Tall fences make good neighbors. That goes for life in suburbia and, apparently, on the inside of computers.
The profile of virtualization is growing and, with it, the importance of virtualized security. It makes sense that this would be a big issue. It is impossible to get something for nothing: Virtualization squeezes multiple operating systems onto a single physical machine. That saves space and overhead -- good things, certainly -- but also creates the possibility of a problem impacting a greater proportion of what the company is doing.
This week, VMware patched a critical vulnerability found by Core Security. The problem, according to this SC Security report, appears to be a big one: In a properly working machine, resident virtualized systems (guests) can transfer data to non-virtualized host systems. In scenarios using shared folders, the vulnerability enables hackers to move from being a guest to taking full control of the host machine. The versions of VMware impacted are Workstation 6.0.2 and earlier; VMware Workstation 5.5.4 and earlier; VMware Player 2.0.2 and earlier; VMware Player 1.0.4 and earlier; VMware ACE 2.0.2 and earlier and VMware ACE 1.0.2 and earlier.
This eCommerce Times piece on virtualized security is part of a series on all aspects of virtualization. It starts with the interesting observation that people are not even sure if virtualization is more or less secure than other forms of computing. A clear upside is that hackers cannot be as sure of the structure of the virtualized environment as they can of traditional environments. Well placed traps can thwart exploits.
The group that says virtualization is less secure point to vulnerabilities to the hypervisor, the software that manages operations. They say that it acts as magnets for the bad guys. The piece concludes by suggesting that virtual security costs far less than traditional security.
This Network World piece starts by suggesting that few companies are paying attention to security concerns as virtualization quickly proliferates. The writer says that the nature of virtualization means legacy security approaches are inadequate. The point is that software can be freed from the confines of a single operating system, but it won't go anywhere -- safely, at least -- without security software that can go with it. The piece then describes VMware's VMsafe as the first virtualized security process that uses an application programming interface (API) to deeply interact with the hypervisor.
VMsafe is getting some traction. Late last month, VMware and McAfee announced a broad virtualization agreement. The companies announced that McAfee would embed VMsafe technology into its products and that it has signed an original equipment manufacturer (OEM) agreement to use the technology in its ESX Server. The release also said that McAfee has unveiled a beta of an e-mail and Web security virtual appliance designed to run on VMware. Finally, McAfee said that it has started a virtual infrastructure security assessment service.
There are a lot of angles to the virtualization issue. Nemertes Research looked at virtualized security in the context of a broad data center environment. There are four stages to deployment, the report says: testing and development; basic services; production pools; and complete virtualization. The study describes these and looks at hybrid environments and dynamic environments. The report discusses how to assess virtualization risk and concludes that more investment is necessary to help this form of security mature.