The increasing popularity of virtualisation technologies within the enterprise has raised questions about how secure these environments are, according to a panel of expects speaking at a roundtable, hosted by security firm Check Point.
Nick Lowe, Check Point regional director, Northern Europe said that the cost-effective nature of cloud computing will encourage more companies to move their operations there, but this means attackers will almost certainly follow.
“Cloud computing and virtualisation technology will affect how we look at security,” he said. “If you introduce a new technology, the addressable attack vectors will increase. We will see attacks that are directed at virtual environments, that’s just a matter of time. The added complexity of virtualised environments is a risk.”
Virtualised environments are essentially a single entity, which increases the possibility of an attack, Lowe added. “You are bringing application services into a single entity and in doing that there is a risk that you are going to deny yourself access points where you’d traditionally secure an infrastructure. We have to look at new ways of getting in between applications when they exist on a single entity,” he said.
Simon Perry, principal analyst with Quocirca, agreed that the shift to virtualised environments had changed the security landscape. Perry identified a ‘choke point’ in the hypervisor at the centre of the virtual infrastructure as being a big security risk. “That’s the jackpot,” he said, “because if I can get to the physical machine then I can gain access to any number of virtual machines. Will we see attacks targeted at this choke point? Yes. Will some of those attacks be successful against the hypervisor? Yes.”
Flaws in the hypervisor will make it an attractive target for cyber criminals, Perry added, but the level of complexity and amount of code within it mean that it is quite difficult to attack. “The level of skill required to successfully create an attack vector that targets the hypervisor is higher than require to get into an application or network,” he said. The operating system that they hypervisor runs on and the system admin are the two main areas that will be targeted, Perry added.
The key to improving security for virtualised environments is adopting enterprise-wide best practice, rather than limiting it to the virtual environments, according to Perry. “I don’t think we should have a best practice for virtualisation, I think we ought to have one across the enterprise,” he said. “Virtualisation was not invented to make you more secure – it was invented for cost and efficiency gains – and we now seem to be chasing the security side.”
The best practice, Perry added, is to plan the security before investing in a new technology.