Given the massive popularity of virtualization/VMMs/hypervisors in enterprise datacenters, this article by Gartner’s Neil MacDonald struck a chord with me. Like Neil, I have always been wary of the relative security of hypervisors and their ability to remain truly secure/hardened:
A breach of the virtualization platform which results in an escape to the hypervisor represents a worst-case security scenario. I’ll reiterate what I’ve been saying for more than 4 years:
- The virtualization platform (hypervisor/VMM) is software written by human beings and will contain vulnerabilities. Microsoft, VMware, Citrix … all of them will and have had vulnerabilities.
- Some of these vulnerabilities will result in a breakdown in isolation that the virtualization platform was supposed to enforce. This is not good.
- Bad guys will target this layer with attacks. The benefits of a compromise of this layer are simply too great.
- While there have been a few disclosed attacks, it is just a matter of time before a widespread publicly disclosed enterprise breach is tied back to a hypervisor vulnerability.
What do you do? I’ve written about this extensively for clients. First and foremost, extend your vulnerability and configuration management processes to this layer just as you would for any sensitive OS. In fact, I’d argue that the virtualization platform is the most sensitive x86-based OS in your data center.
Does your organization use hypervisors? MacDonald’s article, including the links it references, is more than worth your time. In a word: scary stuff. If hypervisors aren’t covered by your configuration management and vulnerability management practices, it’s time you put them there.
(Via @Beaker on Twitter)
###
MIPRO Consulting is a nationally-recognized consulting firm specializing in PeopleSoft Enterprise (particularly Enterprise Asset Management) and Business Intelligence. You’re reading MIPRO Unfiltered, its blog. If you’d like to contact MIPRO, email is a great place to start, or you can easily jump over to its main website. If you’d like to see what MIPRO offers via Twitter or Facebook, we’d love to have you.