Domain 13: Virtualization
Virtualization is one of the key underpinnings of Infrastructure as a Service (IaaS) cloud offerings and
private clouds, and it’s increasingly used in portions of the back-end of Platform as a Service (PaaS) and
SaaS providers as well. It is also used extensively with virtual desktops, which are delivered from private
or public clouds.
The benefits of virtualization are well known, including multi-tenancy, better server utilization, and data
center consolidation. Cloud providers can achieve higher density which translates to better margins, and
enterprises can use virtualization to shrink capital expenditure on server hardware as well as increase
operational efficiency.
However, virtualization brings with it all the security concerns of the operating system running as a
guest, together with new security concerns about the hypervisor layer, as well as new virtualization
specific threats, inter-VM attacks and blind spots, performance concerns arising from CPU and memory
used for security, and operational complexity from “VM sprawl” as a security inhibitor. New problems
like instant-on gaps, data comingling, the difficulty of encrypting virtual machine images, and residual
data destruction are coming into focus.
This domain covers these security issues. While there are several forms of virtualization, by far the most
common is the virtualized operating system, and this is the focus in this version of our guidance.
Overview of VM security concerns
VM Guest Hardening
Proper hardening and protection of a virtual machine instance, including firewall (inbound/outbound),
HIPS, web application protection, antivirus, file integrity monitoring, log monitoring. Can be delivered
via software in each guest or using an inline virtual machine combined with hypervisor-based APIs such
as VMware Vshield APIs.
Hypervisor Security
The hypervisor itself needs to be locked down and hardened using best practices, with a primary
concern for enterprises and virtualization users being proper management, configuration and
operations, as well as physical security of the server hosting the hypervisor.
Inter-VM attacks and blind spots
Virtualization has a large impact on network security. Virtual machines now may communicate with
each other over a hardware backplane, rather than a network. As a result, standard network security
controls are blind to this traffic and cannot perform monitoring or in-line blocking. In-line virtual
appliances help to solve this problem, as does API-level integration with hypervisors and virtualization
Copyright © 2011 Cloud Security Alliance
management frameworks. Installing a full set of security tools on each virtual machine is another
approach.
Performance concerns
Installing security software designed for physical servers onto a virtualized server can result in severe
degradation in performance, as some security tasks like antivirus scanning are CPU-intensive. The shared
environment in virtualized servers leads to resource contention. Especially with virtual desktops or high
density environments, security software needs to be virtualization-aware or it needs to perform security
functions on a single virtual machine to support other virtual machines. The difference in density can be
as much as 20 times, depending on server loading and performance.
Operational complexity from VM sprawl
The ease with which VMs can be provisioned has led to an increase in the number of requests for VMs in
typical enterprises. This creates a larger attack surface and increases the odds of a misconfiguration or
operator error opening a security hole. Policy based management and use of a virtualization
management framework is critical.
Instant on gaps
The ease with which a virtual machine can be stopped or started, combined with the speed at which
threats change, creates a situation where a virtual machine can be securely configured when it is turned
off, but by the time it is started again, threats have evolved, leaving the machine vulnerable. Best
practices include network based security and “virtual patching” that inspects traffic for known attacks
before it can get to a newly provisioned or newly started VM. It is also possible to enforce NAC (Network
Access Control)-like capabilities to isolate stale VMs until their rules and pattern files are updated and a
scan has been run.
VM encryption
Virtual machine images are vulnerable to theft or modification when they are dormant or running. The
solution to this problem is to encrypt virtual machine images at all times, but there are performance
concerns at this time. For high security or regulated environments, the performance cost is worth it.
Encryption must be combined with administrative controls and audit trails to prevent a snapshot of a
running VM from “escaping into the wild,” which would give the attacker access to the data in the VM
snapshot.
Data comingling
There is concern that different classes of data (or VMs hosting different classes of data) may be
intermixed on the same physical machine. In PCI terms, we refer to this as a mixed-mode deployment.
We recommend using a combination of VLANs, firewalls, and IDS/IPS to ensure VM isolation as a
mechanism for supporting mixed mode deployments. We also recommend using data categorization
and policy based management to prevent this. In Cloud Computing environments, the lowest common
Copyright © 2011 Cloud Security Alliance
denominator of security could potentially be shared by all tenants in the multi-tenant virtual
environment.
VM data destruction
When a VM is moved from one physical server to another, enterprises need assurances that no bits are
left behind on the disk that could be recovered by another user or when the disk is deprovisioned.
Encryption of all data is the solution to this problem, with keys stored on a policy-based keyserver away
from the virtual environment. In addition, if a VM is migrated while it is running it may be at risk itself
during the migration if encryption is not used.
Virtual machine image tampering
Pre-configured virtual appliances and machine images may be misconfigured or may have been
tampered with before you start them.
Recommendations










Strategy and Architecture Identify which types of virtualization your cloud provider uses, if any.
Consider a zoned approach, with production separate from test/dev, and highly sensitive
data/workloads in different environments than low-need content.
Consider performance when testing and installing virtual machine security tools, as performance
varies widely. Virtualization-aware server security tools are important to consider.
VM-specific security mechanisms embedded in hypervisor APIs must be utilized to provide
granular monitoring of traffic crossing VM backplanes, which will be opaque to traditional
network security controls.
. Evaluate, negotiate and refine the licensing agreements with major vendors for virtualized
environment.
Update the security policy to reflect the new coming security challenges of virtualization if not
yet.
Be aware of multi-tenancy situations with your VMs where regulatory concerns may warrant
segregation.
Validate the pedigree and integrity of any VM image or template originating from any third
party, or better yet, create your own VM instances.
Virtualized operating systems should be augmented by built-in security measures, leveraging
third party security technology to provide layered security controls and reduce dependency on
the platform provider alone.
Virtualized operating systems should include firewall (inbound/outbound), Host Intrusion
Prevension System(HIPS), web application protection, antivirus, file integrity monitoring, and log
Copyright © 2011 Cloud Security Alliance











monitoring, etc. These can be delivered via software in each guest or using an inline virtual
machine combined with hypervisor-based APIs such as VMware vShield.
Secure by default configuration must be assured by following or exceeding available industry
baselines.
Encrypt virtual machine images when not in use, if possible.
Encrypt data accessed by virtual machines using policy-based key servers that store the keys
separately from the virtual machine and the data
Consider to implement data automated discovery and labeling at organization wide to augment
the data classification and control between virtual machines and environments.
Clean any backup and failover systems when destruction/wiping the VM images
Explore the efficacy and feasibility of segregating VMs and creating security zones by type of
usage (e.g., desktop vs. server), production stage (e.g., development, production, and testing)
and sensitivity of data on separate physical hardware components such as servers, storage, etc.
Vulnerability ManagementMake sure that the security vulnerability assessment tools or services
cover the virtualization technologies used.
Remember to patch the images at rest in time
Understand which security controls are in place external to the VMs to protect administrative
interfaces (web-based, APIs, etc.) exposed to the customers.
Administrative access and control of virtualized operating systems is crucial, and should include
strong authentication integrated with enterprise identity management, as well as tamper-proof
logging and integrity monitoring tools.
Have a reporting mechanism in place that provides evidence of isolation and raises alerts if
there is a breach of isolation.
Copyright © 2011 Cloud Security Alliance
Additional Comments
Copyright © 2011 Cloud Security Alliance