roles and virtual images are certainly not unique concepts; however, slowing theSecuring virtualization growth of virtual networks and preventing virtual server sprawlIBM believes that a foundation in security is the basis from is. Administrators must also adapt to the concept of sharedwhich organizations can reap the most beneﬁt from virtualiza- resources and ensuring a fair distribution of RAM, CPU,tion. If many of today’s virtualization security challenges simply storage and bandwidth.mirror yesterday’s challenges, logically, we should be able to use
8 Securing virtualization in real-world environmentsAll of these practices are used in today’s networks—in some Virtualization security productsform—to mitigate risk. Since even virtual networks are really IBM’s virtualization security product offerings fall into threehybrid networks, these traditional solutions are still absolute areas within the virtualization spectrum: Virtual environmentnecessities in the ﬁght for security. However, organizations ready, virtual appliances and virtual infrastructure protection.should keep in mind that organizational security is only as goodas the sum of its parts. Defense-in-depth must be extended from Virtual environment ready solutions utilize IBM securityphysical to virtual environments. In today’s era of reduced cost offerings to protect virtual environments. With these solutions,and complexity, the value of a single suite of centrally managed IBM can protect virtual environments with proven technologiessecurity products that protects both physical and virtual net- that incorporate recommended policies from the IBM X-Force™works and hosts is critical to achieving organizational security team, which is one of the oldest and best-known commercialand maximum return on investment. security research groups in the world. Certiﬁed by the International Computer Security Association (ICSA), andVirtualization security solutions from IBM developed according to National Security Services (NSS)Most organizations are running hybrid infrastructures with libraries for cross-platform security development, thesevarying percentages of physical and virtual hosts, applications solutions have the ability to block threats and provide seamlessand devices. While many are rushing headlong into virtualiza- integration with no interruption of your workﬂows.tion, others are testing in laboratories or waiting until the valueof their servers and appliances have amortized. Regardless, the Virtual appliances such as IBM Security Network Intrusionstark reality of virtualization is that there is an adoption period. Prevention System help reduce operational expenses whileCurrent investments in security will not be thrown away but will increasing ﬂexibility for your security infrastructure by allowingbe recycled and reused. Without question, organizations will the reuse of assets you already own. These solutions can easilylook to cannibalize their existing investment in security in order migrate from older technologies without changing hardware,to effectively extend their investment. and they provide a foundation for future expansion. The same policies of the physical appliance can be reused, and there canIt is critical to understand that the true value of security is not in be numerous virtual appliances running on every virtualizationpoint products that address virtualization only, but in solutions server.that extend security to the new risks exposed by virtualizingproduction servers. Organizations interested in reducing cost Virtual infrastructure protection solutions include IBM Securityand complexity while achieving enterprise-grade security must Virtual Server Protection for VMware, an integrated threat miti-pay close attention to how solutions will ﬁll the coverage gaps gation solution designed to allow organizations to fully exploitintroduced by virtualization. the beneﬁts of server virtualization while protecting critical virtualized assets (see Figure 2). It provides the same intrusionIBM is focused on providing best-of-breed, end-to-end security prevention capabilities of other network IPS solutions, but withsolutions for key control points—network, endpoint and server. the advantage of being integrated into the hypervisor throughIBM provides a range of virtualization security products, serv- the VMsafe interface made available by VMware—which meansices, and leading-edge expertise to help organizations maintain you need to install only one instance for each virtualization serversecurity while realizing the promise of virtualization. in order to protect the entire virtualized infrastructure.
IBM Software 9 IBM Security Virtual Server Protection for VMware IBM Security VM VM VM Virtual Server Web Server Host Desktop Web Application Protection for VMware Policy Response Applications Applications Applications Engines Hardened OS OS OS OS Rootkit Firewall VMsafe Intrusion Virtual Detection Prevention NAC Hypervisor HardwareFigure 2: IBM Security Virtual Server Protection for VMware helps organizations operate more securely and cost-effectively by delivering integrated andoptimized security capabilities for virtual data centers.
10 Securing virtualization in real-world environmentsIBM Security Virtual Server Protection for VMware automati- ● IBM Security SiteProtector System offers the industry’s largestcally protects virtual machines as they come online or move portfolio of centrally managed security products and is sup-across the data center, and it monitors traffic between virtualized ported on VMware ESX. Designed for simplicity and ﬂexibil-servers with a holistic view of the virtual network. In addition to ity, Security SiteProtector System can provide centralizeddelivering IPS capabilities, the solution enables the security team conﬁguration, management, analysis and reporting for selectto search for malware by looking for rootkit activity in virtual- IBM security products.ized systems and to conﬁgure ﬁrewall rules and network access ● IBM virtualized infrastructure security provides virtual envi-control (NAC) rules. ronment awareness and forms a transparent plug-and-play threat protection solution to address security concerns associ-IBM Security SiteProtector™ System is integrated into Virtual ated with virtual machine sprawl, lack of virtual networkServer Protection for VMware, providing a simple, cost-effective visibility, and mobility. Through integration with virtualizationway to manage security solutions for physical and virtualized platforms, IBM provides consolidated network-level intrusionsystems across the entire IT environment. Security SiteProtector prevention and auditing of the virtual environment, reducingSystem provides a central management point to control security the need for network traffic analysis in the guest operatingpolicy, analysis, alerting and reporting. system. Through this approach, organizations can limit the security footprint per guest OS, thereby eliminating redundantSecurity management solutions resource consumption and reducing security managementIBM provides a wide range of security management offerings, complexity.from managed services to plug-and-play solutions: Solutions backed by IBM X-Force● IBM Managed Security Services offers the option to outsource IBM security excellence is driven by the world-renowned the deployment and management of your security products, X-Force team, which provides the foundation for IBM’s preemp- thus reducing the cost and complexity of training and main- tive approach to Internet security. This leading group of security taining in-house staff. IBM Managed Security Services also experts researches and evaluates vulnerabilities and security offers an innovative and simple way to secure the virtual issues, develops assessment and countermeasure technology for infrastructure by choosing to have IBM manage your security IBM security products, and educates the public about emerging operations from one of eight IBM operation centers around Internet threats. the world. Called the IBM Virtual-Security Operations Center (Virtual-SOC), this service is designed to ensure that all physical and virtual security solutions are active and updated with the latest patches and software updates, including security intelligence provided by the IBM X-Force research and development team.
IBM Software 11The X-Force team delivers security intelligence that customers Summarycan use to improve the security of their networks and data. Without a doubt, virtualization has changed—and is changing—Regardless of whether the product is a physical 1U appliance or how organizations run, manage and store applications and data.a piece of software installed on a virtual machine, the same secu- New, complex technologies are rapidly increasing the potentialrity intelligence and threat content developed by the X-Force for more gaps in protection.team is installed on that IBM security device and helps managethe threat mitigation process. Virtualization security need not mean scrapping current security investments in IPS technology, ﬁrewalls or multifunctionIn addition to providing security content updates to IBM secu- devices. Networks will always have some amount of physicalrity products, the X-Force team also provides the IBM X-Force hardware, and virtual security will always be limited by a ﬁniteThreat Analysis Service (XFTAS). The XFTAS delivers cus- amount of resources. But you do need to plan now and considertomized information about a wide array of threats that could how to best protect your physical and virtual resources.affect your network through detailed analysis of global threatconditions. IBM continues to develop solutions that not only help protect capital investments and conﬁdential data, but also make it easy to track, monitor, automate and manage your critical infrastructure resources, including those in the virtualization stack.