By running multiple guest operating systems, on a single hypervisor, security must be ensured. Security entails:
- Isolation between multiple operating systems. In a traditional network, one can check physical hardware and network cables. But, this is a logical network and hence settings must be carefully reviewed.
- Protection of hypervisor and other guest operating systems due to compromised guest operating system or applications
- Possibility of rootkits in Hypervisor or Hardware
- Hypervisor (or the hardware on which it is running) can become the single point of failure
- Misconfiguration of virtual networking components (virtual switch, virtual load balancer, virtual VPN, virtual firewall, etc) can enable serious threats
- With dynamically available guest operating systems, audits and especially forensic audits become a nightmare (something went wrong a day ago - what/where can we look to determine the cause - especially if that guest operating system is no longer up).
- Threat modeling and Regulatory compliance is a key requirement for many enterprises and service providers. There is no cookie-cutter model for threat modeling or compliance when dynamic resource (de) allocation is enabled.
- For an application or soft-appliance vendor, avoiding piracy and managing licenses is a significant challenge. This impacts the customer who has to maintain the licensing information and protect the assets from being stolen and reused somewhere else.
- Security patches or software updates on hypervisor may introduce unknown threats to guest operating systems and applications. There is no real model for testing this.
- Moving a virtual network with all of the guest operating systems & applications to another hypervisor may introduce unknown security risks. Known security risks include static polices may no longer be effective, guest OS may be moved to a different security domain, etc. There is a direct asset tracking & management risk - "Where is my Virtual Machine?"
- Traditional IT is managed by a few teams: Network Operations, Security, Application Development, Business Operations and so on. With everything being on a single hypervisor, ownership lines are blurred.
- Most viruses, trojans, etc are found on Windows Platform - because it is the most widely used. Similarly, it is a matter of time that popular hypervisors and deployment models will be affected.
No comments:
Post a Comment