The Virtualization Room

Nov 13 2008   10:52AM GMT

Virtual machine security threat levels; don’t believe the hype

Bridget Botelho

I received an email the other day from Wayne, Pa.-based SunGard Availability Services outlining some “essential” steps for addressing virtualization security challenges. In their email, the company urges users to take certain measures, including installing security software, to make sure their virtual machines (VMs) are safe from security threats.

There are many virtualization security products on the market today, yet reports of major VM security breaches are nil. In fact, the largest virtualization vendor, VMware Inc., asserts that its software is completely secure – possibly more secure than physical machines.

And even though the majority of VM security breaches I’ve heard about were hypothetical, performed by scientists through demonstrations or at hacker conventions, not in real data centers, I still receive a steady flow of press releases and product announcements addressing VM security issues.

So now, when I see security vendors warning users about un-named threats they need to prepare for, I am reminded of the U.S. Homeland Security Threat Level warning system.

[Image: TSA graphic of the Homeland Security Threat Level System.]

Unfortunately, there are no published criteria for the threat levels of the Homeland Security system, so there is no way to tell whether the current threat level is accurate. And by the way, the threat levels have never been green or blue.

Because of this, the system can be manipulated by government officials. For example, during the Presidential election of 2004 when Republican President George W. Bush was running against Senator John Kerry, the Homeland Security Threat Level was bumped up, prompting some academics to speculate this was done by the Bush administration to scare voters into re-electing him. If so (and we will never know), it worked.

Unfortunately, decisions based on fear are usually not well thought out.

But I haven’t heard of any 9-11-style attacks on virtual infrastructures, and the virtualization users I speak with aren’t convinced they have anything to worry about. The thing that gets people to buy into virtualization security software is that haunting “what if” question that makes everyone default to the “better safe than sorry” mantra. After all, there is no harm in taking proactive steps to protect against the unknowns - just in case.

For instance, according to this article on the security benefits and risks of virtualization, “the [virtualization] drawback is based on fear of threats that aren’t around today but could become serious problems in the future.” Natalie Lambert, a security analyst with Cambridge, Mass.-based Forrester Research, continues in the article:

“One big concern is about what could happen if a flaw were found in a hypervisor, which would give attackers access to thousands of desktops sitting on a virtual server…That’s not a reality today, but it’s certainly a fear for the future.”

And as SunGard said in its email, “With many organizations focusing on virtualization benefits, they must also examine core risks before it is too late – meaning security needs to be built in from the start.”

It is why we buy life insurance and car insurance and fire insurance for our homes. (Those damn what ifs and their expensive safeguards).

So, for the paranoid among us, check out SunGard’s suggestions for securing your virtual infrastructure here. As they say, better safe than sorry, right?
