Securing VMware
June 2008

Securing VMware

Analytics Report

As IT groups spawn new virtual machines at a breakneck pace, security is too often an afterthought. Can VMware’s dominance of the enterprise server virtualization market buy us some breathing room?

By Joe Hernick

InformationWeek Analytics Reports

June 2008 © 2008 InformationWeek, Reproduction Prohibited

TABLE OF CONTENTS

Author’s Bio
Executive Summary
Research Synopsis
Securing VMware: A Shifting Landscape
What’s Old Is New
Danger On The Horizon
Real Threat, But Few Real Answers
Enter The VMsafe
Fruits Of Their Labor
Who’s Responsible For Virtualization Security?
Road From Perdition
Appendix

Figure 1: Primary Server Virtualization Platform
Figure 2: VMware ESX Hosts in Production
Figure 3: Virtualized Servers Per VM Host
Figure 4: Perception of VM Security Risk
Figure 5: Addressing Security Concerns in Virtualized Environments
Figure 6: Approaches to Change Management/VM Provisioning
Figure 7: VM Security Tool Deployment Plans
Figure 8: Hyperjacking Concerns
Figure 9: Security Patch Management
Figure 10: VM-specific Security Tool Production
Figure 11: Planned Security Spending for Virtualized Environments
Figure 12: Involvement in Security Initiatives
Figure 13: Involvement in IT Operations
Figure 14: Job Title
Figure 15: Company Revenue
Figure 16: Industry
Figure 17: Company Size

Joe Hernick has covered virtualization, storage, operating systems, voice, and other topics for InformationWeek, Network Computing, and other publications for seven years. Joe sits on the editorial advisory board for Dark Reading and is a member of the CAIS Commission on Technology.
He has been involved in start-ups, training, consulting, and most recently was a technology services manager at a Fortune 100 insurance company, where his work involved OS rollouts for 63,000 desktops, Y2K readiness, call-center load balancing, automated pharmacies, new-site construction, old-site consolidation, and HIPAA compliance. Joe currently manages InformationWeek’s Virtualization Test Lab, running VMware, Citrix Xen, Virtual Iron, Microsoft, and Parallels hosts. He holds a BA in Economics, a Master’s in Information Management and is a PMI-certified Project Management Professional.

Executive Summary

Our survey on the state of VMware security revealed some startling facts: Just four in 10 consider hyperjacking a realistic threat, and nearly half take a laissez faire approach to virtual machine provisioning and management. Some even let business units deploy VMs with no oversight, perhaps because 20% assert that VMs are safer than physical servers.

The reality—and a concept that many IT and business managers fail to grasp—is that a virtual server is still a server. A production VM, and its host, must be held to the same level of rigor as a comparable physical production server, with identical change management policies for approval, deployment, patching, and other processes.

We’re not saying we’d turn back the virtualization tide, even if that were possible. The ability to abstract servers from the physical world to the virtual—P2V—and consolidate multiple legacy servers onto a smaller number of virtualization hosts is yielding significant financial and operational advantages, including a smaller attack surface and optimized performance. However, virtualization also creates management and security challenges not faced in legacy data center environments.

For now, there are few new security concepts required once you enter the virtualized world.
Traditional best practices are just as important, if not more important, than VM-specific security toolsets. Still, any hypervisor needs to have security baked in from the beginning, not tacked on as an afterthought. Armies of attackers are no doubt working feverishly for the bragging rights that will come with being among the first to hyperjack a high-value server.

So are industry-leading virtualization vendors doing enough to keep us safe? VMware currently dominates the enterprise-server virtualization market, though Microsoft is in hot pursuit. We’ll examine whether VMware’s VMsafe program—which provides APIs with hooks into the ESX hypervisor—will pay off for IT, and maybe even help keep Hyper-V at bay.

For this report, we interviewed security experts from VMware and VMsafe partner vendors and polled 423 business technology professionals to assess concerns over, and security strategies in place for, virtualized environments in real-world organizations. We talked to security professionals who support—and are critical of—the burgeoning virtualization-specific security market, and even had a chat with Simon Crosby, CTO of VMware competitor Citrix, regarding the state of virtualization security. What he had to say about VMware’s security initiatives may just surprise you.

Research Synopsis

Survey Name: InformationWeek Analytics VMware Security Survey
Survey Date: May 2008
Region: North America
Number of Respondents: 423
Purpose: To examine security concerns and practices for virtualized servers among business technology professionals.
Methodology: The InformationWeek Analytics VMware Security Study was fielded on the Web in May 2008. This report examines the responses of 423 business technology professionals. The sample for this project was taken from the subscriber base of InformationWeek.
The results of the survey were aggregated and analyzed by representatives of InformationWeek.

Securing VMware: A Shifting Landscape

Each security vendor we interviewed for this report is focusing on product development for VMware. And all of those vendors also have plans for Hyper-V and/or Xen product development. Making like Switzerland between VMware and Microsoft is a rational move—a reality backed up by our survey of 423 business technology professionals.

VMware is still the dominant player in server virtualization, with 56% of installations, most Infrastructure 3/ESX. But our poll reflects the growing influence of Microsoft: 24% of respondents listed either Hyper-V or Virtual Server 2005 as their primary server virtualization platforms. Citrix XenServer took third, with 7%.

This is a far cry from estimates of 70% to 80% VMware ownership of the server virtualization landscape. An outlier? Maybe. While VMware has the longest track record and the broadest slate of product offerings, other vendors are racing to catch up. We expected Hyper-V to make a mark, but we must admit to being surprised by these results.

Figure 1: Primary Server Virtualization Platform
Which virtual machine (VM) hosting/hypervisor system is your organization's primary server virtualization platform?
45% VMware Infrastructure 3/ESX
24% Microsoft (Virtual Server 2005 or Hyper-V)
7% Citrix XenServer
2% Parallels/SWSoft/Virtuozzo
2% Oracle VM
1% Novell SUSE/Xen
1% Solaris Containers / Sun xVM
1% Virtual Iron
11% Other VMware
2% Other
3% None
Data: InformationWeek Analytics VMware Security Survey of 423 business technology professionals

We want to be very clear on this point, because it informs our security recommendations: The virtualization market is still developing, with Hyper-V riding Windows Server 2008 into the data center this year, Citrix leveraging a large Presentation Server installed base, and myriad boutique hypervisor vendors targeting niche market segments. Before buying virtualization-specific security products, especially those that hook into a particular VM infrastructure, make sure you know where you’ll be in a year or two.

For now, scrupulously applying the security lessons we all learned the hard way in the physical world should keep your virtual systems safe while you plot a course—assuming you haven’t gone VM wild.

WHAT’S OLD IS NEW

In our poll, when we asked about VM-specific security plans, 39% said they don’t need specialized tools, opining that a VM is just another server.

Well, yes and no.

The problem is, the ease with which we can create and deploy virtual servers has gone to a few IT pros’ heads—provisioning a VM takes literally minutes. People who ought to know better are dispatching VMs into the wild at a pace that outstrips internal security review and audit procedures.

Figure 2: VMware ESX Hosts in Production
How many VMware ESX hosts are in production in your organization?
76% Fewer than 10
17% 11-50
3% 51-100
4% More than 100
Data: InformationWeek Analytics VMware Security Survey of 423 business technology professionals

Blame it on budget pressure, customer demand, weak management toolsets, lack of VM-specific policies, the animal attraction of sexy technology, good-old human foolishness, running out of data center space, or any combination of the above. The fact is, many organizations today are running ESX shops by the seat of their pants. And we don’t expect Hyper-V to help matters. But that’s another report.

An ESX host, at its