Virtualisation offers a lot of advantages but security must already be built in
In an increasingly complex security world, virtualisation promises much - if you build in security from the get-go, says Rob Buckley.
If there is one thing that seems certain, it is that the amount of work involved with IT and IT security is going to increase. With more servers, desktops and devices come more patching, configuration, malware, sources of data leakage, possible points of intrusion, not to mention the task of managing all of that. Wouldn't it be good if – instead of having to do all of that across thousands of devices – it could be done just once?
That is just one of the promises of server and desktop virtualisation technologies such as VMware's vSphere and View, Oracle's VM VirtualBox and Secure Virtual Desktop, Microsoft's Terminal Services or Citrix's XenServer and XenDesktop. Instead of an OS and associated apps running individually on separate devices, virtualisation lets an organisation run several ‘virtual’ versions of that software on the same machine, each in its own environment or host. Each of these hosts can be based on a single ‘image’ of a standard OS with the correct security policies added and up-to-date software installed. If the organisation needs another server, it can create a new host from the master image; if a server needs to be repaired, all its hosts can be moved to another server. With desktop virtualisation, employees can access their desktop and apps anywhere, on any machine or compatible device that can run a virtual machine ‘player’, yet data never leaves the enterprise.
Darren Argyle, security services and compliance management leader at IBM, argues that server virtualisation enables businesses to compete efficiently. “From the IT side, costs per unit of work will fall or the cost of deploying an equivalent physical set of infrastructure will be higher due to reduced complexity, enhanced resource use, recaptured floor space and improved energy efficiency.”
Virtualised desktops also have many advantages. “A lot of organisations are moving to virtualised desktops,” says David Ting, founder and CTO of Imprivata. “Desktop virtualisation has an incredibly good security profile. Not only can you manage the desktop centrally, you can start to tailor the definition for each template for each desktop assigned to a role – you don't need to have any local data stored at the endpoint.”
Matthew Raymond, IT director at Trailfinders, agrees that desktop virtualisation has many advantages. About a year ago, he started looking at it in earnest because of Windows 7. With 28 sites in the UK and two in Ireland, all full of PCs running Windows XP, the idea of a hardware refresh and a new version of Windows had already been enough to prevent a Windows Vista upgrade, but he found the simplicity of VMware's desktop virtualisation software “hugely appealing”. He started a proof-of-concept project, using VMware ESX, VMware View and RES Software's Workspace Manager to manage users' virtual desktop profiles. “Relatively quickly, it worked. It hung together.” Then when a new office was set to open in Exeter last August, Raymond decided to roll out the proof of concept to the new office, albeit with “some level of nervousness”. Such a success was this first site that he has now replaced the PCs at an established office in Norwich with Wyse thin terminals and virtual desktops. He and his team managed to do it overnight. “It is all going brilliantly.”
Potentially, however, that flexibility and centralisation can lead to fresh problems, particularly in security. Consolidating all your servers down to just a few machines results in single points of failure. It could also make it easier for a malicious employee to gain access to far more data. Incorrect configuration can result in poor performance or security flaws. Add to this the increased complexity, additional expertise required and licensing problems and it is easy to see why most firms haven't switched more than a few systems over to a virtualised infrastructure.
Nevertheless, it is possible to reduce and eliminate some or all of these problems with the right techniques and technologies. Initially, before embarking on virtualisation or extending an existing virtualisation strategy, the CIO or CISO should look at the architecture of the planned system and try to reduce complexity. “You need to architect-in security rather than bolt it on afterwards,” says Garry Sidaway, director of security strategy at Integralis. In particular, CxOs should look at where data will flow in the virtualised system and where it will end up. “You need to put in a control process around moving and building VMs,” Sidaway adds.
Paul Simmonds, founder of the Jericho Forum, has a rule of thumb: “You should be able to draw it on a piece of paper. The instant someone comes along and tries to draw a 2x2 matrix or a 3D grid is when you know it's too complicated.”
In general, data with the same levels of security can be allowed to mix in different virtual machines on the same physical server, says Peter Wood, member of the ISACA UK Security Advisory Group and CEO of First Base Technologies. However, data of mixed importance should be kept separated. This is particularly true for systems covered under PCI DSS regulations, which will require more stringent protection for any physical server containing customer data, irrespective of whether the data is separated from other data in a virtual machine.
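The placement rule Wood describes (same-level data may share a physical server, mixed levels should not, and any server holding cardholder data falls under PCI DSS as a whole) can be checked mechanically against an inventory. The following is an added example, not from the article or any vendor; the classification scheme, host names and VM records are all constructed:

```python
"""Co-residency check for VM placement by data classification.

Added example (not from the article): given a constructed inventory of
virtual machines, each tagged with a classification level and the physical
host it runs on, report hosts that mix classifications and hosts that carry
cardholder data, which bring the whole host into PCI DSS scope regardless
of the VM boundaries on it.
"""
from collections import defaultdict

# Ordering of classification levels, lowest to highest (assumed scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "pci": 3}

# Constructed sample inventory: (vm_name, host, classification).
INVENTORY = [
    ("web-01", "esx-a", "public"),
    ("web-02", "esx-a", "public"),
    ("crm-db", "esx-b", "confidential"),
    ("intranet", "esx-b", "internal"),
    ("payments", "esx-c", "pci"),
    ("dev-sandbox", "esx-c", "public"),
]


def vms_by_host(inventory):
    """Group VM records by the physical host they are placed on."""
    hosts = defaultdict(list)
    for name, host, level in inventory:
        if level not in LEVELS:
            raise ValueError(f"unknown classification {level!r} on {name}")
        hosts[host].append((name, level))
    return hosts


def check_placement(inventory):
    """Return a list of (host, finding) tuples describing policy violations.

    Rule 1: every VM on a host must share one classification level.
    Rule 2: a host carrying any 'pci' VM is in scope for PCI DSS controls
            as a whole, so each non-pci VM on it is flagged separately.
    """
    findings = []
    for host, vms in sorted(vms_by_host(inventory).items()):
        levels = {level for _, level in vms}
        if len(levels) > 1:
            findings.append((host, f"mixed classifications: {sorted(levels)}"))
        if "pci" in levels:
            for name, level in vms:
                if level != "pci":
                    findings.append((host, f"{name} ({level}) shares a PCI-scoped host"))
    return findings


def highest_level(inventory, host):
    """Classification level the host must be protected to (max over its VMs)."""
    vms = vms_by_host(inventory).get(host, [])
    if not vms:
        return None
    return max((level for _, level in vms), key=LEVELS.__getitem__)


if __name__ == "__main__":
    for host, finding in check_placement(INVENTORY):
        print(f"{host}: {finding}")
```

Run against a real export the same way: the host is protected to its highest-level VM, so a single out-of-place development VM on a PCI host is what the second rule catches.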
Nick Seaver of Deloitte's security team says a good idea is to limit functionality of each virtual machine image. By ensuring each machine only does what is necessary, it is possible “to reduce the attack surface susceptible to abuse”, he says.
However, Simmonds cautions against too much simplicity in architecting virtual environments. Although the temptation is to virtualise security, such as firewalls, the possibility of misconfiguration, of overlooking virtualised appliances in updates, harder management and bugs all mean that physical appliances should be used where possible. “It is basic security 101. For each component in security controls, there should be a very simple test to prove if something works or not.”
Network traffic should also be inspected, just as it would be in a normal environment. The risk with virtualised systems is that a malware infection in one virtual machine can spread more easily to a virtual machine on the same system. Data should also be encrypted between virtual machines – as should the virtual machines in transit between servers, to prevent ‘sniffing’ of data.
Configuration needs to be correct at the outset. “The number one thing when deploying any kind of technology is to get qualified people to set it up,” says Doug Philips, senior product marketing manager at VMware. “Before delving into anything more complex, set it up correctly, rather than just deploying the out-of-the-box configuration.”
As well as the initial architecture, maintenance is something to consider. With server and desktop virtualisation, the hypervisor that runs all the virtual machines as well as the operating system – if there is one – on which it runs will need to be patched when updates are available. Although security flaws in hypervisors have been infrequent, the potential for such flaws to be exploited – aka ‘hyperjacking’ – is there, giving access to all the virtual machines on a server. “It's game over if they control the host OS or hypervisor,” says Wood. “One team needs to be looking after the hypervisor, irrespective of virtual machines.” In particular, he advises against allowing remote admin of the hypervisor, or at the very least using multi-factor authentication.
“It is a growing concern,” says Tim Mather, senior adviser for KPMG's I-4 team. “You need to open up the hypervisor for introspection to see if it has been compromised, but if you do, are you opening it up for attack? Even if you boot from a trusted source, that is great at start-up, but how do you monitor the hypervisor to continue to ensure that it is secure? There is quite a debate in the virtualisation community.”
Even if not fully compromised, the possibility also exists for flaws in the hypervisor to allow ‘jumping’ between VMs: a malware attack on one machine, typically less secure, allows for attacks on others – and potentially the hypervisor itself. Some attacks have used two or more VMs to attack more secure ones. There are products available to stop this kind of jumping, however, such as Check Point's Security Gateway VE, which sits as a gateway layer between VMs, at the hypervisor layer or on the LAN, safeguarding VMs. “It can protect the virtual world from anything you can protect in the real world,” says Caroline Ikomi, technical director at Check Point.
Patching should be the same as with any physical production server; however, many organisations focus on the VMs, but not the hypervisors and OS beneath. Nevertheless, hardening of both the hypervisor and the VMs it supports needs to be managed and there are systems such as Dell's Kbox virtual appliance that can help. Although virtualisation enables many VMs to be patched simultaneously, simply through patching the image from which they come, not all VMs may be active at time of patching. Some systems allow for dormant virtual machines to be patched, but others will need them to be activated before they can be patched.
If patching goes awry, backups will become even more important, since so many VMs will depend on the same image. “There needs to be much more upfront planning,” says Ting. “You really need to think through how you will restore systems.”
Most security tools can continue to do the same jobs as before. However, as Mather points out, others will need to be able to look not just at the server and its activity but inside the VMs to monitor behaviours. Equally, performance can be affected by security tools that work with virtual machines but haven't been configured to work with virtual environments: an anti-malware program updating its definitions on a single virtual desktop is not a problem; 1,000 virtual desktops all getting their updates at once will be.
As a result, some virtual vendors have developed APIs that allow security software on the physical server to access VMs – VMware, for example, has APIs called VMsafe and EPSEC (endpoint security), which it and companies such as McAfee, Sophos and Trend Micro use.
Trend Micro's Deep Security product for VMware works with VMsafe and EPSEC to provide intrusion detection and prevention, firewall, integrity monitoring, log inspection and anti-malware capabilities in a single product for virtual machines. “Deep Security is agentless anti-malware,” says Trend Micro's senior security advisor, Rik Ferguson. “We can keep going in through the hypervisor to achieve everything and keep the load light.”
Log inspection is especially important since forensics can also prove difficult with virtualisation, not just in the case of a breach, but also for compliance. “If a transactional server disappears, how do you prove it?” asks Adrian Davis, research analyst at the ISF. “You need to prove whatever happened has been destroyed and you need to prove that what happened actually happened.”
Similarly, the ease with which VMs can be deployed is also a potential problem. If a development team wants to create a new virtual server, it need do little more than copy and paste an existing virtual machine's image, then run it. It is easy to forget that such a virtual machine exists and it can be left running, leaving security flaws without patch management.
Ipswitch's WhatsUp Gold system monitors networks for VMs. “There can be hundreds of VMs and people have forgotten what they were used for,” says Marina Gil-Santamaria, director of product management at Ipswitch's network management division.
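The two maintenance problems above, copied VMs that nobody owns and dormant VMs that miss an image-level patch, can be pulled out of an ordinary inventory export. This is an added example, not the article's own material and not Ipswitch's or Dell's product; the export records, template names and dates are constructed:

```python
"""Orphaned and stale VM report.

Added example, not part of the article or of any vendor's product. It runs
over a constructed inventory export and flags the problems the article
describes: VMs nobody owns, VMs whose patch level is older than the master
image they were cloned from, and dormant VMs that cannot pick up a patch
until they are powered on (or patched offline, where the platform allows).
"""
from datetime import date

# Constructed export of a VM inventory: one dict per VM.
EXPORT = [
    {"name": "app-01", "owner": "web-team", "state": "on",
     "last_patch": "2011-05-02", "template": "win2008-std"},
    {"name": "app-01-copy", "owner": "", "state": "on",
     "last_patch": "2010-11-14", "template": "win2008-std"},
    {"name": "test-db", "owner": "dev-team", "state": "off",
     "last_patch": "2010-09-01", "template": "win2008-std"},
    {"name": "file-01", "owner": "ops", "state": "on",
     "last_patch": "2011-05-02", "template": "win2008-std"},
]

# Constructed: the date each master image was last patched.
TEMPLATE_PATCHED = {"win2008-std": "2011-05-02"}


def audit_vms(export, template_patched, today, max_age_days=30):
    """Return {vm_name: [issues]} for every VM that needs attention.

    today and all dates in the export are ISO strings (YYYY-MM-DD).
    """
    today = date.fromisoformat(today)
    report = {}
    for vm in export:
        issues = []
        patched = date.fromisoformat(vm["last_patch"])
        image = template_patched.get(vm["template"])
        image_date = date.fromisoformat(image) if image else None
        age = (today - patched).days

        if not vm["owner"]:
            issues.append("no owner recorded")
        if image_date and patched < image_date:
            issues.append("behind master image")
        if age > max_age_days:
            issues.append(f"unpatched for {age} days")
        # A dormant VM does not receive the patch applied to its image;
        # it must be powered on, or offline-patched, before it is safe.
        if vm["state"] == "off" and issues:
            issues.append("dormant: power on or offline-patch before remediation")
        if issues:
            report[vm["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit_vms(EXPORT, TEMPLATE_PATCHED, "2011-06-01").items():
        print(name, "->", "; ".join(issues))
```

The ownerless clone is the copy-and-paste case from the text; the powered-off test database shows why patching the image alone does not finish the job.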
One of desktop virtualisation's biggest advantages for security is potentially also one of its biggest disadvantages: its near hardware-independence. With the virtual desktop hosted on a server, integration with USB devices on the end machine, for example, becomes harder. That makes certain equipment, such as biometric readers and smartcard readers, harder to integrate into authentication policies, even if they are available.
However, various companies, such as Imprivata with its OneSign range, offer specific technologies designed to integrate strong authentication with virtual desktop technology.
Finally, there is the age-old risk of the malicious admin, able to hack virtual machines because of his or her near-unrestricted access to the servers and the hypervisor. Wood, Sidaway and Davis all recommend separating duties, so that admins with the access to the hypervisor do not have access to the virtual machines and vice versa. Seaver says that access to the virtual machine environment must be monitored and logged to detect insider threats – and because some attacks may only be visible through anomalies in CPU usage and network traffic patterns. Employees are easier to handle, he says. Desktop virtualisation allows desktop management to be far easier, with different users getting different desktops according to their job roles, their current location, how they logged on, what device they used to log on and even more complex criteria.
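Seaver's remark that some insider activity is visible only as anomalies in CPU usage and network traffic translates into a baseline-and-deviation check over per-VM telemetry. The block below is an added example, not from the article; the sampling interval, the metric names and the telemetry series (including the spike on the constructed `hr-db` VM) are all made up for illustration:

```python
"""Baseline-and-deviation check over VM resource telemetry.

Added example, not from the article. It takes a constructed series of
per-VM samples (cpu percent, network egress in MB) collected hourly,
builds a per-VM baseline from the first day of samples, and flags later
samples that sit further from that baseline than a chosen number of
standard deviations. This is the simplest shape of the anomaly detection
the article describes; a production system would also baseline by time of
day and correlate with the access logs the same paragraph calls for.
"""
from statistics import mean, pstdev

# Constructed telemetry: vm -> list of (hour, cpu_pct, egress_mb).
# hr-db has a flat profile, then a large CPU and egress spike at hour 26.
TELEMETRY = {
    "hr-db": [(h, 20 + (h % 3), 5 + (h % 2)) for h in range(24)]
             + [(24, 22, 6), (25, 21, 5), (26, 85, 410), (27, 20, 6)],
    "web-01": [(h, 40 + (h % 5), 30 + (h % 4)) for h in range(24)]
              + [(24, 42, 31), (25, 44, 33), (26, 41, 30), (27, 43, 32)],
}


def baseline(samples):
    """Mean and standard deviation of cpu and egress over the training samples."""
    cpu = [c for _, c, _ in samples]
    net = [n for _, _, n in samples]
    return {"cpu": (mean(cpu), pstdev(cpu)), "net": (mean(net), pstdev(net))}


def zscore(value, stats, floor=1.0):
    """Standard score, with a floor on sigma so a flat baseline does not
    turn ordinary jitter into an alert."""
    mu, sigma = stats
    return (value - mu) / max(sigma, floor)


def find_anomalies(telemetry, train_samples=24, threshold=4.0):
    """Return [(vm, hour, metric, zscore)] for samples beyond the threshold."""
    findings = []
    for vm, samples in telemetry.items():
        stats = baseline(samples[:train_samples])
        for hour, cpu, net in samples[train_samples:]:
            for metric, value in (("cpu", cpu), ("net", net)):
                z = zscore(value, stats[metric])
                if abs(z) > threshold:
                    findings.append((vm, hour, metric, round(z, 1)))
    return findings


if __name__ == "__main__":
    for vm, hour, metric, z in find_anomalies(TELEMETRY):
        print(f"{vm} hour {hour}: {metric} deviates {z} sigma from baseline")
```

A hit on both metrics for the same VM in the same hour, as the constructed data produces, is the pattern worth joining against who held a console or hypervisor session at that time.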
In the long term, the advantages of virtualisation are such that server virtualisation, at least, will be something every organisation implements. “Organisations can't afford to have rack on rack of servers doing nothing,” says Davis. Virtual machine penetration increased 50 per cent last year, according to Gartner, which also believes that nearly 30 per cent of all workloads running on x86 servers are now running on virtual machines.
Sidaway argues that advances in network and broadband speeds and the power of mobile devices mean that desktop virtualisation will be something that every organisation will be able to at least consider.
“Soon, you won't need to store files on local drives at all, but that will require a robust trust model,” he says. More and more, the OS will be there just to launch a browser, with everything else being run in the cloud.
Ubiquitous desktop virtualisation still faces problems from licensing, says Raymond. While upfront costs of moving to virtualisation are easy to justify to a board, the ongoing costs “effectively just to use Windows” remain much harder to justify. “It is a cost-saver in the medium term, but the way it is calculated needs to be much more sophisticated,” he says.
Virtualisation offers considerable benefits and in the long term will become a ubiquitous enterprise technology. However, simply because it is easy to implement, it doesn't mean that it should be implemented – at least not without considering and mitigating against the security problems it can cause.
Virtualisation, the cloud and consumerisation
Virtualisation may have been around for a long time now, but new trends are making it even more apposite. Cloud computing provides services and additional computing power over the internet, which in a world of virtualised servers means that virtual machines can theoretically be moved into the cloud when necessary, to provide near-limitless scalability. With more people wanting to use their own computers and smartphones for work (aka ‘bring your own computer’ – or BYOC), the management has the potential to be a nightmare.
“Clever people want the latest technology,” says Garry Sidaway, director of security strategy, Integralis. “It is an opportunity to be more efficient and more creative. The question is how you enable that creativity and how you build responsibility.”
Desktop virtualisation means that almost any device can become a corporate desktop, all without any data needing to leave the enterprise or software to be installed on the end devices. Law firm SNR Denton used to have a remote access implementation that involved a VPN and a connectivity client, but it was too slow and only supported 50 concurrent connections from official company laptops. Last September, SNR Denton completed a Citrix virtualised desktop implementation that allows for up to 800 concurrent connections. Rikkii Richman, IT service delivery manager at SNR Denton, said it had unexpected bonuses. “People started using their equipment, rather than company laptops. They preferred their own devices.” Alan McBride, IT infrastructure project manager, says virtualisation and BYOC have had benefits for the business too. “Before, staff had to get a company laptop by prior arrangement. Obviously, there were risks associated with that and even though we have encryption, we don't want to be losing IP. This negates that.”
Chris Jenkins, security business manager at Dimension Data, agrees. “Virtualisation does all of these things very well. Some of the largest partners I work with, including Microsoft and Cisco, have adopted BYOC policies themselves. Employees can buy their own laptops and view their virtual desktop environment on them.” However, he warns that companies should not just assume virtualisation means BYOC is risk-free. “If you allow BYOC, you have to ensure that devices are enabled for remote wipe and employees need to sign up to this policy.”
Companies such as RES Software provide software that can also restrict access to certain functions for virtual software. Grant Tiller, senior product manager at RES, says its software can make local disks read-only and disallow USB sticks.
Jenkins says that server virtualisation within the cloud is also an option, with certain caveats. “The majority of cloud providers are out of the US, so for organisations based in the UK, there might be different rules and regulations around compliance, such as the 2001 Patriot Act.”
Rik Ferguson, senior security advisor, Trend Micro, says it is getting huge interest in its SecureCloud product to avoid the security problems that cloud providers may bring about. “You can provision data to the public cloud in an encrypted format. The virtual machine requests access to the encryption keys you keep, but data is encrypted at all times.”
Case Study: Standard Bank
Standard Bank is the largest banking group in Africa and operates in 33 countries, including the UK. It employs 1,000 staff in its London office, the hub from which it manages all of its international operations outside Africa.
The company was looking to cut down on server sprawl, reduce the amount of new server hardware it had to buy and reduce its power costs, so chose to virtualise a significant number of its servers, says Standard's infrastructure architect, Joel King. By moving to virtualised servers running on VMware, the company was able to avoid the redeployment or purchasing of over 140 new servers.
Security “was not high on the list of concerns”, according to King, in part because there were few virtualisation-aware security products available. “We had lots of DMZ networks and some separate development VLANs. We have normal firewalls, Cisco ASA firewalls, penetration testing by external companies. Anything which we didn't want to have that kind of connectivity in the physical estate, we keep separate in the virtual estate as well.”
King says the company had standard security measures in place as well and had kept the same structure moving into a virtualised environment, following guidance on what needed to be kept physically separate for compliance reasons. Patch management using Microsoft tools remains the same for both physical and virtual environments. The company's technical risk and audit office can inspect inside the environments to ensure compliance with governance requirements. However, AV needed special considerations. “We had to have a good look at the times AV was running: if they all run at the same time during business hours or when the server is under load, that can put strain on the physical host.”
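The strain King describes when every guest runs its AV scan at once is the same problem raised earlier in the article for 1,000 virtual desktops updating simultaneously; the usual remedy is to stagger the jobs per physical host. The following is an added example serving both passages, not from the article, Standard Bank or any AV vendor; the desktop-to-host mapping, window length and concurrency limit are constructed:

```python
"""Staggered AV schedule for a virtual desktop estate.

Added example, not from the article or any vendor. Desktops on the same
physical host are dealt out round-robin across slots within a maintenance
window so that no more than max_per_host_slot of them start a scan or
signature update in the same slot. peak_concurrency() verifies the plan,
and shows what an unstaggered schedule would do to a host.
"""
from collections import defaultdict

# Constructed: desktop -> physical host, 40 desktops over 4 hosts.
DESKTOPS = {f"vd-{i:03d}": f"esx-{i % 4}" for i in range(40)}


def schedule(desktops, window_minutes=120, slot_minutes=10, max_per_host_slot=3):
    """Assign each desktop a start offset in minutes into the window.

    Returns {desktop: offset}. Raises ValueError when a host has more
    desktops than the window can hold at the configured concurrency.
    """
    slots = window_minutes // slot_minutes
    by_host = defaultdict(list)
    for desktop, host in sorted(desktops.items()):
        by_host[host].append(desktop)

    plan = {}
    for host, names in by_host.items():
        capacity = slots * max_per_host_slot
        if len(names) > capacity:
            raise ValueError(f"{host}: {len(names)} desktops exceed window capacity {capacity}")
        # Round-robin over slots: the i-th desktop on a host lands in slot i % slots,
        # so a slot on that host is reused only after every slot has been used once.
        for i, desktop in enumerate(names):
            plan[desktop] = (i % slots) * slot_minutes
    return plan


def peak_concurrency(plan, desktops):
    """Largest number of desktops sharing one (host, offset) pair in the plan."""
    counts = defaultdict(int)
    for desktop, offset in plan.items():
        counts[(desktops[desktop], offset)] += 1
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    plan = schedule(DESKTOPS)
    print("staggered peak per host:", peak_concurrency(plan, DESKTOPS))
    print("unstaggered peak per host:", peak_concurrency({d: 0 for d in DESKTOPS}, DESKTOPS))
```

Shrinking the window raises the per-slot load until the capacity check fails, which is the point at which either the window must grow or the estate needs the hypervisor-level, agentless scanning the article describes.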
Following the success of its server virtualisation programme, Standard Bank began looking into the potential benefits of desktop virtualisation and has now rolled out VMware View to 70 per cent of its 1,000 users. Having greater visibility of end-user machines means that, should the IT team notice any abnormal behaviour that could constitute a security threat, it can gain instant remote access to the end-user desktop to investigate and react quickly to any potential issue. Similarly, with information now stored centrally rather than on each individual PC or laptop, the risk of data loss has also been drastically reduced and recovering after any major outage is far easier to manage.
“We use it for remote working as well, which is one of the major benefits we have got from this solution,” says King. “The security office decided that it didn't want people to VPN with a traditional client, so we use the Cisco ASA SSL VPN. It is just a browser-based VPN. You log in with a secure token and password and you get the View client.”
A move to a server virtualisation infrastructure is now being planned, in order to increase virtualisation to about 90 per cent. King says security is already being considered. “We are looking at potentially virtualising DMZs using vShield zones. We are looking at our security products: we use Trend Micro products and we've looked at betas of products such as Deep Security. We are looking more towards an environment where we just segregate virtually, rather than keeping segregation physical.” The new platform should also allow access virtualisation within both private and public clouds. “We are looking to build up into more of a self-service, provisioned environment based on virtualisation,” King adds. This, of course, will bring its own security implications that King is still considering, with VMware's Cloud software providing a possible architecture.