Tuesday, September 16, 2008

Security and Virtual Machines

A lot of rumors are circling around that Virtual Machines (VM) could pose another threat to IT-Systems which use hypervisor-technologies extensively these days. Unfortunately, concrete facts on implementation issues are not available. This discussion is probably a little bit misleading. From the security perspective, Virtual Machines are an approach to realize Access Control on an Operating System level. This comes along with data isolation. Sandboxing is another option but on a higher layer in the application stack. Sure, security is not the main objective when applying solutions based on Virtual Machines. But these objectives, like flexibility and mobility, are topics we should take in account when talking about security in the scope of Virtual Machines. Why is that? Traditional security mechanisms were developed to protect non-virtualized systems (or real hardware in a broader sense). But Virtual Machines (better: systems based on it) behave different. They are mobile and highly dynamic (people do copy, move, switch on, switch off, change ownership), and follow different life-cycle patterns. This is not good news for firewalls, existing policies, access control within the scope of the VM, as well as for forensic analysis. Beside the technical issues, processes are not ready to face these challenges in many cases. Security folks and administrators should be aware of this and must update their instruments (tools, policies).
Other areas of security are affected as well. Cryptography is just one example. I’m gonna cover this fascinating topic in my upcoming posts. And, virtualization has started to exist in the clouds. How is security performing high above us in totally virtualized solutions? Mmmh.

No comments: