For businesses subscribing to public cloud computing strategies, one of the most consistent concerns has been how to ensure the safety of data hosted in virtual environments.
"If you're planning on moving applications running on physical servers in your data center to a public cloud environment, it's important to be aware of the fact that there will be additional risks," IT industry veteran Paul Rubens wrote for eSecurity Planet. "These stem from the fact that your servers in the cloud will be hosted on virtual machines (VMs) in a shared computing infrastructure. The risks tend to be downplayed by many cloud hosting companies, but they are very real nonetheless."
One of the risks is that the hypervisors, or VM managers, that run cloud servers are built by only a select few manufacturers. As a result, a cybercriminal who discovers an exploit in a single hypervisor blueprint could endanger literally thousands of hosts.
In functional terms, one potential threat is hyperjacking, or subverting the manufacturer's hypervisor to insert a rogue replica on the cloud server.
"Since hypervisors run at the most privileged ring level on a processor, this would be hard or even impossible for any operating system running on the hypervisor to detect," Rubens wrote. "In theory, a hacker with control of the hypervisor could control any virtual machine running on the physical server."
Other virtualization-specific attack vectors include:
- VM escape, in which cybercriminals break out of infiltrated VMs to directly interact with the host operating system
- VM hopping, which allows attackers to move from one virtual server to the next or even gain root access to physical hardware
- VM theft, or the ability to electronically steal a file hosted on a VM
There are several ways to monitor and defend these environments, Rubens said, including diverting VM traffic through an intrusion prevention system (IPS) or, more commonly, implementing IPSs and firewalls on each physical host.
Myth persists in public cloud
There are undoubtedly certain security risks that companies must account for when managing virtualization and cloud computing strategies, but Security Week columnist Chris Hinkley suggested that some damaging misconceptions distract attention from the real issues at hand. For instance, some companies still fail to acknowledge the level of isolation they can achieve within a public cloud environment.
"Albeit a common perception, public cloud hosting is not shared hosting," he wrote. "While organizations are using a common shared infrastructure, the data, networks and device policies can be completely segregated. It's possible to set up the public cloud environment in a way that forces all external and semi-external traffic to traverse the network. This means companies will be subject to the same security countermeasures and inspections regardless of the source of traffic."
Another myth he pointed to is that the cloud can never be as secure as a dedicated on-site server, though this misconception seems to finally be fading. Hinkley reminded readers that public cloud environments are built and managed by specialized hosting companies that are constantly looking out for emerging attack methods and ways to defend their systems. For many small and even mid-size companies, the reality is that competing priorities will always limit the time and resources available for these crucial tasks.
Virtualization Security News from SimplySecurity.com by Trend Micro