Risks Of Virtualization In Public And Private Clouds

Risks Of Virtualization

Server virtualization is one of the cornerstone technologies of the cloud. The ability to create multiple virtual servers that can run any operating system on a single physical server has a lot of advantages.

These advantages can appear in public, Infrastructure as a Service (IaaS), as well as in private clouds.

However, it also brings some risks.

Virtualization reduces the number of physical servers required for a given workload, which brings cost benefits. It also allows for more flexible sizing of computer resources such as CPU and memory. This in turn tends to speed up development projects, even without automatic provisioning. Virtualization can even increase the security of IT because it is easier to set up the right network access controls between machines.

So in order to get real benefits, steer clear of the risks. A pretty extensive overview of these risks was written by the US National Institute of Standards and Technology (NIST). You can find it at Special Publication 800-125. This article is partly based on that.

Let us first get some of the important concepts straight. The host is the machine on which the hypervisor runs. The hypervisor is the piece of software that does the actual virtualization. The guests then, are the virtual machines on top of the hypervisor, each of which runs its own operating system.

The Hypervisors are controlled through what is called the ‘management plane’, which is a web console or similar that can remotely manage the hypervisors. This is a good deal more convenient than walking up to the individual servers. It is also a lot more convenient for remote hackers. So it is good practice to control access to the management plane. That might involve using two-factor authentication (such as smart cards), and only giving individual administrators the access that is needed for their task.

An often mentioned risk of virtualization is the so-called ‘guest escape’, where one virtual machine would access or break into its neighbor on the same virtual machine. This could happen through a buggy hypervisor or insecure network connections on the host machine. The hypervisor is a piece of software like any other software. In fact, it is often based on a scaled-down version of Linux, and any Linux vulnerability could affect the hypervisor. However, if you control the hypervisor, you control not just one system, you can control the entire cloud system. So it is of the highest importance that you are absolutely certain that you run the right version of the hypervisor. You should be very sure of where it came from (its provenance), and you should be able to patch or update it immediately.

Network Design

Related to this is the need for good network design. The network should allow real isolation of any guest, so that they will not be able to see any traffic from other guests, nor traffic to the host.

virtualization-design

An intrinsic risk of server virtualization is so called ‘resource abuse’, where one guest (or tenant) is overusing the physical resources, thereby starving the other guests of the resources required to run their workloads. This is also called the ‘noisy neighbor’ problem. To address it can require a number of things. The hypervisor might be able to limit the over usage of a guest, but in the end, somebody should be thinking about how to avoid putting too many guests on a single host. That is a tough balance to strike: too few guests means you are not saving enough money, too many guests mean you risk performance issues.

In the real world, there are typically a lot of virtual servers that are identical. They run from the same ‘image’, and each virtual server is then called an Instance of that image, or instance for short.

Then, with virtual servers it becomes easy to clone, snapshot, replicate, start and stop images. This has advantages, but also creates new risks. It can lead to an enormous sprawl or proliferation of server images that need to be stored somewhere. This can become hard to manage and represents a security risk. For example, how do you know that when a dormant image is restarted after a long time, that it is still up to date and patched? I heard a firsthand story of an image that got rootkitted by a hacker.

So the least you should do; is do your anti-malware, virus and version checking also on images that are not in use. Even when you work with a public IaaS provider, you are still responsible for patching the guest images.

In summary, server virtualization brings new power to IT professionals. But as the saying goes, with great power comes great responsibility.

By Peter HJ van Eijk

Business Virtual

Open Virtual Exchange (OVX) – Helping DSPs Fast Track the Monetization of SDWAN

Open Virtual Exchange (OVX) Bring agility and speed to market with intelligent network automation Digital Service Providers (DSPs) do have high expectations from virtual network services such as Software-Defined WAN (SD-WAN), as it promises to ...
Virtana

Episode 8: Managing Cloud Strategy During the Chaos of 2020, Plus an Outlook for 2021

An Interview with Kash Shaikh, CEO of Virtana Companies are wrestling with the idea of moving to the cloud, staying on-prem or finding a hybrid solution. Kash Shaikh, the new CEO of Virtana, looks at ...
Martin Mendelsohn

How Will COVID-19 Impact Security Talent?

New Security Talent As we emerge from the era of COVID-19, unemployment will recede, and new jobs will be created more rapidly than jobs were lost between March and May of this year. We’re already ...
Gary Taylor

6 Organizational Challenges for Cloud Services

Cloud Service Challenges Organizations have rapidly come to the realization that digital cloud services make a compelling business case for helping them navigate this difficult pandemic year. The market for cloud services is expected to ...
Ronald van Loon

The Future of Work: Confronting One of the Biggest Challenges of the Next Decade

The Future of Work Technologies like artificial intelligence (AI), machine learning (ML), and automation in all of its forms can augment human workers and enable them to pivot to more valuable work, and perform their ...

PROXY SERVICES

The CloudTweaks technology lists will include updated resources to leading services from around the globe. Examples include leading IT Monitoring Services, Bootcamps, VPNs, CDNs, Reseller Programs and much more...

  • Smartproxy

    Smartproxy

    Smartproxy is a rising star in the constantly growing proxy market. Smartproxy offers awarded customer service, impressive performance, and is serious about your anonymity (yes, cybersecurity matters). The latest features developed by Smartproxy are 30 minute long sticky sessions and Google Proxies. Rumor has it, the latter guarantee 100% success rate

  • Bright Data

    Bright Data

    Bright Data’s network is one of the most robust of its kind globally. Here are its stark advantages: Extremely stable connection for long sessions (99.99% uptime guaranteed). Free to integrate with our Proxy Manager which allows you to define custom rules for optimized results. Send unlimited concurrent requests increasing speed, cost-effectiveness, and overall efficiency.

  • Rsocks

    Rsocks

    RSocks team offers a huge amount of residential plans which were developed for plenty of tasks and, most importantly, has been proved to be quite efficient. Such variety has been created on purpose to let everyone choose a plan for a reasonable price, online, rotation and other parameters.

  • Storm Proxies

    Storm Proxies

    Storm Proxies' network is optimized for high performance and fast multi-threaded tools. You get unlimited bandwidth. No hidden costs, no limits on bandwidth. Try Storm Proxies 100% Risk Free. If you are not happy with the service email us within 24 hours of purchase and we will refund you.