18:30 16.02.2010 | All news from "Top Legal News"

The impact on security of virtualisation and cloud computing

OPINION: The virtues of virtualisation and cloud computing will figure in most enterprise IT infrastructure discussions during 2010. But as the industry moves towards a new IT infrastructure play, what are the implications on IT security?

This article was contributed to OUT-LAW.COM by Gert Hansen of Astaro.

Virtualisation has already proven its worth in delivering cost savings through server consolidation and better use of resources. Greater use of the technology across server infrastructures, in other areas of the IT stack, and at the desktop is widely anticipated.

The uptake of Software-as-a-Service applications such as salesforce.com, and the success of IT service outsourcing demonstrate how centralised remote computing approaches can also provide more efficient ways to deliver technology resources to users, helping cloud computing to gain greater buy-in from corporate decision-makers.

Why should security professionals be concerned?

According to research from Gartner, around 16% of all servers within enterprise IT environments are now virtualised, and the firm expects this to increase to around 50% by 2012. The market leader in this space, VMware, now has over 150,000 customers. Microsoft's virtualisation product Hyper-V is effectively free with the latest version of Windows Server, encouraging take-up of the technology and making it more accessible to the smaller business.

With any technology that is growing in importance to enterprises of all sizes, it is expected that malware writers will attempt to attack the virtualised environments, either to hijack workloads or steal critical data. An example of how virtualisation is being considered alongside security is the Payment Card Industry's Data Security Standard, where a Special Interest Group has been set up to discuss the role of virtualisation within retailers’ networks, as well as how this has an impact on protecting credit and debit card payment data.

There are three main attack targets on a virtualised environment:

  • The virtual machine workload, which will consist of an OS, applications and data, similar to a traditional server workload;
  • The hypervisor itself;
  • The management APIs that are used to control the virtual machines and integrate with other IT management products.

For the security team, the biggest issue facing them is often not being involved in the implementation of virtualisation in the first place. As this technology has often started life in test and QA environments, it has not been part of security's remit.

As the use of virtualisation spreads into more production environments, security has to be a core concern. This includes evaluating business continuity aspects, as the proportion of workloads affected by an outage or virus attack will be much higher in a consolidated environment.

The first consideration is that traditional security skills are being applied to the virtualisation environment. This can be more difficult, as virtual machines can move around the IT estate as business demands and workload priorities evolve.

The emphasis has to be on planning and awareness of the possibilities that this shifting environment represents. Keeping the virtual and physical network traffic separated through use of VLANs is the first step, followed by implementing intrusion prevention and firewall systems that can monitor and inspect traffic between the virtual machine host servers. For organisations that are looking at desktop virtualisation, rolling out anti-virus within the guest machines is still a necessary step, even though virtualising the session makes any patching or virus clean-up much easier and faster.

The next consideration is how virtualisation can potentially improve security planning and execution. As virtual machines are isolated environments, it makes it easier to run multi-tenant environments where separation is required, even on the same hardware. This is particularly useful for managed service providers, where virtualisation allows them to host more customers on the same amount of physical kit.

New approaches to security in a virtualised environment

Hardened virtual appliances, which are purpose-built virtual machines for a specific task, are also becoming more popular with organisations, as they can help the security function to benefit from the same results around virtualisation as the rest of the business.

A research report from IDC in December 2009 stated that virtual security appliance budget allocations will continue to grow over the next year to 18 months, as the total cost of ownership results are better than using separate point software products or dedicated hardware.

The other area where new approaches to security are being considered is the cloud. Cloud computing can mean different things to different people, but the most common definition is using the internet to deliver a reliable service to users, where the amount of that service can be scaled up or down depending on demand. This flexibility, coupled with a 'pay-as-you-go' billing model, makes it attractive to organisations where capital expenditure is heavily reduced or where it is hard to get budget sign off.

The potential for cloud computing is huge, as it can make IT service delivery more efficient and cost-effective. However the cloud faces several major hurdles, the biggest of which is around security.

As data will be moving out of the company's direct control, security and privacy concerns are significant, especially in those industries where regulations on data retention and ownership are in place. Establishing the cloud as a trustworthy platform for the business will be an ongoing concern, no matter how attractive the potential savings.

The biggest issue to remember is that all the data involved is yours. Even though it may be residing on another company’s storage, it is the responsibility of the customer to ensure that it remains secure.

Due diligence on the cloud provider and continually asking questions about how your partner or potential provider keeps their network secure is essential. Visiting the data centre personally can be another step in building trust. If moving completely into the cloud does not suit the business, then taking a trusted partner that can manage the systems on your premises remotely can be a suitable ‘halfway house’ that can deliver the cost benefits of full cloud, while retaining some control.

Software-as-a-Service providers have already made some headway in demonstrating how trust and security around data can be gained. As this process continues to gather steam, security providers are also looking at how the cloud can make procedures more efficient.

Examples of where cloud-based services can be effective include email archiving and web security, as the value for the organisation is in managing the process efficiently, rather than hosting the products or service on-site.

As organisations roll out further virtualised infrastructures or move their workloads into private and/or public cloud environments, the security team has to be involved in establishing best practices around these shifts in strategy.

What virtualisation and cloud can provide to the business in tandem with security is more efficient management and automation of non-critical IT functions. In an age where IT resources are more stretched than ever before and the pressure is on to deliver better results on static budgets, this represents a significant opportunity to deliver the results that businesses need in order to remain competitive.

As these technologies move into production, the right security planning can ensure that the use of virtualisation or cloud computing actually delivers the promised benefits.

By Gert Hansen, Chief Software Architect of internet security specialist . The company is exhibiting at on 27th – 29th April at Earl’s Court, London.



http://www.out-law.com/