Do you care about virtualization security?
Then get out of the security or virtualization biz.
Do you work for VMware?
Good. Go hire the guy that wrote it.
I’ll admit I might be a bit biased; Chris Hoff is a good friend (but I deny my wife’s accusation that we have a man crush thing going on). We’ve been doing a fair bit of work together and have some upcoming speaking gigs. But I like to think I can set my bias aside, that being a major part of my job, and Chris’ post on virtualization security is the best summary of upcoming issues I’ve seen yet.
Rather than repeat his Four Horsemen of the Virtualization Security Apocalypse, I’ll add on with a little advice on what you can do today, while waiting for VMware to hire Chris and get this stuff fixed. These suggestions are very basic, but should help you when you finally do have to run around fixing everything. Flat out, these aren’t anything more than Band-Aids to hold things together until we have the tools we need.
- Don’t mix high and low value VMs on the same physical system: If something is really really sensitive, don’t put it on the same physical box as the beta version of your new social networking widget. At the least, this will let you apply the same security controls to the entire box, even if you can’t set controls between those VMs on the same hardware.
- Threat model VM deployments: Set a policy that security has to work with ops and threat model VM deployments. This will feed directly into the next suggestion, and get security into the game.
- Cluster VMs based on similar threat/risk profiles: If you have three VMs facing similar threats, try and group them together on the same physical server. This helps you apply consistent network-level security controls.
- Separate VMs where you need security barriers or monitoring in between: Some systems under like threats still need to be separated so you can still apply security controls. For example, if you need to wall off a database and application, don’t put them on the same physical server, which is the equivalent of dropping them into a black hole.
That’s three points that essentially say the same thing: clump stuff together as best as possible so you can still use your network security. Really freaking basic, so don’t pick on me for stating the obvious.
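The placement rules above can be checked mechanically against a VM inventory. The Python script below is an added example, not part of the original post; the inventory format, host and VM names, tier and profile labels, and rule names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory: (vm, physical host, value tier, threat profile)
INVENTORY = [
    ("payroll-db",  "esx01", "high", "internal-data"),
    ("widget-beta", "esx01", "low",  "internet-facing"),
    ("crm-app",     "esx02", "high", "internal-app"),
    ("crm-db",      "esx02", "high", "internal-data"),
    ("hr-db",       "esx03", "high", "internal-data"),
    ("finance-db",  "esx03", "high", "internal-data"),
]
# Constructed: VM pairs that need a network control or monitor between them.
BARRIERS = [("crm-app", "crm-db")]


def audit_placement(inventory, barriers):
    """Return sorted (rule, host, detail) findings for the placement rules."""
    by_host = defaultdict(list)
    host_of = {}
    for vm, host, tier, profile in inventory:
        by_host[host].append((vm, tier, profile))
        host_of[vm] = host

    findings = []
    for host, vms in by_host.items():
        names = ",".join(sorted(vm for vm, _, _ in vms))
        # Rule 1: high and low value VMs share one physical box.
        if len({tier for _, tier, _ in vms}) > 1:
            findings.append(("mixed-value", host, names))
        # Rule 2: VMs on one box should share a threat/risk profile.
        if len({profile for _, _, profile in vms}) > 1:
            findings.append(("mixed-profile", host, names))

    # Rule 3: a pair that needs a barrier sits on the same host, so traffic
    # between the two never crosses the physical network controls.
    for a, b in barriers:
        if a in host_of and host_of[a] == host_of.get(b):
            findings.append(("barrier-collapsed", host_of[a], f"{a}<->{b}"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, host, detail in audit_placement(INVENTORY, BARRIERS):
        print(f"{host}: {rule}: {detail}")
```
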
Oh, one last point, maybe try a little information-centric security? Over time we’re going to lose more and more visibility into network communications and won’t be able to rely on our ability to sniff traffic as a data-level security control. Between collapsing perimeters, increasing use of encryption, and data-level security controls, never mind business innovation like virtualization, our network-centric models will just continue to lose effectiveness.