Advertisement
Promo

Security threats Toolkit

Infosecurity Europe 2008

Virtualisation vendors warn of security challenges

Tom Espiner ZDNet.co.uk

Published: 15 Apr 2008 16:05 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Two major figures in virtualisation security have warned of challenges facing IT managers in implementing secure virtual environments.

Speaking at the RSA Conference in San Francisco on Friday, Simon Crosby, chief technology officer for XenSource, said security policies could be broken by misconfiguration.

"Virtualisation can challenge an IT organisation's infrastructure, which suddenly becomes dynamic," said Crosby. "You can shift a workload from server A to server B, but if the security policy doesn't follow, [virtualisation] has broken it. That's a challenge."

Crosby warned that throwing random data at the interface between the guest software and the controlling hypervisor could result in successful attacks.

"Attacks known to-date involve fuzzing the emulation interface between the guest and the hypervisor, but they are largely hypothetical," said Crosby. "Up until now, security has not been a major issue. Threats to the hypervisor are currently minor — there haven't been many attacks to date, although they will come."

IT managers should put in place systems to verify that virtual appliances haven't been modified, including systems that check open-source virtual Just Enough Operating Systems (JEOS) and Microsoft's Hyper-V appliance. "If you have your own [virtual] JEOS update itself that's a disaster waiting to happen. And Hyper-V has the full attack surface of any operating system, which is not a good thing," said Crosby.

Read this

Feature
Feature: Ten things you can do to help open source

Ask not what open source can do for you and your business, but what you can do for open source...

Read more +

Crosby said that in general virtualisation reduced the number of points of entry into operating systems, but that vendors relying on kernel access to implement security would run into difficulties. "We reduce the scope of threats because we reduce the attack surface of the operating system," said Crosby. "The challenge is the way security technologies rely on being inside the operating system to protect against attack."

Stephen Herrod, chief technology officer for VMware, who was also speaking at the RSA Conference, claimed virtualisation would improve IT security due to fewer third-party drivers introducing vulnerabilities. "The notion that the surface area of attack increases — well, there's an opportunity to have less layers running in the machine if it doesn't have a plethora of drivers plugging in and out," said Herrod.

Infrastructure vulnerabilities introduced through misconfiguration should be a concern for IT professionals, according to Herrod. "Virtual environments can be disruptive [due to] new APIs and security tools to plug into. Security issues can be caused by misconfiguration."

Herrod added that server virtualisation should be less of a concern than PC virtualisation security. "With server virtualisation the benefits are profound. Security is all centralised and managed from one place: there's only one image to patch. The challenge is to deliver an end-to end-secure and gorgeous PC experience."

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON
Infosecurity Europe 2008

Did you find this article useful?


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More in this Special Report

Blog: Social networking and portability

Blog: Social networking and portability

One of the more interesting speakers at Infosec's "Locking Down Social Networking Vulnerabilities" event today was Giles Hogben of the European Network and Information Security Agency (ENISA) more

ICO: Data-protection spot checks due this year

ICO: Data-protection spot checks due this year

The information commissioner has confirmed that his office will be getting new powers to carry out spot checks on any company in the UK holding data on individuals more

Infosecurity Europe 2008: Preview

Infosecurity Europe 2008: Preview

Over 11,000 delegates and 320 exhibitors will attend one of Europe's largest IT security shows on Tuesday at London's Olympia conference centre more

Security breaches down, says IT security report

Security breaches down, says IT security report

The latest Information Security Breaches Survey has reported that while the number of security breaches has fallen in the past two years, the average spend on defences has increased more

Facebook admits to increased attacks by spammers

Facebook admits to increased attacks by spammers

The social-networking site has come under increased attack by spammers and phishers this year, according to its head of security more

Security industry gears up for biggest UK event

Security industry gears up for biggest UK event

Infosecurity Europe 2008 is underway in London and will include keynotes and product demos from the some of the leading organisations in IT security more

Vendors urged to take responsibility for security

Vendors urged to take responsibility for security

When it comes to the security of hardware and software, suppliers should be put on the spot, argue experts at Infosecurity Europe 2008 more

Media lobbying 'watered down' data-misuse laws

Media lobbying 'watered down' data-misuse laws

As a result of media lobbying, the information commissioner says another serious data breach will need to occur before prison sentences for data misuse are imposed more

HMRC data loss blamed on targets

HMRC data loss blamed on targets

Merlin, Lord Erroll, believes targets and budgets rather than individuals should be blamed for the loss of 25 million UK citizens' confidential records last year more

Former White House adviser talks mobile threats

Former White House adviser talks mobile threats

Security strategist Howard A Schmidt discusses whether mobile attacks are overhyped and what new risks have been introduced by virtualisation more

Security expert voices virtualisation concerns

Security expert voices virtualisation concerns

Mikko Hyppönen, chief research officer for security specialist F-Secure, claims virtualisation technology will have its own specific security threats more

Lord: No proof any data was lost from HMRC

Lord: No proof any data was lost from HMRC

Security expert Merlin, The Earl of Erroll, claims no evidence has come to light to prove data was actually lost in last year's HMRC missing-disc incident more

More In Security threats


Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

Official Organizations Losing Data

How does this article from earlier today make you feel? How many more government, health service, or military officials are going to lose pen drives, DVDs, USB hard disks and even entire... More

2 comments

Twitter hack was DNS redirect

Twitter has said an attack on Thursday which took the site offline for many users was the result of a DNS redirect. A group calling itself the Iranian Cyber Army redirected users... More

1 comment

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Win a BlackBerry with Vlingo voice recognition

Win a BlackBerry with Vlingo voice recognition

What is ZDNet UK's usual tagline?

Competition closes - 14 Jan 2010


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters