Securing the virtualised environment

Watch out for Storm Worm, Blue Pill and other cyber threats

More and more small companies are virtualising their infrastructure, but many fail to realise that such systems are as likely to be prone to hacking and cyber attacks as their physical counterparts.

This means that as far as security is concerned, the IT manager has to put as much thought into securing virtual servers as they would with physical servers. While the environment is virtual, the threats are very real.

More and more cyber criminals have virtualised infrastructure in their sights. According to Srinivas Mantripragada, Vice President of Technology at network security firm Infoblox, one such example of malware attacking virtualisation is the Storm Worm. This uses virtual machine detection techniques to put itself to sleep in VMware or Microsoft virtual environments.

Other threats include hardware virtualisation rootkits, such as the Blue Pill identified by security researcher Joanna Rutkowska.

"The supposed threat embodied by Blue Pill is that one could create a piece of malware that also was a virtual machine monitor (VMM)," says Mantripragada. "If the VMM could take over the host operating system, then it could potentially hide a virus from that virtual machine by remaining within the VMM.

"The reality is that the very infection technique to which the creator alludes can be used to discover and disarm the exploit."

Lack of knowledge

There is evidence that companies are not taking these threats as seriously as they should. A poll carried out by IT security firm Kaspersky in June of last year found that 42% of firms thought their virtual servers were more secure than physical ones, despite one in three admitting their knowledge of virtualisation was basic.

David Emm, Senior Security Researcher at Kaspersky Lab, says that while the potential security risk to the physical server is acknowledged, the risk to virtualised systems running on it is overlooked. There is a belief that their security is somehow built-in, or they are protected behind the physical computer's security.

"It is vital that virtual systems are considered in the same way as physical servers when developing a business security policy," Emm says. "The server may be virtual, but the data is real and must be secured."

Smaller businesses may not have the dedicated personnel on hand to fully understand virtualised infrastructure and how it can be safeguarded. So what can IT managers here do to ensure virtual workloads run safely?

Mantripragada says that IT professionals should ensure that the right combination of processes and products is put in place to minimise risks.

"Anti-virus software should be deployed across all systems commonly at risk of being affected by malicious software, particularly personal devices and servers, and with special attention given to hypervisors," says Mantripragada.

Cloud challenge

Andrew Carr, UK and Ireland chief executive at Bull says that bringing a private cloud and pervasive virtualisation to reality is invariably a daunting task, particularly for small to midsized businesses.

"They need to ensure they understand the requirements of business critical applications on their private cloud and that they can meet service level agreements (SLAs) by adopting an approach based around flexibility, agility and security," Carr says.

He adds that the Holy Grail for most organisations looking to establish a secure virtualised environment will be something that is "ready to run", which keeps IT infrastructures simple while meeting the SLAs required for any type of application.

"Critically too, from the security perspective, any platform chosen needs to embed the highest levels of security to ensure controlled access, secure connections and monitor safeguarding of data," he says.

Lee Newcombe, Managing Information Security Consultant at Capgemini, says that in a purely physical environment it can be straightforward to identify security domains and associated boundaries, but it is more problematic in the virtualised world.

"An organisation can virtualise its networks, devices, operating systems and storage, but there remains an issue around whether any virtualised boundaries are adequately secured to meet the requirements of the business," Newcombe says. "There is a fundamental prerequisite to make sure that there is a common understanding of the security requirements."

He says that, depending on the requirements of the business, some defined security boundaries can be put in place. The organisation can then start to make sensible decisions about the suitability of virtualising specific components and the relevant controls to apply.

"Tools are available to monitor traffic traversing virtual networks and to control or monitor traffic between virtual machines sharing a physical host," Newcombe says. "As ever, the trick is in identifying the correct tool to meet the underlying requirement. Traceable security architecture can be very helpful."

But it is not just the external threats that need to be looked at. The biggest threats to both physical and virtual environments are internal, says Paul Marsh, Senior Director, Technology Infrastructure at Avanade UK.

"This does not mean there is a tendency for employees to be malicious but that mistakes can happen which could have big repercussions," he says.

"SMBs in particular have small IT teams or outsource parts or all of their IT, which means that they really need to ensure that they're in control of their virtualised environments to