Virtualize, but with caution

By freeing IT infrastructure from the cocoon of the “one application, one server” rule, which often left over-provisioned systems underused and expensive, virtualization symbolises a major shift in IT practices.

With the advent of virtualization and the associated move to hosting multiple virtual machines on a single server, many of the problems related to IT infrastructure have now disappeared. Virtualization is now a mature concept even in developing markets, including India. Depending on their respective strategies, organisations are adopting open source or proprietary virtualization architectures.

Virtualization is widely adopted in data centres today to enable cost effective multi-tenancy with more optimal use of compute resources. Architected for cloud computing, these new data centres are a combination of physical servers and virtual workloads. However, virtualization also introduces a completely new set of security challenges — and this means that the data centre requires an even more pervasive range of security options.

IDC estimates that the economic impact of server virtualization in India will be $3.89 billion by 2020. This takes into account the money that can be saved on servers, power, cooling and real estate. According to Gartner, by 2015, almost 20% of the overall VPN/firewall market will be deployed using virtual infrastructure and 100% of overall IT security product capabilities will be delivered from the cloud.

Physical security devices were not designed to protect the new virtual components that virtualization introduces. Security professionals need to recognise what new threats come with virtualization and adapt their security practices to accommodate them.

Perils of Virtualization
Not many organisations are prepared to handle the security threats of the virtual world. Physical security devices residing outside the virtual infrastructure may be able to provide basic levels of security to the physical network, but they do not provide the visibility and control within the virtual infrastructure that is needed to address new virtualization challenges. Many companies are trying to use the same methodology and tools in the virtual environment that are typically used in physical environments, and this approach is difficult to make work.

In an era where enterprises are toying with the idea of virtualization across the layers of their IT fabric, be it the server or the endpoint (desktops), Nilesh Goradia, Head of Client Virtualization & Mobility Business-Citrix India, says server virtualization is no longer new to Indian enterprises. Desktop virtualization might not be large as of now, but it is growing fast.

ZDNet’s IT Priorities 2013 research report found that about 43% of organisations in India had virtualized their server environments.

Jagjit Singh Arora, Director – Regional Sales, Red Hat India, says, “It is important to make sure that the host physical machine and its operating system are not compromised in any way while deploying virtualization technologies. This is because, if the host physical machine is insecure, all guest virtual machines in the system will be exposed and vulnerable to the threat.”

Sajan Paul, Director – Systems Engineering, India & SAARC, Juniper Networks, is of the view that traditional network security appliances are blind to any communications between virtual machines (VMs) within a single host. This opens up the potential for inter-VM attacks: an attacker may compromise one virtual machine and then use that VM as a springboard to attack other VMs on the same host. The more VMs resident on a host, the more effective the potential attack. The attacker can also use a compromised VM to launch an attack on the hypervisor itself, a technique known as hyperjacking. “Since the hypervisor is the critical piece of software that controls all of the VMs running on a single piece of hardware, it’s a very natural attack target,” he says.

Goradia agrees with the need to secure not just the host, but the hypervisor as well. He reasons that since the hypervisor is the virtual machine manager, a program that allows multiple operating systems to share a single hardware processor, it is very important to secure it.

“Enterprises may have to deal with a combination of OS and their vulnerabilities. For instance, there could be some really large enterprises with about 500 servers, dealing with multiple OS environments. Thus, the enterprises need to develop security systems to enable them to manage OS security from the hypervisor itself so that they needn’t worry about security of the OS. This brings down the cost of setting up the security system and managing their updates,” he asserts.

BS Nagarajan, Director – Systems Engineering, VMware India & SAARC, believes that security is no longer a major concern for organisations evaluating virtualization and that some of their customers like HDFC Bank had virtualized servers about seven years back. He says, “For many organisations virtualization is not a choice, but a need.”

“As more customers are now moving from Unix to x86 servers, it is becoming imperative for them to virtualize,” he says.

Talking about desktop virtualization, Goradia of Citrix says that as desktop virtualization is based on hypervisor technology, securing it also requires extreme care, just as in the case of the hypervisor.

“Since there could be multiple users of a virtual desktop, the organisations need to have effective security locks so that the user may not need to download information to access it,” he says.

In such cases, enterprises have tried to secure access with the DMZ, or perimeter network, concept. “If a user has to connect with the data centre, he has to go through the perimeter network that validates the user; the tools of the network will decide what information will go to which resource.”

But the job doesn’t end here, as the perimeter network can also fail or, at other times, the virus or malware could be riding on the endpoint device, so there is a need to analyse the device as well.

Nagarajan points out that such things were more successful when company-provided devices needed to connect through a VPN, but things got more complicated in the BYOD (bring your own device) scenario.

Thanks to software-defined networks, organisations have also scaled up from their traditional antivirus and malware solutions. “The trend now is to reverse identify the source of threat and wipe it there,” says Goradia.

Easing it with identity
Stressing that data theft risks increase in virtualized environments, Vic Mankotia, Vice President of Solution Strategy for Asia Pacific and Japan at CA Technologies, says firewall passwords are not intelligent enough. In such cases, identity management becomes crucial.

“A user identity can become the perimeter; it is a stepped-up way of authentication. Since we work at the kernel level, we can even identify virtual images,” Mankotia says.

Another important aspect of virtualization is that assets can be downloaded from the Internet. Yuvraj Pradan, SE Lead-India, McAfee, observes that a number of virtualization vendors offer pre-configured virtual appliances. These appliances are built and optimised, often through community contributions, and are typically meant to serve very specific purposes such as a firewall or an Internet browser appliance.

“The security risk associated with these appliances is lack of control on the contents of the appliance itself. Malware or other dangerous elements could be downloaded with the appliance. Once installed within a corporate environment, malicious software can then go about its nefarious activities, for example, passive information gathering over the network. Just as organisations have very strict rules with regard to placing unapproved hardware (and software) onto the network or even powering it on, it is equally important to enforce a similar set of rules on virtual machines and especially downloaded third-party appliances,” Pradan says.

A further complication to keep in mind is that most of the virtualization technologies available today support complex networking schemes that can make such “rogue” virtual machines essentially undetectable by the network while still providing them with unrestricted access to the host as well as the network itself, he adds.

At a time when virtualization is making inroads into various aspects of a data centre (server, storage and network), Pradan opines that it is difficult to say only one piece of the gamut is vulnerable.

“Administrators need the ability to monitor the virtual environment, understand it, replay what happened, and see what the environment looks like at any given time to determine the best way to troubleshoot and control the environment. IT departments need a tool that shows a visual representation of the virtual environment as well as real time and historical reporting to show what changed, who changed it, when it was changed, what happened from a network perspective to cause the event, and how this event relates to the security of the entire network infrastructure,” Pradan says. Basically, securing virtualized environments is a matter of efficient planning.

Plans for Virtualization
There are numerous ways of enhancing security on systems using virtualization, but the organisation must have a plan, says Arora of Red Hat.

“The organisations must have a clear understanding of operating specifications, specifications regarding which services are needed on guest virtual machines, specifications regarding the host physical server and specifications regarding what kind of support is required for these services,” Arora says.

Tarun Kaura, Director-Technology Sales-India, Symantec, opines that the right planning is critical, as the market lacks the maturity to decide what information resides on premise and what moves to the cloud. Enterprises must realise that corporate IP should not go out.

For effective planning, Kaura recommends that the security team should be a part of the data center design team. “An end-to-end security policy and checkpoint should be in place,” he says.

Security in post virtualization era
Security technologies have subsequently been developed to protect virtualized environments, each with its own set of advantages. Virtualized environments have resulted in easier adoption of cloud-based data centers and environments. Some of the key security trends have been to consolidate security across hybrid models and to leverage existing security solutions and platforms effectively to provide a unified security framework that manages both sets of technologies.

There has also been a gradual push to develop security solutions for virtualized platforms, such as agentless technologies for protecting virtualized server infrastructure. With various cloud-based infrastructures being set up, such as Amazon Web Services and Rackspace, there is a need to protect these infrastructures too, and hence the need for a holistic security framework for protecting them, with emphasis on customer data privacy and advanced persistent threat protection.
