Paul Bonner, Group Head of Technology at HardwareSolutions, looks at how the increasing popularity of virtualisation means that standard security policies may no longer be effective.
There is little doubt that the cloud and virtualisation are playing a big part in all our futures. Despite the odd horror story, virtualisation is ever-present in nearly every area of commercial life.
But, like all white-knuckle rides, there is a time when we have to come back down to earth and face up to the implications. It’s a time to realise that our old-world view of security is not best suited to the world we now inhabit.
Companies have been attracted to such services for a range of very good reasons. They make it easier to provision, move and decommission servers, and simpler to set up new networks. Virtualisation and the cloud can save you time, money, and space – they are even more eco-friendly.
However, companies do not always redraw their security policies to better reflect the new risks posed by the combination of cloud and virtualised environments.
Should you really be concerned?
In the past decade, the key change in most cybercrime is the motivation behind attacks. Where once the impetus behind cyber-attacks was a hacker’s cyber-credibility, today the key driver is monetary gain. More is at stake for cybercriminals today. And thus they will try much harder to access and steal your valuable data.
Cybercrime no longer just threatens well-known, ‘big name’ enterprises either. In addition to the high-profile attacks on the likes of LinkedIn, Wells Fargo and Target that have been making headlines around the world in recent years, Verizon’s 2012 Data Breach Investigations Study produced some surprising results. Of the 855 data breaches they examined, 71% had occurred in businesses with fewer than 100 employees. Even being ‘small’ does not make you invisible to an opportunistic cybercriminal’s eye. It seems that no company is safe anymore.
Yet with the move to the cloud and other forms of virtualisation, the data that makes your company so attractive to nefarious attackers has moved, from servers to behind the walls of cloud providers. And in response, cybercriminals are changing their tactics.
So where do these risks lie?
One of the key concerns for your data centre security strategy is coping with an increased attack surface due to vulnerabilities in virtualised environments.
While many providers can demonstrate high levels of physical security, there are many more weaknesses evident within a virtualised environment – whether in-house or in a provider’s location. A key area of weakness is in server virtualisation.
When multiple computers are run on one physical platform, you introduce a range of new multi-tenant security issues, such as data-remnant risks, whereby one virtual machine (VM) is able to access any data left in memory by another.
Virtual networks also create the problem of network blind spots. Traditional network security appliances are blind to any communications between virtual machines within a single host, because VMs can communicate with each other without a physical network. This opens up a loophole for all sorts of security attacks, one example being inter-virtual machine attacks. A hacker only needs to compromise one VM, and can then leverage that machine to attack all the other VMs aligned to the same host.
Worse yet, the hacker can also use a compromised VM to launch an attack on the hypervisor itself. This technique is known as hyperjacking.
Securing your hypervisor
The hypervisor is the piece of complex software that creates and runs your virtual machines. It is also a highly privileged system, so any vulnerability can have serious consequences. Essentially, the hypervisor has the potential to be a single point of failure. However, the hypervisor runs ‘underneath’ the operating system (OS). This means that regular security measures are ineffective, as the OS will not be ‘aware’ the machine has been compromised.
This is the case with hyperjacking. An attacker takes control of the hypervisor by installing a rogue hypervisor that can take control of the server. Hyperjacking not only allows an attacker to compromise the server and steal data, but also gives them the ability to come back again and again to steal more. This is what makes hyperjacking so especially insidious.
However, there is a relatively simple solution. Introduce virtual gateway software within the hypervisor kernel itself, so that you can monitor and control activity between VMs and from VMs to the hypervisor.
What else can be done to secure a virtualised environment?
What needs to be done to measure and mitigate risk in such environments? The best approach is one that focuses on your data.
What kind of data is being sent to the cloud? Can it be classified according to its importance? Can it be located easily? Does it need to be encrypted? Can it be inspected at regular intervals to ensure it hasn’t been tampered with? Would you know if it had been copied? Can key data be allocated to dedicated servers?
When the security policy categorises data according to the risk of loss, it becomes possible to start to put a strategy in place that ensures that risks are minimised, while at the same time flagging for all to see that some data – such as credit card and customer information – must be given the utmost consideration to mitigate against considerable reputational risk.
A lot of attention by service providers has gone into physical security. Many run their data centres as if they were guarding the Crown Jewels or were Fort Knox. This is to be welcomed. But it does not do anything to reduce the growing influence of criminal gangs operating with near impunity in the online world.
Such gangs have a natural interest in cloud services because of the rich pickings held within their virtual walls. So a security policy needs to be one step ahead of such miscreants. It needs to predict their possible approaches. And it needs to be flexible enough to be reviewed and changed at any time.
Review, and review again, who has access to your data
But aside from illegal activity, there will be many people who have access to your data for legitimate reasons. Each authorised person is a risk that needs to be assessed and reviewed. They range from those employed by the service provider to those within your own business.
The status and responsibility of any of these people can change at any time. Therefore authority of access is something that needs to be carefully considered and – this is key – reviewed regularly. For example, a person may need access to certain data for a set project of work. But this must be denied when this work is over. Such access control is notoriously difficult to police in large, complex organisations which are subject to constant moves and changes.
Companies need to realise that using the Cloud does not get you off the hook. You are still responsible for the security of your data. Be vigilant, and be more demanding of the provider. If he can’t locate your most important data easily, go somewhere else. You need a better provider, and so does your data.