It is no secret that virtualization technology is changing the datacenter landscape. The agility, flexibility, and overall operational benefits are myriad, and conversations about the return on investment in virtualization have, for the most part, long since been concluded. However, as with many wide-ranging changes in computing, conversations about security implications tend to lag behind. For security professionals, increasing agility can also mean introducing new areas of concern; agility can create fragility.
Datacenter administrators have long struggled to maintain system inventory.
What systems are end-users carrying around?
Which versions of operating systems are in the datacenter?
Where is the sensitive data, and is it protected?
Answering these questions was difficult in a traditional computing environment, and has become even more difficult as bring-your-own-device, virtualization, shadow IT, and public cloud adoption have gone from being exceptions to being the norm.
To appreciate the impact of this change, we first need to revisit the last fundamental change in computing: x86 computing. Roughly speaking, Microsoft popularized the Windows operating system, in part, by leveraging something called the Hardware Abstraction Layer (HAL). Basically, the HAL frees code running within the operating system from needing to understand how to interact with the underlying hardware. It creates a predictable execution environment so code can run on any x86 system. Often, the kernel of the operating system is called a supervisor, since it handles interaction with hardware on behalf of applications.
Virtualization adds another layer between hardware and the operating system which is, intuitively enough, called the hypervisor. Just as operating systems abstracted hardware to provide predictable execution environments for applications, hypervisors abstract the hardware to give operating systems a predictable execution environment. Just as operating systems can run multiple applications on one system, hypervisors allow multiple operating systems to run on one system.
Most of the flexibility and agility with virtualization comes from that abstraction. The hypervisor treats each operating system as a group of files, usually kept in a storage system that is connected to the systems hosting the hypervisors. For example, moving an operating system instance (running or not) from one hypervisor to another becomes possible if both hypervisors can access the storage in which the files that describe and contain the instance are held.
No longer are operating systems tied to a single system. They can move, be cloned or backed-up, reset to an earlier backup, spawned from a template, or destroyed, in seconds or minutes.
As you can imagine, this has tremendous security implications. How do we keep track of where virtual machines are and what security policy applies to them, and ensure that someone doesn’t simply copy the files composing a sensitive server straight from storage to a USB stick and walk out the door?
Dave Shackleford, a well-respected consultant, trainer and course builder, and author, has created a whitepaper, “Evolve or Die: Security Adaptation in a Virtual World,” to help organizations understand many of the security implications of virtualization. For a quick visual of highlights, check out the infographic here.