The sheer capacity of today’s virtual machines means that they can handle more critical data and perform more tasks than ever before. An increasingly core part of mission-critical IT infrastructure, virtualisation is growing as a platform for managing customer data, financial transactions, and the applications that businesses use every minute of every day. This reliance on virtualised environments has moved the issue of securing them higher up on the business agenda, with Kaspersky Lab research suggesting that for 21 percent of enterprise-level IT managers, it is one of their top three IT security priorities.[i]
In order for modern businesses to be successful, it is imperative that virtual environments work as planned and are secure. However, securing a virtual network is still something of a dark art, and all too often businesses simply apply security measures developed for physical machines, which can leave the business exposed to a whole slew of risks, from performance issues to security vulnerabilities.
With this growing global focus on virtualisation in mind, and in a bid to ensure businesses stay protected whilst getting the most out of their investment, we’d like to highlight a few common misconceptions about virtualisation security in an effort to guide CIOs and their IT managers towards smarter decisions about IT security policies.
Myth 1: “I don’t need additional security. The endpoint security software I use to protect my PCs, mobile devices and servers can protect my virtual environment too.”
Reality: This is a very common misperception; it is often the root cause of many challenges that IT departments face while trying to secure their virtual network. Most traditional endpoint security solutions aren’t virtual-aware. So while they may provide the same protection they deliver on physical systems, they do so at the expense of performance. (For example, they would have to download updates separately for each and every virtual machine.)
Myth 2: “It may not be perfect, but my existing anti-malware doesn’t interfere with the operations of my virtual environment.”
Reality: It does, and performance issues can create security gaps that didn’t exist before.
Traditional endpoint security uses what’s known as an agent-based model where each physical and virtual machine gets a copy of the security program’s agent, and this agent communicates with the server while performing its security tasks. This works fine for physical machines, but if you have 100 virtual machines, this means you have 100 instances of this security agent plus 100 instances of its malware signature database running on a single virtual host. This high level of duplication affects performance, wastes storage capacity and can result in a time-lag between boot-up and protection of the virtual machines.
Myth 3: “Virtual environments are inherently more secure than physical environments.”
Reality: This just isn’t true. Remember, virtualisation is designed to allow software, including malware, to behave as it normally would. In the end, malware-writers will target any and all weak points in a business network to accomplish their criminal goals. As virtual networks become hosts for more critical business operations, the bigger the target they’ll become.
Take into consideration the data held on your virtual network; it’s just the same as it was on your physical machines. Virtual machines may be gateways to a server, or the server itself may be a virtual machine. Either way, the cybercriminals want access to the data. If an attacker compromises one virtual machine, it’s possible for them to replicate their code across all virtual machines on the same physical server, further maximising their opportunity to steal important business data.
Myth 4: “Using non-persistent virtual machines is an effective way to secure my network.”
Reality: In theory, this makes sense, as any machine that encounters malware is wiped away and recreated cleanly, something that happens with virtual desktop infrastructure every day. But security firms have begun seeing malware that is designed to survive the “tear-down” of individual virtual machines by spreading across a virtual network, allowing it to return when new virtual machines are created.
If the policy allows new machines to be easily created on-demand, this can also result in “virtual machine sprawl,” where a virtual machine could be created and forgotten, creating the risk of unmaintained virtual endpoints operating outside your IT department’s knowledge or control.
Even if the rest of your virtual machines are secure, it’s possible for one virtual machine to “eavesdrop” on the traffic to another, creating a privacy and security risk. And even a ‘non-persistent’ infection can compromise sensitive information (a login or password, for example). Not to mention the fact that most virtual machines are “persistent” servers, meaning they’re not shut down even in the event of a security threat. Recent research found that more than 65 percent of businesses worldwide will have some form of server virtualisation within the next 12 months, and these servers need to be “on” all the time for the business to function, so the “tear-down” approach to security isn’t viable in this situation.
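One practical defence against the sprawl problem described above is to reconcile the hypervisor’s VM inventory against the endpoint list held by the security management console, so that forgotten or never-enrolled machines surface. The script below is an added illustration, not Kaspersky Lab’s code; the two inventories are constructed sample data, and it assumes each can be exported as simple name/date records.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): what the hypervisor reports.
HYPERVISOR_VMS = [
    {"name": "web-01",   "powered_on": True,  "created": "2014-01-10"},
    {"name": "db-01",    "powered_on": True,  "created": "2013-11-02"},
    {"name": "test-tmp", "powered_on": True,  "created": "2014-02-20"},  # forgotten test box
    {"name": "old-vdi",  "powered_on": False, "created": "2013-06-15"},
]

# Constructed sample data: what the security management console knows about.
CONSOLE_ENDPOINTS = [
    {"name": "web-01",  "last_checkin": "2014-03-01", "signatures": "2014-03-01"},
    {"name": "db-01",   "last_checkin": "2014-01-05", "signatures": "2014-01-05"},  # stale
    {"name": "retired", "last_checkin": "2013-12-01", "signatures": "2013-12-01"},  # VM gone
]


def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")


def reconcile(hypervisor_vms, console_endpoints, now, max_age_days=14):
    """Compare the hypervisor VM inventory with the security console's endpoint list.

    Returns three sorted name lists:
      unprotected: powered-on VMs the console has never seen (likely sprawl)
      stale: known endpoints that have not checked in within max_age_days
      orphaned: console records for VMs that no longer exist on the hypervisor
    """
    now = _d(now) if isinstance(now, str) else now
    cutoff = now - timedelta(days=max_age_days)
    vm_names = {vm["name"] for vm in hypervisor_vms}
    ep_by_name = {ep["name"]: ep for ep in console_endpoints}
    unprotected = sorted(vm["name"] for vm in hypervisor_vms
                         if vm["powered_on"] and vm["name"] not in ep_by_name)
    stale = sorted(name for name, ep in ep_by_name.items()
                   if name in vm_names and _d(ep["last_checkin"]) < cutoff)
    orphaned = sorted(name for name in ep_by_name if name not in vm_names)
    return {"unprotected": unprotected, "stale": stale, "orphaned": orphaned}


if __name__ == "__main__":
    for category, names in reconcile(HYPERVISOR_VMS, CONSOLE_ENDPOINTS, "2014-03-05").items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Powered-off VMs are deliberately left out of the unprotected list, since they pose no live risk until started; run the check on a schedule and treat any non-empty result as an inventory ticket.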
Myth 5: “If I decide to use a specialised virtual security program, they’re all more or less the same.”
Reality: Most traditional endpoint security measures take an agent-based approach, but a virtualised environment needs flexibility to ensure total protection. In many cases this will be a blend of agent-less and light-agent security to provide advanced protection for a whole spectrum of different virtual environments, including VMware, Citrix and Microsoft. There is no one-size-fits-all solution, and the right application or combination of applications depends entirely on what you’re trying to protect. A non-web-connected server is going to have entirely different security needs to a virtual desktop or a server that manages customer information.
The agent-less model offers performance advantages by performing security tasks away from the virtual machine. This means, for example, that you only need to download anti-virus updates once, for all virtual machines. But there are limits to the ability of agent-less software to perform advanced security management and network protection tasks on virtual endpoints. A light-agent solution, on the other hand, can offer the best of both worlds over existing agent-less and agent-based security models, bringing centralised control together with extra security features, including application controls and web usage policy enforcement, to virtualised environments.
Specialised software and expertise are required to build and maintain a virtual network. So as virtualised environments become a standard feature of the business environment, it is critical that businesses deploy appropriate solutions that allow growth but also maintain security.
By David Emm, Senior Security Researcher, Kaspersky Lab
Bio: David has been with Kaspersky Lab since 2004. In his role as Senior Technology Consultant David presented information on malware and other IT threats at exhibitions and events, and provided comment to both broadcast and print media. He also provided information on Kaspersky Lab products and technologies. He was promoted to his current position in 2008. David has a particular interest in the malware ecosystem, ID theft, and Kaspersky Lab technologies, and he conceived and developed the company’s Malware Defence Workshop.
David has worked in the anti-virus industry since 1990 in a variety of roles. Prior to joining Kaspersky Lab David worked as Systems Engineer, Product Manager and Product Marketing Manager at McAfee; and before that as Technical Support Manager and Senior Technology Consultant at Dr Solomon’s Software.
[i] B2B International IT Survey Risks Survey (March 2014)