Speaking at the Cloud Services SIG on July 27, 2010 at VMware in Palo Alto, Kelly Robertson, CEO of 9Proof Americas, explained the special security concerns that enterprises face in virtual environments.
Robertson joked that adding together the dictionary definitions of virtual and security amounted to “simulated freedom from risk or danger,” which hardly bodes well for security in this new age where more and more servers are virtualized and virtualization has become a key technical enabler of cloud computing.
Robertson stressed that any security system must account for every layer in the stack, because the entire system is only as secure as its weakest link. Organizations must protect not only data in transit and data in storage but also data in use. Each link in the chain must be guarded to make virtualization safe.
Robertson explained several security concerns specific to virtualization. In virtual environments, Robertson said, users spin up and shut down servers far more frequently than before, creating a virtual sprawl of ephemeral servers. This dynamic sprawl does not fit neatly within traditional IT practices and lines of authority; responsibilities pile up on administrators, and the shortcuts taken to cope put security at risk.
Because multiple virtual machines share the same physical server, Robertson said, a hacker who breaks into one of those virtual machines gains a beachhead that puts the other virtual machines on the physical server at greater risk. These virtual machines share the same physical memory and physical storage. In many cases, according to Robertson, virtual machines on a single server exist on the same network without a firewall between them, which gives an advantage to a hacker who has broken into one of these systems.
Another threat in a virtual environment, according to Robertson, is a hacker gaining control of the hypervisor layer, the software that executes and monitors the guest operating systems. Control of the hypervisor would let a hacker attack the guest operating systems in a manner that was undetectable from within them. This sort of attack, known as Blue Pill, was prototyped by security researchers in 2006. However, Robertson pointed out, there is no evidence that hackers have ever managed to use this sort of attack against production systems.
Robertson described BladeBox, a product offered by his firm, 9Proof America, that protects data in a virtual environment by encrypting the data and surrounding it with an application firewall that restricts access to applications on a white list. Even if access to the stored data is compromised, the data cannot be read by rogue applications that are not on the list.
Check out DJ Cline’s photos of the event at http://www.djcline.com/2010/07/29/july-27-2010-sdf-cloud-virtual-security/.