Off The Cuff Review: Nemertes Research’s “Virtualization Risk Analysis”
I just finished reading a research paper from Andreas Antonopoulous from Nemertes titled "A risk analysis of large-scaled and dynamic virtual server environments." You can find the piece here:
Executive Summary
As virtualization has gained acceptance in corporate data centers,
security has gone from afterthought to serious concern. Much of the
focus has been on the technologies of virtualization rather than the
operational, organizational and economic context. This comprehensive
risk analysis examines the areas of risk in deployments of virtualized
infrastructures and provides recommendations
I was interested by two things immediately:
- While I completely agree with the fact that in regards to virtualization and security the focus has been about the "…technologies of virtualization rather than the
operational, organizational and economic context" I’m not convinced there is an overwhelming consensus that "…security has gone from afterthought to serious concern" mostly because we’re just now getting to see "large-scaled and dynamic virtual server environments.’ It’s still painted on, not baked in. At least that’s how people react at my talks.
- Virtualization is about so much more than just servers, and in order to truly paint a picture of analyzing risk within "large-scaled and dynamic virtual server environments" much of the complexity and issues associated specifically with security stem from the operational and organizational elements associated with virtualizing storage, networking, applications, policies, data and the wholesale shift in operationalizing security and who owns it within these environments.
I’ve excerpted the most relevant element of the issue Nemertes wanted to discuss:
With all the
hype surrounding server virtualization come the inevitable security
concerns: are virtual servers less secure? Are we introducing higher
risk into the data center? For server virtualization to deliver
benefits we have to examine the security risks. As with any new
technology there is much uncertainty mixed in with promise. Part of the
uncertainty arises because most companies do not have a good
understanding of the real risks surrounding virtualization.
I’m easily confused…
While I feel the paper does a good job of describing the various stages of
deployment and many of the "concerns" associated with server
virtualization within these contexts, I’m left unsatisfied that I’m anymore prepared to assess and manage risk regarding server virtualization. I’m concerned that the term "risk" is being spread about rather liberally because there is the presence of a bit of math.
The formulaic "Virtualization Risk Assessment" section is suggested to establish a quantatative basis for computing "relative risk," in the assessment summary. However, since the variables introduced in the formulae are subjective and specific per asset, it’s odd that the summary table is then seemingly presented generically so as to describe all assets:
Scenario | Vulnerability | Impact | Probability of Attack | Overall Risk |
---|---|---|---|---|
Single virtual server (hypervisor risk) | Low | High | Low | Low/Medium |
Basic services virtualized | Low | High | Medium | Medium |
Production applications virtualized | Medium | High | High | Medium/High |
Complete virtualization | High | High | High | High |
I’m trying to follow this and then get smacked about by this statement, which explains why people just continue to meander along applying the same security strategies toward virtualized servers as they do in conventional environments:
This conclusion might appear to be pessimistic at first glance.
However, note that we are comparing various stages of deployment of
virtual servers. A large deployment of physical servers will suffer
from many of the same challenges that the “Complete Virtualization”
environment suffers from.
Furthermore, it’s unclear to me how to factor in compensating controls into this rendering given what follows:
What is new here is that there are fewer solutions for providing
virtual security than there are for providing physical security with
firewalls and intrusion prevention appliances in the network. On the
other hand, the cost of implementing virtualized security can be
significantly lower than the cost of dedicated hardware appliances,
just like the cost of managing a virtual server is lower than a
physical server.
The security solutions available today are limited by how much integration exists with the virtualization platforms today. We’ve yet to see the VMM’s/Hypervisors opened up to allow true low-level integration and topology-sensitive security interaction with flow classification, provisioning, and disposition.
Almost all supposed "virtualization-ready" security solutions today are nothing more than virtual appliance versions of existing solutions or simply the same host-based solutions which run in the VM and manage not to cock it up. Folding your management piece into something like VMware’s VirtualCenter doesn’t count.
In general, I simply disagree that the costs of implementing virtualized security (today) can be significantly lower than the cost of dedicated hardware appliances — not if you’re expecting the same levels of security you get in the conventional, non-virtualized world.
The reasons (as I give in my VirtSec presentations): Loss of visibility, constraint of the virtual networking configurations, coverage, load on the hosts, licensing. All really important.
Cutting to the Chase
I’m left waiting for the punchline, much like I was with Burton’s "Immutable Laws of Virtualization," and I think the reason why is that despite these formulae, the somewhat shallow definition of risk seems to still come down to nothing more than reasonably-informed speculation or subjective perception:
So, in the above risk analysis, one must also
consider that the benefits in virtualization far outweigh the risks.
The question is not so much whether companies should proceed with
virtualization – the market is already answering that resoundingly in
the affirmative. The question is how to do that while minimizing the
risk inherent in such a strategy.
These few sentences above seem to almost obviate the need for risk analysis at all and suggests that for most, security is still an afterthought. High risk or not, the show must go on?
So given the fact that virtualization is happening at breakneck pace, we have few good security solutions available, we speak of risk "relatively," and that operationally the entire role and duty of "security" within virtualized environments is now shifting, how do we end up with this next statement?
In the long run, virtualized security solutions will not only help
mitigate the risk of broadly deployed infrastructure virtualization,
but will also provide new and innovative approaches to information
security that is in itself virtual. The dynamic, flexible and portable
nature of virtual servers is already leading to a new generation of
dynamic, flexible and portable security solutions.
I like the awareness Andreas tries to bring in this paper, but I fear that I am not left with any new information or tools for assessing risk (let alone quantifying it) in a virtual environment.
So what do I do?! I still have no answer to the main points of this paper, "With all the
hype surrounding server virtualization come the inevitable security
concerns: are virtual servers less secure? Are we introducing higher
risk into the data center?"
Well? Are they? Am I?
/Hoff
So what do I do?! I still have no answer to the main points of this paper, "With all the hype surrounding server virtualization come the inevitable security concerns: are virtual servers less secure? Are we introducing higher risk into the data center?"
Well? Are they? Am I?
Dirty Harry said it best:
"You've got to ask yourself a question: Do I feel lucky?"
Hoff,
Thanks so much for taking the time to read and respond to our analysis on virtualization security. I think the reason you are feeling that you are left with no answers is that this paper does not stand in isolation. It was published to debunk some of the hype that has focused all attention on hypervisor security, which misses the point (as I think you agreed). There are 3-4 companion papers to this that address the parts that you were left wanting: best practices, deployment practices, products and technologies to address the problem. Unfortunately those papers are only available to our retainer clients. We have to be selective as to which papers we make available for free and which papers we offer for fee.
In 2 months we will start a large research benchmark project on virtualization, in order to collect more data points on current practices. We expect to use that research to publish papers, conduct webinars and present at conferences starting in Q2'08.
Thanks again for the feedback.
Andreas
Andreas:
Thanks for the comment. I totally agree that the biggest challenge we have today is operational and organizational.
I've seen your best practices paper and it is very good.
I am really interested in discussing with you the trend you mention where security is less an afterthought.
As the solutions emerge in the security space (as they have in the management space) I think this is going to get even more confusing; it's going to be a gold rush for security vendors and even more confusing for customers.
/Hoff
Tell me your virtualization security story
0vote
Earlier today my colleague Rob Westervelt wrote about VMware’s plans to unveil what it calls VMsafe — a partnership program with Symantec, McAfee, the Internet Security Systems division of IBM, EMC’s RSA security division, and Check Poin