Virtual Machines May Pose New Threats

By Jodi Mardesich

Organizations have recently started to embrace software virtualization, which can allow one server to run multiple operating systems and applications. These "virtual computers" potentially allow mid-size organizations to act like larger organizations. At the same time, organizations can economize by not needing as many servers to run complex applications, such as mirror sites for disaster preparedness.

But as virtualization becomes a powerful tool, potential security threats are already coming to light. Virtual machines could create additional points of entry into a system, and while experts say the benefits outweigh the drawbacks, CIOs must create new security policies to keep virtual machines from compromising an organization's security.

Virtual machine software, also called a "hypervisor," essentially runs in two ways: either directly on a hardware platform, or within an operating system environment. In either case, it is a software layer that creates the illusion of multiple machines, which in effect allows IT departments to run multiple instances of an application, or different applications that sometimes use different operating systems on the same physical hardware.

Benefits of virtual machines
The creation of these virtual machines allows organizations to cut costs. For instance, a mirror of a production server can be run as a backup in case of disaster, reducing the number of servers needed, as well as the cost of the power to operate multiple servers. Virtual machines also can be used to simplify patch management and software distribution, analysts say.

Virtual machine adoption is quickly catching on: Forrester reports that 2006 was the first year that a majority of North American firms reported either using or piloting virtualization. In a survey of server decision makers, more than 40% were using server virtualization, and one-third said they were either piloting or interested in server virtualization.

Virtual machine software is a third-party application, but some analysts expect Microsoft to eventually add hypervisor functionality to server and client versions of Windows, which would make it even more common.

As IT managers move into virtualization, they are starting to realize that it comes with potential threats and risks. Virtual machines can be saved, manipulated, and copied with the same ease as a file. Also, virtual machines appear and disappear rapidly, changing the state of the network. With the rise in virtual servers, more CIOs are becoming concerned about potential security risks and want to limit use until they feel more comfortable with them and understand how they work.

Potential risks in virtualization
"Virtual machines are not inherently secure or insecure -- they are just a tool for structuring systems," says Tal Garfinkel, virtualization consultant and Ph.D. candidate at Stanford University.

A fundamental security problem with virtual machines is that they can appear and disappear and reappear rapidly. Security tools assume a steady state, that time always moves forward, but virtual machines allow the state of the network to move backward and forward in time.

"Rolling back a machine can re-expose patched vulnerabilities, reactivate vulnerable services, re-enable previously disabled accounts or passwords, use previously retired encryption keys, and change firewalls to expose vulnerabilities," Garfinkel says.
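One way to catch the rollback effects Garfinkel lists is to compare each inventory scan of a VM against everything already observed for it. This is an added example, not code from the article or from anyone quoted in it; the `Scan` record format, the patch, account and key names, and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scan:
    """One inventory scan of a VM (hypothetical record format)."""
    vm: str
    seq: int            # scanner-assigned order, independent of the guest's clock
    patches: frozenset
    enabled_accounts: frozenset
    key_id: str

def find_regressions(scans):
    """Flag scans where a VM's state is older than state already observed for it."""
    findings, state = [], {}
    for s in sorted(scans, key=lambda x: (x.vm, x.seq)):
        st = state.setdefault(s.vm, {"patched": set(), "enabled": set(),
                                     "disabled": set(), "key": None, "retired": set()})
        # Accounts enabled in the previous scan but not now were disabled in between.
        st["disabled"] |= st["enabled"] - s.enabled_accounts
        for p in sorted(st["patched"] - s.patches):
            findings.append((s.vm, s.seq, "patch-missing", p))
        for a in sorted(st["disabled"] & s.enabled_accounts):
            findings.append((s.vm, s.seq, "account-reenabled", a))
        if s.key_id in st["retired"]:
            findings.append((s.vm, s.seq, "retired-key-in-use", s.key_id))
        else:
            if st["key"] not in (None, s.key_id):
                st["retired"].add(st["key"])   # key rotation: the old key is retired
            st["key"] = s.key_id
        st["patched"] |= s.patches             # high-water mark of patches ever seen
        st["enabled"] = set(s.enabled_accounts)
    return findings

# Constructed sample data: web01 is reverted to an old snapshot before scan 3.
SAMPLE = [
    Scan("web01", 1, frozenset({"PATCH-A"}), frozenset({"admin", "contractor"}), "key-1"),
    Scan("web01", 2, frozenset({"PATCH-A", "PATCH-B"}), frozenset({"admin"}), "key-2"),
    Scan("web01", 3, frozenset({"PATCH-A"}), frozenset({"admin", "contractor"}), "key-1"),
    Scan("mail01", 1, frozenset({"PATCH-A"}), frozenset({"admin"}), "key-9"),
    Scan("mail01", 2, frozenset({"PATCH-A", "PATCH-B"}), frozenset({"admin"}), "key-9"),
]

if __name__ == "__main__":
    for finding in find_regressions(SAMPLE):
        print(finding)
```

The ordering comes from the scanner rather than from the guest, because a reverted guest also reverts its own clock and logs.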

Forrester analyst Jennifer Albornoz Mulligan has identified risks of using virtual machines, including "brittleness," data leakage and lack of monitoring/management tools.

  • Brittleness: "If all of your virtual machines are identical, and someone can break into one, they can break them all," Mulligan says. So in return for easy management, organizations are trading security for homogeneity.
  • Data leakage: Data is often stored in virtual images, and these images are easy to move and copy along with your data. "It is another possible way for data to inappropriately leave your organization," Mulligan says. "If data is centralized, this risk can be reduced."
  • Lack of monitoring tools: Tools to monitor and manage virtual machines are not mature compared to traditional tools. "Some virtual images may not be patched or controlled properly if they are not visible to the management tools," Mulligan says. As such, the machine may no longer be in compliance with corporate policies.

Despite these drawbacks, Mulligan believes the net benefits of server virtualization outweigh its security drawbacks. "Embrace it, especially for testing security patches," she says.

Garfinkel says that virtual machines can actually be used to increase security. "They provide a lot of functionality that can allow you to more easily secure systems," he says.

For example, systems can easily be brought into a clean state if there is a suspicion that they have been compromised. Services can be isolated from one another to prevent a compromise in one from spreading to another. "For example, suppose you have a server running a mail server and a web server," Garfinkel says. "If you run those in two separate VMs, a compromise in one will not affect the other."

Garfinkel believes virtualization technology will open the door for advances in security that leverage some of its properties, from better intrusion detection to new solutions for backup, forensics and disaster recovery.

"Virtualization is clearly the right thing to do, the issue is how to do it right," he says.

Jodi Mardesich writes about business and technology. Her writing has appeared in The New York Times, Fortune, San Jose Mercury News, Salon and Slate.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
