VMware leak highlights holes in virtual environments

Opinion by Jason Bandouveres

Virtualisation giant VMware recently scrambled to release security patches after ESX server hypervisor source code was leaked and published in April.

The patch repaired critical vulnerabilities that could have enabled an attacker to execute malicious code remotely on the host and leave an end-user's virtualised environment susceptible to a compromising cyber attack.

Among other things, the incident called into question the security of virtualised data and, for some, how the eventual migration to a virtualised network infrastructure would ultimately impact an organisation's security standing.

No doubt the transportable nature of a virtual environment adds another layer of complexity to the overall security of the network, and that can leave holes if organisations aren't aware of the location of their data or what it takes to secure it.

But whether virtual data is more or less secure largely depends on the calibre of organisations' security posture, experts say, and opinions on how to secure a virtual environment are as numerous and diverse as the organisations that house them. There is no single answer: you need to assess what that environment is and what the organisation is trying to do, and put the proper pieces in place.

The security of the virtual system will largely depend on the nature of the organisation as well as the type of virtual data and infrastructure needing to be secured. But regardless of how complex or unique the organisation's infrastructure needs, there are some basic security requirements that are necessary throughout all virtual environments.

First, while organisations will progressively virtualise more and more of their infrastructure, they still need to adopt some kind of hybrid environment and strike a balance between physical and virtual security mechanisms to adequately secure their data. Ultimately, whether it is secured via a physical or a virtual system, data stored in the virtual environment needs to be protected.

Also, physical security is at the core of the network. You need to secure the perimeter of that virtual environment, whether private or public cloud, and you still need to protect those physical assets and links.

Your virtual environment is running on some type of hardware: there are physical servers, physical storage, network, etc. Security devices are definitely necessary to protect the perimeter of these environments.

Also, in a multi-tenant or multi-client environment, the providers need to configure segregated security zones just as they would in physical environments. At this point, they will be required to invest in secure virtual appliances to secure these zones from each other, so that traffic doesn't have to be routed out of the virtual environment through physical security appliances and then back into the virtual environment to enforce a proper security zone.

The beauty of these virtual machines is that they could be running anywhere in that cloud, but the cloud provider needs to segregate one tenant from another tenant to make sure there's no leak.

There are certain compliance regulations that need to be met, so that there are no potential security issues. You need to make sure you have a rock-solid security policy and segregate those aspects in a virtual environment as well. You could have assets that shouldn't be talking to or sitting near other data on the physical servers. You need to secure inter-VM traffic and different workloads on the same physical host. You don't generally have that issue in a physical environment.

In addition, it's essential to have a central management system that can monitor both the physical and virtual security environments via a single pane of glass, in order to avoid the efficiency bottlenecks and productivity gaffes created by complicated multi-management servers.

Finally, as with physical data, virtual data is often most vulnerable when it's lost or unaccounted for. However, unlike physical systems, the mobile nature of virtual systems enables workloads to be transported easily from one host or server to another. As such, organisations increasingly are required to have security policies that reflect that development.

It's not something you see in the physical world. That server is never going to move. In a virtualised environment, they've got full load-balancing set up. You could see that workload move, and you need to be able to secure that.

Jason Bandouveres is a senior product specialist at Fortinet

