Much has been written about whether virtualization makes an IT organization more or less secure, often with a lot of emotion and sometimes with good logical rigor. One of the best analyses I've read is by Neil MacDonald (Gartner, Inc., "Security Considerations and Best Practices for Securing Virtual Machines," March 2007). Hopefully I've added a meaningful contribution on how to translate theory into practice with the whitepaper I wrote, "Gene Kim's Practical Steps To Mitigate Virtualization Security Risks," which is based on a ten-year study of high-performing IT operations and security organizations.
While writing that whitepaper, I found that one of the most precise ways to explain why virtualization creates unique security challenges is through a concept that financial and operations auditors (and sometimes IT auditors) use in their scoping work: "reliance." A control is relied upon when the achievement of an objective hinges on that control operating as designed to prevent or detect errors.
For instance, under SOX-404, accurate financial reports for the accounts payable process may rely on the automated three-way match control in the ERP system. This control ensures that only invoices with a matching valid purchase order and packing slip are paid. If that control is disabled or bypassed, then we can no longer trust the output of the accounts payable process (which is the beginning of a very bad day).
From an information security perspective, there are all sorts of physical and process controls that we may have unintended reliance on, and that are significantly diminished when the computing environment is virtualized. Here are some examples of how these controls help us in the physical world:
Observable servers in pre-deployment:
As in: "Hey, what is this six-foot pile of servers doing here in the hallway? We don't have any approved capital projects scheduled for rollout for eight more months, and I'm not aware of any software releases being pushed out.
“In fact, I’d better find out who ordered these servers, so I can find out what they’re working on. Maybe we can help them make sure it’s secure, or maybe someone needs to know about a completely unauthorized project that may introduce risks to the organization that’s above their authority to make.”
Virtualization can completely obviate the need for IT to unbox servers, since VM cloning and creation do the same job. That means you may not notice new servers being deployed, because they are no longer stacked in the hall.
Network cabling and VLAN partitioning: High-performing IT organizations often have a set of rituals around release activities, specifically racking and cabling, that resemble ICBM launch procedures (multiple keys, rehearsed ceremonies of authorization before anything happens). Virtualization can turn these elaborate physical rituals into copy-and-paste operations, with perhaps a few changes to the VMM network settings.
No rituals and no supervision or authorization means less control.
Physical data center access: One of the most prevalent preventive controls is controlling who has a cardkey to the data center, to ensure that no unauthorized person can enter it, let alone carry in new servers and cable them into the DMZ.
All of these physical activities require planning and approvals, which gives information security more time to see large-scale release and change activities coming. By watching these processes, information security gains situational awareness, so it can allocate resources to prevent issues that could cause security incidents or organizational risk, or at least detect when those process controls have been circumvented.
Virtualization reduces the need for physical movement and manipulation of equipment in release and change deployment, and degrades the information security practitioner's ability to see and react to the activities that could introduce risk to the organization. If information security practitioners are not aware of the virtualization technologies in use in the organization, and do not put process controls around access, configuration and change, it is nearly equivalent to abandoning all of these controls in the physical environment.
What information security must do
If virtualization degrades controls that information security has unintended reliance upon, we must compensate by increasing the reliability of process controls around access, configuration and change. Information security must ensure that these controls exist and are operating effectively, and furthermore that they can be substantiated: show that every configuration and change was authorized and trusted, and that it was made by staff with authorized access.
Otherwise, information security is asleep at the wheel, letting activities go unmanaged and uncontrolled, which is how information security becomes irrelevant, out of touch, and certainly not influencing the quality of work done by IT. And that doesn't require virtualization!
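One concrete way to substantiate this is a detective control that reconciles the hypervisor's VM inventory against approved change records, flagging every VM that cannot be tied to an approved change, an authorized operator, the approved change window and the approved network. The script below is an added example, not code from the original post or from the whitepaper; the record fields, the hypothetical ticket numbers and all inventory rows are constructed for illustration and are not the schema of any particular hypervisor or change-management system.

```python
"""Reconcile a VM inventory against approved change records.

Added example (not from the original post). All records are constructed
sample data and the field names are assumptions, not the export format of
any real hypervisor or ticketing system.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class VM:
    name: str
    created_by: str        # account that created or cloned the VM
    created_at: datetime   # creation timestamp from the hypervisor log
    network: str           # port group / VLAN the VM is attached to


@dataclass(frozen=True)
class Change:
    ticket: str
    vm_name: str
    network: str           # network the change was approved for
    operators: frozenset   # staff authorized to perform this change
    window_start: datetime
    window_end: datetime


def reconcile(inventory, changes):
    """Return (vm_name, finding) pairs for every VM that cannot be
    substantiated. A VM with no findings has an approved ticket, an
    authorized operator, a creation time inside the approved window and
    the network the ticket approved; everything else is flagged."""
    by_vm = {c.vm_name: c for c in changes}
    findings = []
    for vm in inventory:
        change = by_vm.get(vm.name)
        if change is None:
            findings.append((vm.name, "no approved change ticket"))
            continue
        if vm.created_by not in change.operators:
            findings.append((vm.name, f"created by {vm.created_by}, "
                             f"not an authorized operator for {change.ticket}"))
        if not change.window_start <= vm.created_at <= change.window_end:
            findings.append((vm.name, "created outside the approved "
                             f"window of {change.ticket}"))
        if vm.network != change.network:
            findings.append((vm.name, f"attached to {vm.network}, but "
                             f"{change.ticket} approved {change.network}"))
    return findings


# Constructed sample data: one clean VM and three that should be flagged.
SAMPLE_CHANGES = [
    Change("CHG-1001", "web-01", "prod-web", frozenset({"alice", "bob"}),
           datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 2, 23, 59)),
    Change("CHG-1002", "db-07", "prod-db", frozenset({"dave"}),
           datetime(2024, 3, 5, 22, 0), datetime(2024, 3, 5, 23, 59)),
    Change("CHG-1003", "app-02", "prod-app", frozenset({"alice"}),
           datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 2, 23, 59)),
]

SAMPLE_INVENTORY = [
    VM("web-01", "alice", datetime(2024, 3, 2, 22, 15), "prod-web"),
    VM("db-07", "carol", datetime(2024, 3, 3, 14, 0), "prod-db"),
    VM("test-clone-3", "bob", datetime(2024, 3, 4, 9, 30), "dmz"),
    VM("app-02", "alice", datetime(2024, 3, 2, 22, 30), "dmz"),
]


if __name__ == "__main__":
    for name, finding in reconcile(SAMPLE_INVENTORY, SAMPLE_CHANGES):
        print(f"{name}: {finding}")
```

Run against the sample data, web-01 produces no findings, db-07 is flagged twice (wrong operator and outside its window), test-clone-3 has no ticket at all, and app-02 landed on the DMZ when its ticket approved prod-app. The point is that each of these is a change that a physical process would have surfaced as a pile of boxes, a cabling request or a badge swipe; in a virtualized environment the hypervisor's own records are the only place that evidence exists, so the reconciliation has to be deliberate.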