Future Threats to Virtualization Security: Fact vs. Fiction

Who will be the TJX of virtualization security mistakes? No one knows yet, but one thing's certain: If you're a CIO, it better not be your company.

"There hasn’t been a significant security breach in virtualization, not a public one," says IDC analyst Stephen Elliott. "At some point, you have to figure it's a matter of time."

IT leaders must deal with virtualization security the same way they've dealt with numerous other threats: budgeting, planning, tools, process and vigilance. But those IT leaders must also be able to separate the real threats from the theoretical ones, and that's not always easy right now.

RELATED LINKS

10 Top Virtual Server Security Threats and How To Fix Them

Citrix Seals XenSource Deal, Pressures VMWare

Taking Virtual Servers Beyond Data Center Consolidation

How Server Virtualization Tools Can Balance Data Center Loads

How To Do Virtualization Right

Hypervisor for Laptops Could Rock Your Mobile World

What's on the virtualization threat horizon and is discussed in security labs but not appearing in real-life data centers yet?

For starters, there's been a lot of talk online and at some conferences regarding the possibility of hypervisor malware and hypervisor weaknesses. This past summer, a security consulting firm called Intelguardians Network Intelligence argued that it may be possible for a hacker to "break out" of a VM's guest operating system and into the host OS of a server. This invites the possibility of installing rootkits and other malware, Intelguardians argues.

Some security researchers discuss the possibility of a "Blue Pill" attack, using a virtual rootkit akin to the one created by security researcher Joanna Rutkowska. This kind of rootkit, the theory goes, can hide in the hypervisor and away from the vision of today's security tools.

Should you worry about these theoretical threats yet? Just how secure is a hypervisor?

"Blue Pill was really targeted as a Windows Vista exploit and never really materialized," says Burton Group's Wolf. "There's not been a significant threat yet." As for the hypervisor threats, he says, "I think the threats there are a bit exaggerated. The key is central monitoring and updating."

More troubling perhaps, says security researcher Chris Hoff: Given today's virtualization and security tools, IT has real trouble seeing into the traffic running between VMs. "Today we've deployed security sprinkled in boxes throughout the network," Hoff says. "But traffic patterns may be such now that trouble doesn’t even hit the network." IT very much needs tools to be able to peek into that inter-VM traffic, Hoff says. "The network and security guys have lost precious visibility," he says.

Another more practical and immediate problem: Separation of duties among IT personnel can radically change in a virtualized environment, Hoff says, as access to more VMs gets loaded into management consoles. That's the kind of security issue a CIO should worry about before worrying about Blue Pill, he says.

Think critically about what kind of applications you're virtualizing in the first place, and be aware, CIOs say. "Now's the time to really assess what is the risk profile of the systems you've put in the virtualized environment," says Arch Coal CIO Michael Abbene.

As one of Abbene's virtualization experts, Microsoft Systems Administrator Tom Carter says of hypervisor malware and Blue Pill, "I'm aware of the facts…but it's low risk to us at the same time. It's a complex attack."

Nonetheless, he's not dismissing the threat entirely: Protecting servers from possible hypervisor attacks is one goal of Abbene's team as it investigates new tools including Reflex Security's virtual security appliance product.

Of course, as with so many security threats, the more high-profile and mission-critical the apps that you virtualize are, the greater the risk. That requires careful planning plus attention to emerging tools. "We've recognized that the risk is expanding," Abbene says. "What we could live with one year ago we won’t be able to live with six months from now."

NEW! Download the State of the CIO 2017 report