I have been very interested in virtualization security since early 2004 and it now seems like it has become a mainstream topic. Most of the focus however is on securing the technology of virtualization (the hypervisor) and providing virtualized security (usually as virtual appliances). My focus nowadays is more on the operational impact of virtualized infrastructure and by extension the impact on security operations. After all, security controls (technology) are essential but without operational controls (people) they are not sufficient. So what is the operational impact of virtualization?
Virtualization technology is being applied across multiple IT silos: servers, applications, storage and networks. In every one of these domains, virtualization hides the physical infrastructure behind an abstraction layer and provides encapsulation of logical instances. When you're looking for the root cause of a fault or a security alert you need to lift the veil and see behind the virtualization layer. This sounds a lot easier than it is in practice.
On top of the abstraction layer, virtual infrastructures are often very dynamic. Live migration technology (such as VMotion or XenMotion) allows virtual machines to move from host to host in near-real-time. On top of live migration there are other layered features like dynamic resource pools and high availability clusters. Together, these create an environment where virtual machines may move automatically to rebalance a load, reduce power consumption or in reaction to a hardware failure. Similar dynamic moves may be occurring in a virtual storage environment and (storage re-allocation) and in the network (load balancing, virtual LAN allocation). In a large virtual server pool this could create an almost constantly changing environment.
Furthermore, security operations must deal with an environment where servers come into existence and are decommissioned at an accelerated rate. Sine virtualization allows admins to virtually build, rack, run and decommission a server in a matter of minutes, the life cycle of a server becomes shorter. Servers evolve from being enduring and tangible to fleeting and ethereal. How do you troubleshoot or forensically analyze a server that only existed for a day? Where do you find its logs, its configuration?
Security operations in a virtual environment involve:
- Piercing the veil (correlating events above the abstraction layer with events below).
- Synchronizing timestamps globally.
- Collecting logs and configuration changes centrally.
- Tracking virtual machine identities independently of IP address.
- Tracking virtual machine life cycle and genealogy.
- Maintaining libraries of patched and hardened virtual machine images.
We have technology to deal with most of these problems and doubtless we will see startups emerge to address problems that are new and unique to this environment. Many of the challenges are only noticeable once virtualization technology has been adopted in production and deployed broadly in a data center. They surely should be discussed at the early planning stages instead. The old management mantra is "you can't manage what you don't measure". The mantra for security operations in a virtual environment is "you can't secure it if you can't even find it."
