Article 1 of this series discusses some of the new and powerful hypervisor-based vectors for infection that arrive when an IT organization makes the move to virtualization. That article discusses how the hypervisor easily becomes a quiet risk to the unprepared organization. But the hypervisor itself is only one facet of the story. Along with its benefits, the move to virtualization brings about added risks associated with your virtual machines themselves.
Physical servers traditionally operate in the Powered On state for essentially their entire operational life cycle. Once built, a physical server is rarely rebooted and almost never down for an extended period, because the services it hosts must always be available. By contrast, while virtual machines can be considered functionally equivalent to traditional physical machines, their easy-to-create nature and single-file composition make them much more likely to exist in states other than On and Operational. For example:
Figure 1 shows a graphical representation of these differences in states between the two machine types.
Figure 1: Virtual machines and physical machines tend to spend their time in much different states.
The most problematic of these states is that of a virtual machine that, for one reason or another, remains powered down for an extended period. While powered down, a virtual machine is little more than a file on a disk. The accumulation of these files across the IT environment can grow into a critical issue for organizations that lack the capability to inventory their state and keep them patched.
With virtualization, most IT organizations are aware of the ease of creating new virtual machines. Virtualization's "copy and paste" process for accomplishing this task speeds the process of bringing on new services to meet the demands of business. But at the same time, it introduces a set of risks to the computing environment.
First is the problem of virtual machine spread. When the creation process grows absurdly simple, IT organizations can quickly find themselves awash in dozens or hundreds of new virtual machine instances to manage. Dealing with the management and licensing issues of a quickly growing server count can be a major hurdle for the unprepared organization.
This first problem of spread is obvious but merely administrative. There is a more critical yet often overlooked security-related issue associated with virtual machine inventory growth: virtual machine dormancy. When virtual machines can be created quickly, it becomes more likely that some will be created for short-term uses and later discarded. While powered off, these virtual machines exist as benign files in a data storage location, but they can become a vector for compromise when powered on again.
The ever-changing nature of security threat prevention requires that functioning computers operate with a specific and up-to-date configuration to protect them against malicious threats in the environment. Consider the situation shown in graphical form in Figure 2. There it is easy to see how a virtual machine can be created and used, then powered off and forgotten, only to be later powered on without the proper security configurations needed to protect itself from compromise.
As this example shows, protections were implemented for every operational computer in the environment. But those protections were missed on the machine that was powered off during the update. The dormant virtual machine—powered off and missing the update—when later powered on, becomes a risk for compromise.
Figure 2: In the timeline of virtual machine dormancy, forgotten virtual machines are likely to be powered down during the period when critical security configurations are updated. This results in the virtual machine being unprepared for an exploit should it later be powered on.
When thinking about this issue of virtual machine dormancy, consider the answers to five questions that probe how your environment handles security and configuration updates in support of security:
In answering these questions, IT environments that make use of virtualization must incorporate tools that assess the risk of dormant virtual machines. That assessment requires two separate but linked phases. First, the location of dormant virtual machines—those that exist only as files on a disk—must be identified and inventoried prior to being powered on. By identifying dormant virtual machines while they remain benign, it is possible to move to the second phase.
In the second phase, virtual machines must be protected from the point they are powered on until they are considered healthy. This protection keeps external attacks from affecting the unprotected machine until the proper protections can be put in place. In accomplishing this mission, both agentless and agent-based tools can be used. Agentless management platforms provide a mechanism to scan entire network environments irrespective of location, integrating with common management frameworks at the OS level as well as the virtual platform level to interrogate network endpoints for specific information. When otherwise unmanaged network endpoints become active, agentless mechanisms are the only way to identify them quickly, since no agent is present on the endpoint to report in.
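The two phases described above, and the Figure 2 timeline that motivates them, can be expressed as a small inventory check. The following Python script is an added illustration, not code from the original article or from any product it describes. It assumes a datastore directory containing VM configuration and disk files (the extensions listed in the script), that the hypervisor can report which VM names are currently powered on, and that a file's last-modified time is an acceptable proxy for the last time the VM ran; all function names (scan_datastore, missed_baseline, power_on_decision, demo) and the sample VMs are constructed for the example.

```python
"""Dormant virtual machine inventory and power-on gate (illustrative example)."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

# File extensions of VM configuration files and disk images.
# While powered off, a virtual machine is nothing more than these files.
VM_FILE_SUFFIXES = {".vmx", ".vmcx", ".vmdk", ".vhdx", ".qcow2"}


@dataclass
class VmRecord:
    name: str                # taken from the file stem (assumption for this example)
    path: Path
    last_modified: datetime  # last write to the file; proxy for the last time the VM ran
    powered_on: bool


def scan_datastore(root: Path, running: set[str]) -> list[VmRecord]:
    """Phase one: inventory every VM file under `root`, powered on or not.
    `running` is the set of VM names the hypervisor reports as powered on."""
    records = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in VM_FILE_SUFFIXES:
            continue  # not a virtual machine artifact
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        records.append(VmRecord(path.stem, path, mtime, path.stem in running))
    return records


def missed_baseline(rec: VmRecord, baseline_time: datetime) -> bool:
    """Figure 2 logic: a VM that has been powered off since before the
    security baseline was last updated never received that update."""
    return (not rec.powered_on) and rec.last_modified < baseline_time


def power_on_decision(last_patched: datetime, baseline_time: datetime) -> str:
    """Phase two gate: allow normal network access only when the guest's
    recorded patch state is at least as recent as the current baseline;
    otherwise hold it in quarantine until the update is applied."""
    return "allow" if last_patched >= baseline_time else "quarantine"


def demo() -> dict:
    """Build a constructed datastore in a temporary directory and run both phases."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    baseline_time = now - timedelta(days=10)  # when the baseline was last pushed
    # Constructed sample files: name -> (suffix, days since last write).
    fixtures = {
        "web01": (".vmx", 0),       # powered on, receives updates normally
        "db01": (".vmdk", 3),       # powered off after the baseline update; already current
        "test-old": (".vhdx", 45),  # powered off before the baseline update; missed it
        "notes": (".txt", 45),      # not a VM file, must be ignored
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, (suffix, age_days) in fixtures.items():
            p = root / f"{name}{suffix}"
            p.write_bytes(b"constructed sample")
            ts = (now - timedelta(days=age_days)).timestamp()
            os.utime(p, (ts, ts))  # backdate the file to simulate dormancy
        records = scan_datastore(root, running={"web01"})
        flagged = sorted(r.name for r in records if missed_baseline(r, baseline_time))
    return {
        "inventory": sorted(r.name for r in records),
        "dormant": sorted(r.name for r in records if not r.powered_on),
        "missed_baseline": flagged,
        "gate_stale": power_on_decision(now - timedelta(days=45), baseline_time),
        "gate_current": power_on_decision(now, baseline_time),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the check is the comparison in missed_baseline: a powered-off VM is only a risk if its last activity predates the most recent security update, so the inventory from phase one can be prioritized instead of treated as a flat list. In a real deployment the "last run" time would come from the hypervisor's own records rather than file timestamps, and the gate in power_on_decision would drive a network quarantine policy rather than return a string.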
Part of that risk identification process should include the mapping of environment elements—virtual machines being only one example—to their relevance to the business. Best-in-class tools provide the ability to map network elements such as virtual machine composition to business applications. This gives the IT organization an easy way to identify potential threats and prioritize them based on risk, impact, and business priority.
Agent-based tools enable richer management of predetermined IT assets. With agents installed on virtual machines at the time they are built, the agents can detect on their own when the machine has been powered on. They can then provide protection from within the virtual machine while applying the configuration updates that the management servers identify as missing.
The entirely new operational states associated with virtual machines create the need for new tools. These tools ensure that machines are properly configured even after extended periods of being powered off. Only by using the right set of tools, ones that monitor for dormant machines, can IT environments truly protect themselves against the accidental exposure that can occur simply by powering on a forgotten or expired virtual machine.