
Are Virtualization Laws That Are Immutable, Disputable?

A few months ago, Pete Lindstrom shot me over the draft of a Burton paper on virtualization security.  We sputtered back and forth at one another, I called him names, and then we had beer later.

The title of the paper was the "Five Immutable Laws of Virtualization Security."

I must admit, I reacted to what he sent me in a combinational fit of puzzlement and apathy.   I really couldn’t put my finger on why.  Was it the "not invented here syndrome?"  I didn’t think so.  So what was it that made me react the way I did?

I think that over time I’ve come to the conclusion that to me, these aren’t so much "immutable laws" but more so derivative abstractions of common sense that left me wondering what all the fuss was about.

Pete posted the five laws on his blog today.  A more detailed set of explanations can be found on the Burton blog here

I dare you to read through these without having to re-read each of them multiple times and then re-read them in cascading sequence since (hint) they are recursive:

Law 1: Attacks against the OS and applications of a physical system
have the exact same damage potential against a duplicate virtual system.

Law 2: A VM has higher risk than its counterpart physical system
that is running the exact same OS and applications and is configured
identically.

Law 3: VMs can be more secure than related physical systems
providing the same functional service to an organization when they
separate functionality and content that are combined on a physical
system.

Law 4: A set of VMs aggregated on the same physical system can only
be made more secure than its physical, separate counterparts by
modifying the configurations of the VMs to offset the increased risk
introduced by the hypervisor.

Law 5: A system containing a “trusted” VM on an “untrusted” host has
a higher risk level than a system containing a “trusted” host with an
“untrusted” VM.

Ultimately, I’d suggest that for the most part, these "observations" are correct, if not oversimplified in a couple of spots.  But again, I’m left with the overall reaction of "so what?" 

Pete even mentions the various reactions he’s been getting:

I have been getting interesting reactions to these. Some say they
are wrong. Some say they are common sense. Some just don’t like the
word "immutable." I think they serve to clarify some of the confusion
that comes up when discussing virtualization by applying fairly
straightforward risk management principles.

I want to believe that somehow these "laws" will enable some sort of actionable epiphany that will magically allow me to make my virtualized systems more secure, but I’m left scratching my head regarding who the audience for this was.

I don’t think it clarifies any "confusion" regarding risk and virtualization and I’m puzzled that Burton suggests that these "laws" will enlighten anyone and dispel any confusion relating to whether or not deploying virtualization is more or less risky than not deploying virtualization:

In reality, we can apply traditional security practices to
virtualization to determine whether risk increases or decreases with
new virtualization architectures. It shouldn’t be surprising that the
increase or decrease in risk is predicated on the current architecture.
Here are five laws to live by when evaluating your virtualization
architectures.

When combining the standard risk principles with an understanding of
the use cases of virtualization, a set of immutable laws can be derived
to assist in securing virtual environments

So, I’m with the "common sense" crowd since most of these "laws" have been discussed — and some practical advice to go along with them — for quite some time before the "Burton Tablets" came down from the mountain.

So I don’t disagree, but I’m reminded of a couple of good lines from a bad movie wherein the nasty knight says to the good knight "you’ve been weighed, measured and found wanting…"

So, there we are.  My $0.02.  I think I’ll add a slide or two about this at the virtualization forum next month…

/Hoff

  1. January 16th, 2008 at 16:28 | #1

    Applying Virtualization Security Immutable Law no. 2

    Chris Hoff had some tough things to say in his post about the Five Immutable Laws of Virtualization Security: I think that over time I've come to the conclusion that to me, these aren't so much immutable laws but more so derivative abstractions of comm…

  2. January 18th, 2008 at 19:28 | #2

    Interesting post. Those laws are mostly common sense (especially to anyone with a moderate computer security background and a basic understanding of virtualization). I don't think there is anything wrong with stating the laws other than maybe calling them laws.
    They are good for a management or IS audit perspective who must deal with a wide array of systems and who do not always have the time or resources to analyze virtualization.
    The laws are good from the point that they raise awareness even if what they are pointing out should be common sense.
    Today I had the opportunity to listen to and meet one of Burton's Senior Analysts, Chris Wolf, discuss virtualization and related security considerations. The biggest risk with VMs he believed was rogue VMs installed on users' desktops. He explained few companies monitor for VMs and, if they do monitor, know what is on those VMs. The chances of a user running a poorly secured VM are greater than the chances of an IT department not properly configuring a VM.
    Enjoyed hearing your thoughts on virtualization. Good luck with the upcoming conference (the one you posted about having free tickets to a couple of weeks ago).

  3. January 18th, 2008 at 19:59 | #3

    Thanks, Matt.
    I respect Chris Wolf's work but I, like you, seem to react strongly to the notion that they're "laws." Laws to me need empirical data to prove that they can be held true under all conditions.
    I've offered corner cases that tend to fuzz some of the corollaries of these "laws" but also not definitively enough to outright challenge them.
    I plan to bring these up during my preso.
    Also, I think that Chris is correct. Rogue VMs are going to be a huge problem.
    Check out this blog entry from May of last year regarding a real-world example I suffered through: http://rationalsecurity.typepad.com/blog/2007/05/
    Thanks for the comment.
    /Hoff
