How should the security risks of virtualized systems be reduced?

"Http://www.aliyun.com/zixun/aggregation/13883.html" > Virtualization technology is not inherently unsafe. However, most virtualized workloads are not deployed in a secure manner. "Gartner analyst Neil MacDonald earlier this year in a report called" Coping with the most common security risk in a virtualization project for data centers. "

Planning for virtualization projects should always involve the information security team, but according to Gartner's survey data, 40% of virtualization projects have been hastily launched without the security team participating in the initial architecture and planning phases.

MacDonald points out that because virtual machine management programs govern all workloads running on physical servers, a threat "can cause all workloads that are handled above to be compromised." "In a traditional architecture, a server that is compromised only poses a risk to the workload on that server, which is not the case in virtualized data centers."

The hypervisor itself also increases the hit surface (attack surface). VMware, for example, is revamping its virtualization architecture to get rid of the Linux based Service console to reduce the attack surface from about 2GB to 100MB.

While this improves security, customers still need to be focused on security. Gartner recommends that users view the virtualization platform as "the most important it platform in your data center" from a security and management perspective.

Gartner believes that the IT department needs to develop a strategy for consolidating workloads at different trust levels and, when evaluating new security and management tools, "should prefer tools that encompass the physical and virtual environments and use the unified management, policy, and reporting framework." ”

The report also notes that the IT department must focus on the security vulnerabilities of any code installed at the hypervisor layer, including drivers, plug-ins, and third-party tools, and make sure everything is up to date and patched.

Even if the virtualization layer is as secure as the previous physical architecture, users tend to configure more virtual machines, which means that you have more coverage, and "Once your coverage expands, the security risks that you face increase." ”

Turner is focusing on several systems management tools, such as Cfengine, Puppet Labs, and chef, to automate the process of verifying patches, deleting expired user accounts, and ensuring that the configuration files are not tampered with.

After the server is virtualized, even relatively simple tasks such as running anti-virus software can become more complex. Harper pointed out that his employees had to manually modify the time of the weekly scan of Windows Server instances, because if they did not, the scans would execute at the same time, causing the input/output load to be too large.

Harper says customers need to combine new products and processes to prevent virtualization from causing trouble because managing virtual machines as a physical bare-metal is not going to work.

But Jim Brewster, senior IT expert at Harper and Sabre, is optimistic about the security of the virtual world. Physical isolation of the security zone is giving way to a software-based security zone, Brewster says, and with virtualization management tools, it is difficult for unscrupulous IT administrators to tamper with their operations without being logged.

Microsoft and VMware are arguing over how many processes should remain in the operating system and how many processes should be pushed to the hypervisor layer. But Brewster is looking forward to the security features entering the hypervisor.

Brewster said: "I think that you can more clearly understand, more effective control of the situation, find out who in the virtual machine who is in contact with the situation." ”