Wed, November 14, 2007 — CIO — "There hasn’t been a significant security breach in virtualization, not a public one," says IDC analyst Stephen Elliott. "At some point, you have to figure it's a matter of time."

IT leaders must deal with virtualization security the same way they've dealt with numerous other threats: budgeting, planning, tools, process and vigilance. But those IT leaders must also be able to separate the real threats from the theoretical ones, and that's not always easy right now.

What's on the virtualization threat horizon and is discussed in security labs but not appearing in real-life data centers yet?

For starters, there's been a lot of talk online and at some conferences regarding the possibility of hypervisor malware and hypervisor weaknesses. This past summer, a security consulting firm called Intelguardians Network Intelligence argued that it may be possible for a hacker to "break out" of a VM's guest operating system and into the host OS of a server. This invites the possibility of installing rootkits and other malware, Intelguardians argues.

Some security researchers discuss the possibility of a "Blue Pill" attack, using a virtual rootkit akin to the one created by security researcher Joanna Rutkowska. This kind of rootkit, the theory goes, can hide in the hypervisor and away from the vision of today's security tools.

Should you worry about these theoretical threats yet? Just how secure is a hypervisor?

"Blue Pill was really targeted as a Windows Vista exploit and never really materialized," says Burton Group's Wolf. "There's not been a significant threat yet." As for the hypervisor threats, he says, "I think the threats there are a bit exaggerated. The key is central monitoring and updating."

More troubling perhaps, says security researcher Chris Hoff: Given today's virtualization and security tools, IT has real trouble seeing into the traffic running between VMs. "Today we've deployed security sprinkled in boxes throughout the network," Hoff says. "But traffic patterns may be such now that trouble doesn’t even hit the network." IT very much needs tools to be able to peek into that inter-VM traffic, Hoff says. "The network and security guys have lost precious visibility," he says.

Another more practical and immediate problem: Separation of duties among IT personnel can radically change in a virtualized environment, Hoff says, as access to more VMs gets loaded into management consoles. That's the kind of security issue a CIO should worry about before worrying about Blue Pill, he says.