First Gartner published a report in April arguing that virtualization, which the company had earlier called a "mega trend", presents security risks. Now a more recent article in DarkReading suggests that it is not just Gartner consultants who hold that opinion. In Security Fears Slow Virtualization, the site reports that about 50% of IT professionals who are either using virtualization technology (VT) today or considering adoption in the next 18 months believe it introduces new security challenges.
Among the respondents to the emedia survey, the chief security concerns were about virtualization patching and updates (32 percent), guest-to-guest attacks (27 percent), and the addition of new host software (22 percent).
This echoes the risks pointed out by Gartner, which included the observation that network-based intrusion detection/prevention systems have no visibility into intra-VM traffic. (That limitation only applies when the VMs are on the same physical host; traffic between VMs on different hosts still crosses the physical network, where a sensor can see it.) Stranger still, according to DarkReading, is the finding that the later an IT shop plans to implement virtualization, the greater its security concerns. This can be interpreted in two ways. One is insufficient information: the more people learn about VT, inevitably at the 11th hour when the project is going live, the more comfortable they become. The other is selection bias: a system administrator who is concerned about a technology is not going to deploy it any time soon, so the answers are consistent with prioritization.
But backtracking for a minute, these articles seem to miss the bigger picture, namely that, properly used, virtualization can be an important weapon for improved security. It provides compartmentalization between different components of a system running on the same hardware, and does so with assurance greater than any other mechanism, including operating systems or constrained programming environments such as Java. For example, using a virtual machine to experiment with malware is standard practice among researchers. Many trees were killed over academic papers suggesting designs that employ VMs to confine untrusted applications. Similarly, the paper When Virtual Is Harder Than Real pre-dated Gartner's critique and pointed out the security challenges of virtualization in a much broader context than enterprise hardware consolidation. For example, the authors noted that when VMs are used for mobility, integrity of the image becomes crucial, because infecting a machine image is equivalent to a virus infecting a binary: a compromised image carries the infection to every host it is moved to. The bottom line is that few of these concerns are new. Virtualization can be (and has been) leveraged in ways that increase security assurance. Equally likely is a configuration that aggravates one or more existing problems, such as patch management, which take on an added dimension in the context of VT.
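The image-integrity point deserves a concrete illustration. The following is an added example, not code from the original post or from the paper it cites. It assumes a mobile VM image is an ordinary file on disk and that a trusted party issued a manifest (image name plus SHA-256 digest) bound with an HMAC under a key the launching host holds; the key, file name and "infection" are all constructed for the demo. The check refuses an image whose digest no longer matches, and also refuses a manifest that an attacker rewrote to match the infected image without knowing the key.

```python
"""Integrity check for a mobile VM image before it is launched.

Added example, not from the original post. Assumes: the image is a file on
disk; a trusted party issued a manifest {image name, sha256} and bound it
with an HMAC under a key the launching host holds. Key and data below are
constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, Tuple

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image is never read whole


def sha256_file(path: str) -> str:
    """Stream the image through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body: Dict[str, str]) -> bytes:
    # Deterministic encoding so issuer and verifier MAC the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_manifest(path: str, key: bytes) -> dict:
    """Trusted side: record the image digest and bind it with an HMAC tag."""
    body = {"image": os.path.basename(path), "sha256": sha256_file(path)}
    tag = hmac.new(key, _canonical(body), "sha256").hexdigest()
    return {"body": body, "tag": tag}


def verify_image(path: str, manifest: dict, key: bytes) -> Tuple[bool, str]:
    """Launching side: authenticate the manifest first, then check the image."""
    expected = hmac.new(key, _canonical(manifest["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, "manifest tag mismatch"
    if not hmac.compare_digest(manifest["body"]["sha256"], sha256_file(path)):
        return False, "image digest mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: clean image, infected image, forged manifest."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "guest.img")
        with open(path, "wb") as f:
            f.write(os.urandom(4096))  # stand-in for a disk image
        manifest = issue_manifest(path, key)
        clean = verify_image(path, manifest, key)

        # "Infect" the image: flip one byte, as a virus patching a binary would.
        with open(path, "r+b") as f:
            f.seek(100)
            b = f.read(1)[0]
            f.seek(100)
            f.write(bytes([b ^ 0xFF]))
        infected = verify_image(path, manifest, key)

        # Attacker rewrites the manifest digest to match the infected image
        # but cannot recompute the tag without the key.
        forged = {"body": dict(manifest["body"], sha256=sha256_file(path)),
                  "tag": manifest["tag"]}
        forged_result = verify_image(path, forged, key)
    return {"clean": clean, "infected": infected, "forged": forged_result}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} -> {'launch' if ok else 'refuse'} ({why})")
```

Two caveats apply in a real deployment. An HMAC lets anyone who can verify also forge, so the manifest would normally carry a signature from the image issuer rather than a shared-key tag. And the digest must be taken over the bytes that are actually mapped at launch; checking a copy earlier and then booting from a writable, unchecked path reopens the gap the check was meant to close.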