How can we reduce security risks during cloud computing virtualization?

Source: Internet
Author: User
Tags: mitm attack

In cloud computing there are three basic service models: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). There are also three basic deployment models: public, private, and hybrid. Virtualization is used throughout these service and deployment models to obtain its many advantages, including cost effectiveness, higher uptime, better disaster recovery, and isolation between applications.

It does not matter who is responsible for security in a virtualized cloud deployment: whether it is the provider or the enterprise customer, the same security problems have to be solved. When choosing a service and deployment model, keep in mind that SaaS gives the customer the least control over the environment and IaaS the most. Similarly, in a public cloud the customer depends on the cloud service provider (CSP), while in a private cloud the enterprise controls the whole environment. The same applies to security: the customer controls only part of the deployment and the CSP controls the rest. For any part of the deployment model you cannot access, the CSP has to implement the appropriate security measures, and you should verify (through contracts, audits, or testing) that it actually does.

Virtualization security in cloud computing

Although virtualization brings many advantages, it also introduces a number of security problems:

Hypervisor: the hypervisor runs multiple virtual machines on the same physical machine. If the hypervisor is vulnerable, an attacker who exploits it gains access to the entire host, and therefore to every guest VM running on it. Because hypervisors tend to be updated infrequently, a known but unpatched vulnerability can compromise the whole system. When a vulnerability is disclosed, the key is to patch it as soon as possible and contain the potential damage in the meantime.

Resource allocation: data leakage is also a risk when physical memory or storage used by one virtual machine is reallocated to another. The leak typically happens when a VM that is no longer needed is deleted and its resources are freed and handed to other VMs. A new VM that receives those resources can apply forensic techniques to image the physical memory and storage it was given; analysing that image can disclose sensitive information left behind by the previous VM.

Virtual machine attacks: if an attacker compromises one VM, they can use it to attack the other VMs on the same host over the network. This cross-VM attack method is increasingly popular, mainly because traffic between VMs on the same host never leaves the host and so is not inspected by a conventional network IDS/IPS.

Migration attacks: most virtualization platforms make it easy to migrate a VM when needed: the VM is sent over the network to another virtualization host, where the same VM is brought up. If the process is not managed properly, however, the VM's memory and disk contents may be sent over an unencrypted channel, where they can be sniffed or tampered with by tools that perform man-in-the-middle (MITM) attacks on the network.

Reducing the security concerns

The following describes how to reduce each of the problems mentioned above:

Hypervisor: check regularly for the latest available hypervisor updates and apply them. Keeping the hypervisor patched prevents attackers from exploiting known vulnerabilities to take control of the host, and with it every VM running on that host.

Resource allocation: when resources pass from one virtual machine to another, both sides need to be protected. Old data remains in physical memory and in storage, and it must be overwritten with zeros (or otherwise sanitized) by the hypervisor before the resources are handed to the next VM, since the next tenant cannot be trusted to do it.
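The following Python model of the data-remanence problem is an added example, not code from the original article. A toy hypervisor allocator hands the freed pages of one tenant to the next tenant, who simply images its own allocation and searches it. The page size, VM names and the documentation-style key string are constructed for the demonstration; a flag selects the unsafe behaviour or the zero-on-release fix.

```python
import re

PAGE_SIZE = 64   # bytes per page in this toy model (constructed)
NUM_PAGES = 8

# Pattern for the kind of credential a tenant leaves behind in memory.
# The value written below is a documentation-style placeholder, not a real key.
KEY_ID_RE = re.compile(rb"AKIA[0-9A-Z]{16}")


class BackingStore:
    """Hypervisor-side allocator for physical memory / disk pages.

    zero_on_release=False reproduces the unsafe behaviour described in the
    article; zero_on_release=True is the mitigation."""

    def __init__(self, zero_on_release):
        self.zero_on_release = zero_on_release
        self.mem = bytearray(PAGE_SIZE * NUM_PAGES)
        self.free_pages = list(range(NUM_PAGES))
        self.owner = {}                      # page index -> owning VM

    def allocate(self, vm, n_pages):
        if n_pages > len(self.free_pages):
            raise MemoryError("no free pages")
        pages = [self.free_pages.pop(0) for _ in range(n_pages)]
        for p in pages:
            self.owner[p] = vm
        return pages

    def write(self, vm, page, data):
        if self.owner.get(page) != vm:
            raise PermissionError(f"{vm} does not own page {page}")
        if len(data) > PAGE_SIZE:
            raise ValueError("data exceeds page size")
        start = page * PAGE_SIZE
        self.mem[start:start + len(data)] = data

    def release(self, vm):
        """Free every page owned by vm; sanitize only if configured to."""
        freed = [p for p, o in self.owner.items() if o == vm]
        for p in freed:
            if self.zero_on_release:
                self.mem[p * PAGE_SIZE:(p + 1) * PAGE_SIZE] = bytes(PAGE_SIZE)
            del self.owner[p]
        self.free_pages = sorted(self.free_pages + freed)

    def image(self, vm):
        """What a tenant sees when it dumps all memory it was allocated."""
        pages = sorted(p for p, o in self.owner.items() if o == vm)
        return b"".join(bytes(self.mem[p * PAGE_SIZE:(p + 1) * PAGE_SIZE])
                        for p in pages)


def run_scenario(zero_on_release):
    """Tenant A writes a secret and is destroyed; tenant B gets the same pages.

    Returns the key IDs tenant B can recover from its own allocation."""
    store = BackingStore(zero_on_release)
    a_pages = store.allocate("vm-a", 2)
    store.write("vm-a", a_pages[1], b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE")
    store.release("vm-a")
    store.allocate("vm-b", 2)                # B is handed A's former pages
    leaked = store.image("vm-b")             # B's "forensic" dump of itself
    return sorted(set(KEY_ID_RE.findall(leaked)))


if __name__ == "__main__":
    print("without zero-on-release:", run_scenario(False))
    print("with zero-on-release:   ", run_scenario(True))
```

The same check applies to storage volumes: a freshly attached volume should read back as zeros before the tenant has written anything, and reading one back is a quick test to run against any CSP or private cloud before trusting its reallocation path.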

Virtual machine attacks: the inbound and outbound traffic of the VMs on the same physical host must be separated and inspected, for example by forcing east-west traffic through a virtual switch or firewall where intrusion detection and prevention can be applied. That way, threats from a compromised VM are caught quickly instead of staying invisible inside the host.
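As an added example, not code from the original article, the following Python shows both halves of that mitigation over constructed flow records of the kind a virtual switch or host agent can export for traffic between VMs on one host: an explicit allow-list of expected VM-to-VM flows (segmentation), and a sliding-window detector that flags one VM sweeping its neighbours or scanning the ports of one of them (detection). The VM names, ports, thresholds and the records themselves are assumptions made for the demonstration.

```python
from collections import deque

# All VMs that share this physical host (constructed).
HOST_VMS = {"vm-web-1", "vm-web-2", "vm-db-1", "vm-cache-1", "vm-build-1"}

# Expected east-west flows between those VMs: (src, dst, dst_port).
# Anything not listed is a segmentation-policy violation.
ALLOWED_FLOWS = {
    ("vm-web-1", "vm-db-1", 3306),
    ("vm-web-2", "vm-db-1", 3306),
    ("vm-web-1", "vm-cache-1", 6379),
}

WINDOW_SECONDS = 60
PEER_THRESHOLD = 3   # distinct peer VMs contacted within the window
PORT_THRESHOLD = 5   # distinct ports tried on one peer within the window

# Constructed flow records: (epoch seconds, src VM, dst VM, dst port).
# vm-build-1 has been compromised and starts probing its neighbours at t=100.
FLOWS = [
    (0,   "vm-web-1",   "vm-db-1",    3306),
    (5,   "vm-web-2",   "vm-db-1",    3306),
    (10,  "vm-web-1",   "vm-cache-1", 6379),
    (100, "vm-build-1", "vm-web-1",   22),
    (101, "vm-build-1", "vm-web-1",   80),
    (102, "vm-build-1", "vm-web-1",   443),
    (103, "vm-build-1", "vm-web-1",   8080),
    (104, "vm-build-1", "vm-web-1",   3306),
    (110, "vm-build-1", "vm-web-2",   22),
    (111, "vm-build-1", "vm-db-1",    22),
    (112, "vm-build-1", "vm-cache-1", 22),
    (400, "vm-web-1",   "vm-db-1",    3306),
]


def policy_violations(flows, allowed=ALLOWED_FLOWS, host_vms=HOST_VMS):
    """Intra-host flows that the segmentation policy does not permit."""
    return [f for f in flows
            if f[1] in host_vms and f[2] in host_vms
            and (f[1], f[2], f[3]) not in allowed]


def detect_lateral_movement(flows, host_vms=HOST_VMS, window=WINDOW_SECONDS,
                            peer_threshold=PEER_THRESHOLD,
                            port_threshold=PORT_THRESHOLD):
    """Per-source sliding window over intra-host flows.

    Raises a 'port-scan' alert when one source tries many ports on one peer
    and a 'peer-sweep' alert when it contacts many distinct peers. Each
    alert key fires once per source (enough for this demonstration)."""
    alerts = []
    recent = {}       # src -> deque of (ts, dst, port) inside the window
    already = set()   # alert keys that have fired
    for ts, src, dst, port in sorted(flows):
        if src not in host_vms or dst not in host_vms:
            continue  # only east-west traffic is invisible to the perimeter IDS
        q = recent.setdefault(src, deque())
        q.append((ts, dst, port))
        while ts - q[0][0] > window:
            q.popleft()
        peers = {d for _, d, _ in q}
        ports_on_dst = {p for _, d, p in q if d == dst}
        if len(ports_on_dst) >= port_threshold and ("port-scan", src, dst) not in already:
            already.add(("port-scan", src, dst))
            alerts.append((ts, src, "port-scan", dst))
        if len(peers) >= peer_threshold and ("peer-sweep", src) not in already:
            already.add(("peer-sweep", src))
            alerts.append((ts, src, "peer-sweep", sorted(peers)))
    return alerts


if __name__ == "__main__":
    for f in policy_violations(FLOWS):
        print("policy violation:", f)
    for a in detect_lateral_movement(FLOWS):
        print("alert:", a)
```

The allow-list catches the very first unexpected connection, while the detector needs several flows before it fires; in practice the allow-list is enforced at the virtual switch or security-group layer and the detector runs on the mirrored or exported flows, so the two complement each other.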

Migration attacks: to prevent migration attacks, secure the network over which migrations take place so that a MITM position cannot be obtained; then even an attacker who has compromised one VM cannot mount a MITM attack against a migration. In addition, send the migration data itself over an encrypted channel. Although some argue that it is best to destroy and recreate VM images rather than migrate them, migrating over secured channels and networks is the more dependable option.
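An added Python policy check for the migration path, not code from the original article. It assumes libvirt-style destination URIs (qemu+tls://, qemu+ssh://, qemu+tcp://) and virsh-style flag names ("tls" for an encrypted data stream, "tunnelled" for data carried inside the control connection) as the platform's conventions, plus a hypothetical dedicated migration subnet; the important point it encodes is that an encrypted control connection does not by itself encrypt the VM's memory stream.

```python
from urllib.parse import urlparse
import ipaddress

# Control-channel transports that are encrypted and authenticated.
SECURE_CONTROL_TRANSPORTS = {"tls", "ssh"}

# Hypothetical dedicated migration network, separate from tenant traffic.
MIGRATION_NET = ipaddress.ip_network("10.99.0.0/24")


def check_migration(dest_uri, flags, migration_net=MIGRATION_NET):
    """Return (allowed, reasons) for a proposed migration.

    dest_uri: libvirt-style URI such as 'qemu+tls://10.99.0.7/system'
    flags:    migration flags, e.g. ['live', 'tls'] or ['live', 'tunnelled']"""
    reasons = []
    parsed = urlparse(dest_uri)
    _driver, sep, transport = parsed.scheme.partition("+")
    if not sep:
        # Refuse to rely on an implicit default; make the transport explicit.
        reasons.append("transport not explicit; use driver+tls:// or driver+ssh://")
        transport = None
    elif transport not in SECURE_CONTROL_TRANSPORTS:
        reasons.append(f"control channel transport '{transport}' is unencrypted")

    host = parsed.hostname
    try:
        addr = ipaddress.ip_address(host) if host else None
    except ValueError:
        addr = None
    if addr is None:
        reasons.append("destination must be an IP literal on the migration network")
    elif addr not in migration_net:
        reasons.append(f"destination {addr} is not on migration network {migration_net}")

    flags = set(flags)
    # The memory/disk stream is protected either by its own TLS, or by being
    # tunnelled through a control connection that is itself encrypted.
    data_encrypted = "tls" in flags or (
        "tunnelled" in flags and transport in SECURE_CONTROL_TRANSPORTS)
    if not data_encrypted:
        reasons.append("migration data stream is plaintext; add 'tls' or tunnel it "
                       "through an encrypted control connection")
    return (not reasons, reasons)


if __name__ == "__main__":
    cases = [
        ("qemu+tcp://10.99.0.7/system", ["live"]),            # everything in the clear
        ("qemu+tls://10.99.0.7/system", ["live"]),            # control encrypted, data not
        ("qemu+tls://10.99.0.7/system", ["live", "tls"]),     # acceptable
        ("qemu+ssh://10.99.0.7/system", ["live", "tunnelled"]),  # acceptable
        ("qemu+tls://192.0.2.9/system", ["live", "tls"]),     # wrong network
    ]
    for uri, fl in cases:
        ok, why = check_migration(uri, fl)
        print("ALLOW" if ok else "DENY ", uri, fl, why)
```

The second case is the one operators most often get wrong: with native (non-tunnelled) migration the hypervisors exchange the VM's memory directly, so a TLS or SSH control connection protects only the commands, and the data stream needs its own protection. Putting the check in front of whatever orchestrator issues migrations turns the article's advice into something enforced rather than remembered.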

Many attacks are possible in a virtualized cloud environment, but appropriate security controls and procedures, applied while the cloud deployment is implemented and managed, can prevent them. Before trying to secure the cloud environment, it is important to understand how these attacks are executed; that helps ensure the enterprise's defences are adapted to the threats most likely in its environment. After securing the environment, test whether the security measures actually stop the attacks. Such tests can be performed in-house or by an external security testing firm.
