VM Security Challenges and Improvements

Virtualization is a double edged weapon. If it provides remarkable benefits, it could also create challenges for the users as far as data security is concerned.

While File Sharing

During uploading and downloading data and file sharing any guest machine with malicious malware could compromise security of VM. The Data Breach resulted during file sharing process requires attention of administrators to protect with deployment of firewalls.

By introduction of virtual switch the data breach could be controlled. It is the software which isolates virtual machines and controls communication between virtual machines.

The next option for data protection is “encryption of virtual hard disk”. Complete hard disk encryption protects all the data on a hard disk. Whenever anybody tries to copy the hard disk of a virtual machine the copied or stolen data wouldn’t be readable. Hypervisor and VMware have got built in data encryption software for this purpose.

Compromising Virtual Machine OS

In cases where VM’s OS is compromised, VMs will be definitely compromised too. In virtual environment hypervisor is the sole controller of all the system. It is handling the usage/sharing of CPU, memory and network bandwidth. If it is hit by malware at one guest machine, other guest machines could also become under attack.

To improve hypervisor security following measures could be taken:

1.   Hypervisor software updates released by the vendor should be installed regularly. If possible the settings should be such that updates are installed automatically.

2.   Use thin hypervisor instead of normal hypervisor. It uses lesser resources. It also reduces chances of malware to attack by removing the extraneous software. It could be installed on laptop or desktop and functions as OS. It contains application program interfaces which serve as management and monitoring tools, thus separate OS and management software are not required resulting in less malware attacks.

3.   Always keep unused hardware disconnected when not in use i.e. for backups external disk drives are used. Those should be disconnected when idle. Same is the case for Multiple Network Installation Cards (NICs). Idle NICs should be removed when not in use.

4.   There should be data security between physical machine and virtual machine. When file sharing between both are not required the file sharing option should be disabled.

5.   If a certain VM is crashed due to any reason it is moved to another VM. During this movement the data is shifted to new host through network. That movement or shifting should be through some isolated network which is not vulnerable to open access of network users.

Admin Access Controls

While in physical infrastructure servers are managed by server administrators and networks by network administrators separately. As a contrast in virtual environment both server and network administrations are controlled by the same control interface. This scenario presents challenges for the security teams to prevent data breaches. Access controls over different levels have to be implemented to ensure data security.

The virtualization systems have some default settings which could be changed as and when required by administrators. However, if the same are not changed they may provide access to all options to the same administrator. That has to be taken care of.

Partitions and Other Resources

Usually more than one VM are running at a single physical server. The resources are allocated through hypervisor as per some schedule. Different data storage may be available to different VMs. RAM, CPU, and Bandwidth though have to be shared among available VMs. Due to any virus attack at any point of time a single VM may start using more resources than are allocated to it, resulting in some other VM lacking those. This challenge has to be tackled and has to be monitored by the admin.

Firewall Protection

When VMs are invented and deployed firewalls were in action much earlier before. After VM’s inception of course changes and updates occurred in firewall but there could still be old ones in action which could be unable to take care of latest threats. When there is any problem with certain VM usually it has backups and is shifted to any other working backup to maintain the continuity of business. In this case old conventional firewalls would also be handicapped.

 Virtual LAN Protection

When virtual LANs are grown to a certain limits it becomes difficult to manage the security of access control lists. The chances of intrusions increase. Proper antivirus and firewall protection need to be implemented with VLANs so that they do not become the source of intrusion for VMs.

Network Data Storage

Where VMs are directly connected to data storage it will make them vulnerable. A compromised VM will eventually compromise the data storage as well and will multiply the result of disaster. Data Storage Networks should always placed under protection of firewalls.

Sharing Antivirus

A separate antivirus has to be installed at every VM. Thus if a single VM is compromised it may not harm other residing VMs over the same physical machine. This may over load a physical machine as the antivirus will be using a substantial portion of available resources.

Summary

VMs security faces different challenges that may or may not be similar to physical machines. The challenges faced are more difficult to handle as compared to faced by physical servers. Storage, networks and accessibility at all levels require security accordingly. Conventional firewalls and antivirus software are unable to handle security issues when the number of VLANs increases from certain limits.