Joshua Corman, principal strategist for IBM Internet Security Systems, does something in our new video tutorial that might get dismissed as facile word play: He parses the distinction between "securing virtualization" and "virtualizing security."
"Virtualizing security is taking legacy technologies -- network intrusion prevention systems, anti-virus, firewalls -- and ensuring that they run and are supported on these new virtual platforms," Corman explains. Porting those technologies to virtual environments is a necessary part of the equation, but it's not sufficient.
"Securing virtualization" pays special attention to the idiosyncrasies of this new platform. "In a virtual environment, I may have a network device securing several servers behind me. In virtualization, due to its fluid nature, the servers behind me may transition from one physical device to another, so the idea of static policies is no longer applicable. Securing virtualization takes advantage of these idiosyncrasies and pays attention to the new risk attack services. And this is a necessary ingredient to our overall security posture for virtualization."
What I really like about our newest video tutorial is Corman’s ability to break down this extremely complex subject and zero in on how IT security professionals need to expand their thinking around virtualization.
He points to the "live migration" feature of virtual machines (VMs), which lets a running guest move from one physical host to another, for example when the original host gets too busy, without being shut down. The problem is that the destination host may not sit behind the same security devices, or carry the same security profile, as the one the guest started on. "A static policy we may have had to protect that image behind this particular network device is no longer applicable, as these things move freely to maximize the utilization of resources," Corman states.
He also draws attention to the virtual machine manager, or hypervisor, and what a sweet target it will be for hackers. Because the hypervisor sits beneath every guest, compromising it defeats whatever hardening the guests themselves carry: "If I can gain control of the hypervisor, I can gain control of all the guest operating systems that run on top of it." The hacker might as well be sitting at a data center console.
In addition to learning more about the ins and outs of virtualization security, I hope you’ll take a look at the tutorial for a couple of other reasons. You can click the email link near Corman’s picture to send him questions or to settle your own virtual security issues. We’d love for you to weigh in on the poll that’s posted there, too.
Given the high profile virtualization enjoys in enterprises of all sizes these days, there’s a lot to be learned about locking it all down, no matter what words you use to define it.
This blog is part of Internet Evolution's Security Clan, which examines the future of Internet security and the changing nature of risks and vulnerabilities.
WoW. This is a very critical topic. In the STRIDE security model, the first thing you worry about is spoofing. If a bad actor can spoof, all is lost. After use of a token, a biometric and a password, the 'identity' has always been consigned to hardware. The current commercial level safety is TCA (Trusted Computing Alliance), which can be low power and mobile like on this board.
But you point out that virtualization changes the game. I will leave the discussion of the cloud to you guys. But the device side is getting virtual too. For example, any car can have a pretty interesting, ad-hoc subnet in it built from its telematics, its personal nav system, and three or four Bluetooth phones the passengers have. An SMS could come from any of them. I could even foresee a VM migrating between them.
And what about devices on public transit with WiFi hotspots? This is like a whole office with laptops, PDAs, games, and even Androids??? Oh my gosh.
Virtual stuff definitely has a lot of novel risks, all the more so because IT professionals are more attuned to managing "real" stuff that they can see. I've actually seen some of the machine-image problems arise for just the reasons that you and the tutorial suggest they can.
Thanks for your comments, Tom -- Corman teases out these kinds of issues really succinctly, and draws attention to the fact that auditors and regulators are on to the whole virtualization thing; whether the way enterprises configure and secure their VMs and hypervisors will pass muster compliance-wise remains to be seen. This stuff is sufficiently complex that I can't imagine one size will ever fit all. Corman's repeated advice is to involve these folks early and often to make sure they at least understand what you're doing and can point out potential pitfalls.
The other striking piece in the tutorial was the risk associated with suspended images that may not have been patched or somehow escape the policy management filters, depending on when or where they're re-activated. It's thought provoking and eye opening.
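The two failure modes described so far, a host-keyed rule that stops matching once live migration moves the guest (from the post above) and a suspended image that resumes with a patch level nobody has checked (from this comment), as an added example. This is not code from the tutorial or from Internet Evolution; the host names, VM names, control sets, patch dates and the `Fabric` class are all constructed for illustration. The model keys policy on the VM's role rather than on the physical host, and re-evaluates it on every placement event, which is exactly what a static host-bound rule cannot do.

```python
"""Policy that follows the workload rather than the physical host.

Added example, not code from the Internet Evolution tutorial. All host names,
VM names, control sets and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: which network-level controls sit in front of each host.
HOST_CONTROLS = {
    "esx01": {"firewall", "ips"},   # behind the network IPS
    "esx02": {"firewall"},          # spare-capacity host with no IPS in its path
}
# Constructed policy keyed on the VM's role, not on where it happens to run.
REQUIRED_CONTROLS = {
    "web": {"firewall", "ips"},
    "db": {"firewall"},
}
# Constructed "current" patch set; anything older is considered stale on resume.
CURRENT_BASELINE = date(2010, 2, 1)


@dataclass
class VM:
    vm_id: str
    role: str
    host: str
    patch_baseline: date   # date of the last patch set applied to the image
    state: str = "running"


class Fabric:
    """Tracks VM placement and re-evaluates policy on every placement event."""

    def __init__(self, vms):
        self.vms = {vm.vm_id: vm for vm in vms}
        # A host-keyed rule recorded once at deployment and never revisited:
        # this is the "static policy" that live migration silently invalidates.
        self.static_host = {vm.vm_id: vm.host for vm in vms}
        self.findings = []

    def static_coverage(self, vm_id):
        """Controls the static rule *believes* protect the VM."""
        return HOST_CONTROLS[self.static_host[vm_id]]

    def actual_coverage(self, vm_id):
        """Controls actually in the path of the VM's current host."""
        return HOST_CONTROLS[self.vms[vm_id].host]

    def evaluate(self, vm_id, event):
        """Re-check role policy and patch level; returns 'allow' or 'quarantine'."""
        vm = self.vms[vm_id]
        decision = "allow"
        missing = REQUIRED_CONTROLS[vm.role] - self.actual_coverage(vm_id)
        if missing:
            self.findings.append((event, vm_id, "missing-controls", tuple(sorted(missing))))
            decision = "quarantine"
        if vm.patch_baseline < CURRENT_BASELINE:
            self.findings.append((event, vm_id, "stale-patch-baseline", vm.patch_baseline.isoformat()))
            decision = "quarantine"
        return decision

    def migrate(self, vm_id, dst_host):
        """Live migration: the VM moves, the static rule does not."""
        self.vms[vm_id].host = dst_host
        return self.evaluate(vm_id, "migrate")

    def suspend(self, vm_id):
        self.vms[vm_id].state = "suspended"

    def resume(self, vm_id):
        """A resumed image may predate patches applied while it slept."""
        self.vms[vm_id].state = "running"
        return self.evaluate(vm_id, "resume")


def build_demo_fabric():
    """Constructed sample: one web VM behind the IPS, one db image suspended months ago."""
    return Fabric([
        VM("web-01", "web", "esx01", date(2010, 2, 1)),
        VM("db-02", "db", "esx02", date(2009, 11, 1), state="suspended"),
    ])


if __name__ == "__main__":
    fabric = build_demo_fabric()
    print("migrate web-01 -> esx02:", fabric.migrate("web-01", "esx02"))
    print("  static rule still claims:", sorted(fabric.static_coverage("web-01")))
    print("  actually in path:        ", sorted(fabric.actual_coverage("web-01")))
    print("resume db-02:", fabric.resume("db-02"))
    for finding in fabric.findings:
        print("  finding:", finding)
```

The point of `static_coverage` is the blind spot: after the migration it still reports the IPS as present, because nothing ever rewrote the host-keyed rule, while `actual_coverage` shows the guest now sits behind a firewall alone. In a real deployment the `evaluate` hook would be wired to the platform's migration and power-state events, and "quarantine" would mean dropping the guest into an isolated network segment until the missing control or patch set is in place.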
Securing virtual environments like cloud computing, virtual servers, and even SaaS is really critical if we're moving into those technologies, and it's also something that's not done the way that security used to be done. My experience is that most traditional access and intrusion control systems need to be respun if you start employing a lot of virtual resources, for example. Anything that creates a "soft link" between a transaction and a resource is easier to hack. Anything that lets resources migrate around across virtual platforms makes physical platform security less valuable. There's a whole list of stuff that needs to be done differently, and it's good somebody is thinking about it!