Monday, January 25, 2010

Security in a multi-tenant hypervisor (virtualization) platform

By definition, a hypervisor is a layer that sits between a guest operating system and the hardware or a native operating system.  By using a operating system, multiple applications can be run simultaneously.  By using a hypervisor, multiple guest operating systems can be run simultaneously on the same hardware.

By running multiple guest operating systems, on a single hypervisor, security must be ensured.  Security entails:
  1. Isolation between multiple operating systems.  In a traditional network, one can check physical hardware and network cables.  But, this is a logical network and hence  settings must be carefully reviewed.
  2. Protection of hypervisor and other guest operating systems due to compromised guest operating system or applications
  3. Possibility of rootkits in Hypervisor or Hardware
  4. Hypervisor (or the hardware on which it is running) can become the single point of failure
  5. Misconfiguration of virtual networking components (virtual switch, virtual load balancer, virtual VPN, virtual firewall, etc) can enable serious threats
  6. With dynamically available guest operating systems, audits and especially forensic audits become a nightmare (something went wrong a day ago - what/where can we look to determine the cause - especially if that guest operating system is no longer up).
  7. Threat modeling and Regulatory compliance is a key requirement for many enterprises and service providers.  There is no cookie-cutter model for threat modeling or compliance when dynamic resource (de) allocation is enabled.
  8. For an application or soft-appliance vendor, avoiding piracy and managing licenses is a significant challenge.  This impacts the customer who has to maintain the licensing information and protect the assets from being stolen and reused somewhere else.
  9. Security patches or software updates on hypervisor may introduce unknown threats to guest operating systems and applications.  There is no real model for testing this.
  10. Moving a virtual network with all of the guest operating systems & applications to another hypervisor may introduce unknown security risks. Known security risks include static polices may no longer be effective, guest OS may be moved to a different security domain, etc. There is a direct asset tracking & management risk - "Where is my Virtual Machine?"
  11. Traditional IT is managed by a few teams: Network Operations, Security, Application Development, Business Operations and so on.  With everything being on  a single hypervisor, ownership lines are blurred.
  12. Most viruses, trojans, etc are found on Windows Platform - because it is the most widely used.  Similarly, it is a matter of time that popular hypervisors and deployment models will be affected.
Security can be rephrased as "Risk Management".  While the above threats are real, one has to carefully look at the deployment model and build a playbook (people, process, technology) for rules of deployment.  That is the only way we can benefit from this new technology.

    No comments:

    Post a Comment