‘Virtualization increases risk of data loss?’ Let it be very clear that this is not my opinion but a quote from an article published today by the ‘Automatiserings Gids’ (NL), which quotes James Lyne, security specialist at Sophos. Lyne made his statements during this podcast.

Normally I don’t respond to articles like this but this one is too ridiculous not to.

First of all, James Lyne, working for a security/antivirus manufacturer, is making these claims? Not very trustworthy. Do they have a new product to promote? The situation is identical to what Anne Jan wrote about on March 24th, ‘IT personnel lack communication skills’.

Second of all, the claims made in the article do not show a very good understanding of reality.

I will try to translate and quote as precisely and realistically as possible.

‘There is a bit of an unrecognized risk with the shift to virtualization that is compromising the security model that was traditionally in place. When you had a physical server, it was locked down in the data center and you controlled access to that resource using the operating system. You define access control lists that said that HR had access to this resource here or sales had access to these portions of data. With that physical system those access controls were very much a gate to getting access to the data because the only way you could access it was over the network. With a virtual system we’re taking that physical hard drive and you’re putting it in a convenient file and that file, as it is the normal design of virtualization infrastructure, is placed on a SAN or some kind of shared storage, where people go to access data. And people are now not thinking about how they define controls over access to that file system. They’re not thinking about the fact that anyone who has access to the virtualization infrastructure now has raw access to the files that contain their most sensitive data.’

Sure. My SAN is like a big file server and every user in the company has access to my ‘shared storage’? Ever heard of Fibre Channel SANs, VLANs or separate storage networks, access controls on LUNs based on passwords, IP addresses or WWNs? OK, a virtual infrastructure administrator can access the raw data and maybe copy it and take it home or sell it. Then what? How is this different from the physical environment? Don’t you think that if the administrator has access to the SAN, he probably also has access to the directory service which holds the encryption keys and passwords? If your own personnel steal data, you have a completely different problem, which you should handle in the recruitment process/at the front door.

Also, 95 out of 100 times the virtual infrastructure is housed in a datacenter because of the supporting resources the infrastructure needs, like power, cooling and rack space, and physical access is limited to administrators only. It’s not as if storage is shared publicly by a server which is freely accessible.

I think your scenario is pretty far-fetched, but then again, you probably have a nice product which solves this.

‘We are all running around worrying about these laptops that we leave on trains and yet in the infrastructure, this large shared infrastructure that has a fairly difficult to define access model, we’re leaving the data completely unencrypted’

Difficult to define access model? How come? True, you now have a virtual infrastructure and a SAN for which you need to define a security model but most virtualization vendors have added directory services integration to their product so access can be regulated centrally. And what’s the difference with a physical environment where you use shared storage? Why does virtualization increase the need for data encryption? Because virtualization is hot and you want a piece of the action?
Let’s look at it from the other side. Encryption comes with quite a performance penalty. Why should I care about encryption when my virtual infrastructure is in my datacenter and access to the data is only possible through one of the virtual servers?

‘What we’ve done is, we’ve taken physical servers and we’ve moved them to a virtual model without necessarily considering how we degraded segmentation, how the security model has changed, who has access to the data. And actually, when you start to think about that, where that data is located, it becomes quite an obvious practice (encrypting data). But right now with virtualization, noting it is not just about consolidation, it’s quite common for an organization to have this set of images serving their CRM system, that contains all of their customer data, and to port it around the globe, geographically, to provide high availability, to put it onto back-up tapes. Basically we’re finding these full systems, unintentionally, put into other business processes that don’t consider the sensitivity of information they contain.’

Again, most of the time virtual infrastructures are housed in a data center and if data is replicated to an alternate location this is a secure location also. Back-up tapes are stored in an off site vault and SANs are placed in a datacenter most of the time. And if you’re that clever that you can intercept ‘unencrypted’ replicated data, this is done on a block basis. So you would have to know exactly which block has changed and 100% of the data must have been changed to replicate and reconstruct the original data.

‘It’s not just about encryption, it’s simple things like reviewing who has access to that part of the SAN where this data is contained because all of these access permissions you’re defining within the VM are irrelevant if you have access to that low level file. So doing those security audits, just thinking about the segmentation that you had with a physical system and you no longer have is a must practice.’

In my modest opinion, the last sentence contains the first useful statement James made during the podcast. Security, and therefore access, is a crucial part of the infrastructure and plays an important part in infrastructure uptime.

My conclusion: 5-10 minutes of podcast and 1 or 2 meaningful statements. OK, security is important and encryption can sometimes solve security issues, but virtualization has nothing to do with this. It’s just too bad that I have to explain this nonsense to my customers because it was in the press.

If you’re really concerned about security in virtualized environments you really should listen to the Virtualization Security Roundtable podcasts on Talkshoe. Real-life situations, network security, VMsafe Virtual Firewalls and so on.