I received an email the other day from Wayne, Pa.-based SunGard Availability Services outlining some “essential” steps for addressing virtualization security challenges. In their email, the company urges users take certain measures, including installing security software, to make sure their virtual machines (VM) are safe from security threats.
There are many virtualization security products on the market today, yet reports of major VM security breaches are nil. In fact, the largest virtualization vendor, VMware Inc., asserts that its software is completely secure – possibly more secure than physical machines.
And even though the majority of VM security breaches I’ve heard about were hypothetical, performed by scientists through demonstrations or at hacker conventions, not in real data centers, I still receive a steady flow of press releases and product announcements addressing VM security issues.
So now, when I see security vendors warning users about un-named threats they need to prepare for, I am reminded of the U.S. Homeland Security Threat Level warning system.
Unfortunately, there are no published criteria for the threat levels of the Homeland Security system, so there is no way to tell whether the current threat level is accurate. And by the way, the threat levels have never been green or blue.
Because of this, the system can be manipulated by government officials. For example, during the Presidential election of 2004 when Republican President George W. Bush was running against Senator John Kerry, the Homeland Security Threat Level was bumped up, prompting some academics to speculate this was done by the Bush administration to scare voters into re-electing him. If so (and we will never know), it worked.
Unfortunately, decisions based on fear are usually not well thought out.
But I haven’t heard of any 9-11-style attacks on virtual infrastructures, and the virtualization users I speak with aren’t convinced they have anything to worry about. The thing that gets people to buy into virtualization security software is that haunting “what if” question that makes everyone default to the”better safe than sorry” mantra. After all, there is no harm in taking proactive steps to protect against the unknowns - just in case.
For instance, according to this article on the security benefits and risks of virtualization, “the [virtualization] drawback is based on fear of threats that aren’t around today but could become serious problems in the future.” Natalie Lambert, a security analyst with Cambridge, Mass.-based Forrester Research, continues in the article:
“One big concern is about what could happen if a flaw were found in a hypervisor, which would give attackers access to thousands of desktops sitting on a virtual server…That’s not a reality today, but it’s certainly a fear for the future.”
And as Sunguard said in its email, “With many organizations focusing on virtualization benefits, they must also examine core risks before it is too late – meaning security needs to be built in from the start.”
It is why we buy life insurance and car insurance and fire insurance for our homes. (Those damn what ifs and their expensive safeguards).
So, for the paranoid among us, check out SunGard’s suggestions for securing your virtual infrastructure here. As they say, better safe than sorry, right?