Security practices wanting in virtual machine world, survey finds
Organizations leaning too heavily on virtualization vendors for protection, BeyondTrust finds
By John P. Mello, Jr.
May 09, 2013 — CSO — While organizations have been hot to virtualize their machine operations, that zeal hasn't been transferred to their adoption of good security practices, according to a survey released on Wednesday.
Nearly half (42 percent) of the 346 administrators participating in the security vendor BeyondTrust's survey said they don't use any security tools regularly as part of operating their virtual systems, and more than half (57 percent) acknowledged that they used existing image templates for producing new virtual images.
In addition, nearly two-thirds of the respondents (64 percent) revealed that their organizations do not have any controls in place that require a security sign-off before a new image or template is released.
Insecure practices when creating new virtual images is a systemic problem among administrators, said Michael Yaffe, BeyondTrust's senior director for product marketing. "As these guys are cloning images, we saw they could actually be perpetuating templates with vulnerabilities across the organization," he told CSO.
Unless security due diligence is done on those templates before they're duplicated severe, critical flaws can be spread throughout an organization, he continued. "While VMware is fantastic tool to help productivity, it can -- because of its scale and scope and people's ability to use it -- introduce significant security risks if you don't do your due diligence ahead of time."
Vulnerabilities spread by dirty templates can be in the guest operating systems on the virtual machine or in the virtual software itself, explained BeyondTrust's senior director for program management, Morey Haber.
In conjunction with its survey, BeyondTrust released a new plug-in for VMware vCenter that provides vulnerability information to virtual machine administrators in the existing VMware console. The tool adds a tab to the console that shows all the vulnerabilities and security risks of all running virtual machines.
"If an administrator clones a machine or rolls back a snapshot," Haber said, "the security risks that those machines represent are bubbled up to the administrator, and they can make decisions as to whether they should be powered on, off or left in state."
That's especially important if an organization must meet compliance rules like PCI and HIPAA. "When you deal with any of those regulatory initiatives, you shouldn't be bringing machines online that have vulnerabilities older than 30 days," Haber said.
"Our technology allows you to view that data in near-real time on those dashboards so you can make the proper assessments," he added.
While the findings in the survey are interesting, they're far from shocking, observed Simon Crosby, CTO and co-founder of Bromium, a maker of security software for virtual environments. "It's pretty clear that virtualization has ripped up operational practices and that security lags woefully behind the operational practice of managing the virtual infrastructure," he said in an interview.
Making matters worse is that traditional security tools don't work very well in virtual environments, he added.
In addition, he continued, system operators believe that somehow virtualization provides their environments with security not found in the world of physical machines. "Because their virtual machines are hidden in the data center, they believe that they're more secure," he said. "They certainly are not."
Those sentiments are fed by security vendors, he added. "What worries me a lot is that the language used by the security industry is absolutely bankrupt," he said. "Every single security vendor promises security, and they all lie."
"Every product sounds the same," he continued. "They all make you secure. And none of them deliver."
Read more about application security in CSOonline's Application Security section.