In cloud computing, there are three basic service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). In addition, there are three basic deployment models: public, community and private. Virtualization is often used in all of these cloud computing models and deployments for its many benefits, including cost-efficiency, increased uptime, improved disaster recovery and application isolation.
When dealing with virtualization in cloud deployment, it doesn’t matter who is managing security, the provider or the enterprise customer, because the same security concerns will need to be addressed. As discussed in greater detail in a previous article about Cloud Forensics, when choosing a service and deployment model, be aware that SaaS provides the least control over the environment, while IaaS provides the most control. Similarly, in the public cloud, it is necessary to abide by the rules of the cloud service provider (CSP), while in the private cloud there is total control over the environment. The same goes for security, where a user can control a small percentage of the cloud deployment while the rest is controlled by the CSP. Where the user has no access to certain parts of the deployment model, the CSP will need to implement proper security measures.
Security concerns when using virtualization in cloud computing
Despite the advantages that virtualization brings, it also introduces a number of security concerns:
- The hypervisor: A program that runs multiple virtual machines on the same physical machine. If a vulnerability exists within a hypervisor, an attacker could exploit it to gain entry to the whole host, from which he or she would have access to every guest virtual machine running on the host machine. Since a hypervisor is rarely updated, an existing vulnerability could jeopardize the security of the whole system. If a weakness is discovered, it is critical to patch it as soon as possible to prevent a potential compromise. In 2006, two rootkits, called Blue Pill, were developed to demonstrate that they could be used to take control of a virtual host.
- Resource allocation: Data leaks are a risk when physical memory or data storage is used by one virtual machine and reallocated to another. Leaks occur when a VM that is no longer needed is deleted and the freed resources are allocated to another VM. When the new VM receives additional resources, it can use forensic investigation techniques to get an image of the whole physical memory, as well as data storage. The image can later be used for analysis, which can reveal important information left over from the previous VM.
- Virtual machine attacks: If an attacker successfully compromises one VM, he or she could attack others on the same host on the network over long periods of time. This is an increasingly popular method for cross-virtual-machine attacks, since traffic between VMs cannot be inspected by standard IDS/IPS software programs.
- Migration attacks: When necessary, migrating a VM can be easily done in most virtualization interfaces. The VM is sent over the network to
See Infosec Institute's article on Virtualization and Cloud Computing.
Mitigating security concerns
The items below describe how to mitigate the security concerns outlined above:
- The hypervisor: It's important to regularly check whether new updates for the hypervisor are available, and to update the system accordingly. Keeping the hypervisor current prevents an attacker from exploiting a known vulnerability and taking control of the host system, including all VMs running on it.
- Resource allocation: When reallocating resources from one VM to another, they both must be properly secured. The old data present in physical memory, as well as on the data storage, needs to be nullified by overwriting it with zeros. This prevents the VM from pulling the data out of memory or data storage and gaining access to important information still contained there.
- Virtual machine attacks: It's necessary to differentiate the traffic coming into and going out of a VM on the same physical host. This will enable us to apply intrusion detection and prevention algorithms to catch a threat from an attacker as quickly as possible. This is done with port mirroring, which copies the data flowing through one port on a switch to another port on the switch, where the IDS/IPS is listening and analyzing the information.
- Migration attacks: To protect against migration attacks, the network must be properly secured against the threat of MITM infiltration. This way, even if the attacker is able to compromise one VM, he or she won't be able to execute the MITM attack successfully. Additionally, it may be useful to send the data over a secure channel like TLS. Though some say it's always better to destroy and recreate a VM image when a migration is necessary, virtual machines can be migrated when done with care over a secure channel and in a network where MITM isn't possible.
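The zeroing step from the resource allocation item above, as an added example that is not part of the original article: a Python routine that overwrites a released backing file with zeros, then scans it for surviving non-zero runs and refuses reuse if any remain. The function names, the 1 MiB chunk size and the sample file contents are assumptions constructed for illustration.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read/write granularity (1 MiB), an arbitrary choice

def scrub(path):
    """Overwrite every byte of the backing file with zeros and flush to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            f.write(bytes(min(CHUNK, size - off)))
        f.flush()
        os.fsync(f.fileno())
    return size

def find_residue(path, limit=10):
    """Return up to `limit` (offset, length) runs of non-zero bytes."""
    runs, start, offset = [], None, 0
    with open(path, "rb") as f:
        while len(runs) < limit and (chunk := f.read(CHUNK)):
            # Skip the byte loop for all-zero chunks unless a run is still open.
            if start is not None or chunk.count(0) != len(chunk):
                for i, b in enumerate(chunk):
                    if b and start is None:
                        start = offset + i
                    elif not b and start is not None:
                        runs.append((start, offset + i - start))
                        start = None
            offset += len(chunk)
    if start is not None:
        runs.append((start, offset - start))
    return runs[:limit]

def reclaim(path):
    """Gate for reallocation: scrub, then refuse reuse if anything survived."""
    scrub(path)
    if (residue := find_residue(path)):
        raise RuntimeError(f"residue after scrub: {residue}")
    return True

def make_sample_volume(size=4 * CHUNK + 123):
    """Constructed sample 'disk' holding data left by a previous VM."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(size))
        f.seek(CHUNK - 4)
        f.write(b"db_password=hunter2")  # constructed; straddles a chunk boundary
        f.seek(3 * CHUNK + 50)
        f.write(b"PRIVATE KEY")  # constructed marker, not real key material
    return path
```

On copy-on-write, thin-provisioned or flash-backed storage, an in-place overwrite may land on new physical blocks, so the same scrub-then-verify check has to be made at the layer that actually reallocates the space.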
There are various attacks that can be launched against virtualized cloud environments, but they can be eliminated if the proper security controls and procedures are in place when implementing and managing the cloud deployment.
Before trying to secure cloud environments, it's important to understand how these malicious attacks are executed. This will help ensure the enterprise's defenses are well suited to the threats the environment is most likely to encounter. After securing the environment, check whether the security measures have been properly implemented by trying to execute attacks. This can be done in-house or by hiring a penetration-testing company. It's always better to invest a little money into a more secure system and be safe, than to be sorry in the future.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance as well as security related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages and constantly writes security-related articles for his own website at www.proteansec.com.