Virtualization Poses Security Risks in Public Cloud
Companies moving applications to a public cloud need to be aware of the risks created by using virtual machines in a shared cloud infrastructure.
If you're considering moving applications and data to the public cloud, one of the first things you'll need to think about is security.
There's certainly a good case to be made that a cloud service provider with a specialist security team will do a good job in terms of network security. And in terms of physical security, a cloud hosting facility will probably have the resources and expertise to do a job as good or better than most enterprise can do themselves.
But there's no doubt that moving to the cloud introduces new risks, some of which stem from the way cloud services are managed.
For example, one of the greatest risks to security for any organization is the insider threat: a disgruntled employee or ex-employee who steals or destroys data, or a staff member who is coerced or persuaded by a third party to use his access privileges to help compromise your systems. When a cloud service provider is added to the equation, the insider risk is expanded for two reasons.
First, there will likely be new administrators and people with privileged access to your applications and data, simply because a cloud service provider is involved. But it's also true that a single person working at a cloud provider has the potential to compromise far more machines than a person working at a single enterprise. For that reason alone, such people are more attractive targets to anyone planning to carry out coercion or provide payments for access.
There are also data security risks associated with the way cloud service providers provide redundancy. How do you know, for example, that when you delete data stored in the cloud that every fragment of that data -- that may have been backed up to storage in geographically separate data centers -- has also been deleted?
That being the case, it's important to ensure that your cloud service provider can offer good answers to the following questions:
- Where will my data be stored?
- What controls do you have in place to ensure that my sensitive business data is not leaving the virtual walls of your business?\
- What are the borders of responsibility?
Virtualization-specific Cloud Security Risks
If you're planning on moving applications running on physical servers in your data center to a public cloud environment, it's important to be aware of the fact that there will be additional risks. These stem from the fact that your servers in the cloud will be hosted on virtual machines in a shared computing infrastructure. The risks tend to be downplayed by many cloud hosting companies, but they are very real nonetheless.
One of these stems from the fact that most cloud environments are built on one of a very small number of hypervisors - VMware's ESX, Xen and so on. These provide tempting targets for hackers, because if a vulnerability in one of these hypervisors is discovered, the potential rewards are far higher than if a vulnerability is discovered in any specific Web server or other application.
In purely technical terms, it's also likely that your virtualized cloud workloads are more at risk because:
- All the cloud workloads have the potential to be compromised by a single compromise of the virtualization layer.
- Virtualized workloads which have different trust levels may be consolidated onto a single physical host without sufficient separation.
- Some cloud providers lack adequate controls for administrative access to the hypervisor/virtual machine monitor layer and to administrative tools.
In terms of actual threats to a cloud environment, these fall into a number of categories - centered on the hypervisor - such as:
- Hyperjacking - This involves subverting the existing hypervisor or inserting a rogue hypervisor. Since hypervisors run at the most privileged ring level on a processor, this would be hard or even impossible for any operating system running on the hypervisor to detect. In theory, a hacker with control of the hypervisor could control any virtual machine running on the physical server.
- VM Escape - As the name suggests, an exploit that enables VM Escape allows a hacker who compromises a specific virtual server to escalate his attack from the virtual server to take control of the underlying hypervisor.
- VM Hopping - Similar to VM Escape, VM Hopping allows an attack to move from one virtual server to compromise other virtual servers on the same physical hardware.
- VM Theft - This is the ability to steal a virtual machine file electronically, which can then be mounted and run elsewhere. The attack is the equivalent of stealing a complete physical server, without having to enter a secure data center and remove a piece of computing equipment.
Monitoring and Security Policies
The implications of this are that the hypervisors are effectively the crown jewels that need to be protected from outside and insider threats at all costs.
In cloud environments it's also important to be able to deliver apps whenever they are needed, by spinning up virtual machines and putting them on the most suitable host. The challenge when applications with different trust levels are running on the same physical host is how to get some measure of visibility into the cloud environment so that inter-virtual machine traffic can be closely monitored.
This is not as easy as monitoring the traffic between physical machines, as the data never actually "hits the wire." Possible approaches included diverting all inter-virtual machine traffic though an IPS, running a virtual redirector on each virtual machine configured with a policy on what traffic should be redirected to a physical IOS for inspection or, most likely, implementing virtual IPS and firewalls on each physical host. One further challenge is ensuring that the security policies that you put in place for each virtual machine are able to move with the virtual machine as they are moved around the cloud infrastructure - either manually, or as part of an automated orchestration process.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.
January 31, 2013
How secure is your PCI-compliant deployment?