Many of the virtualization security people I have talked to are waiting patiently for the next drop of leaked VMware hypervisor source code. But the real question in many a mind is whether or not this changes the threat landscape and raises the risk to an unacceptable level. So let’s look at the current hypervisor threat landscape within the virtual environment to determine whether this is the case, and where such source code will have an impact. Are there any steps one can take now, before the code drop is complete, to better secure your environment?
Articles Tagged with SMT
The Virtualization Security Podcast held on 9/22 featured Anil Karmel, Solutions Architect at Los Alamos National Laboratory (LANL), discussing their implementation of a secure multi-tenant cloud. LANL makes extensive use of the entire VMware product suite, from vCloud Director down to the vShield components, to implement their SMT cloud. They have also added their own intellectual property into their cloud to improve overall cloud security. It was a very interesting conversation about the state of SMT today.
I just finished reading yet another Multi-Tenancy Design/Overview that claims to be secure or trusted. While I will agree that this particular design does cover Availability and some GRC (Governance, Regulatory, and Compliance), it is severely lacking in Integrity and Confidentiality. The design even went as far as saying the cloud/virtual administrator requires “COMPLETE VISIBILITY.” I was really taken aback by those words. Why does an administrator need ‘COMPLETE VISIBILITY?’ Which leads me to the question: are Integrity and Confidentiality possible within any cloud or virtual environment? Or are they purely based on TRUST?
If they are, this is an appalling state of virtual and cloud environment security.
Encryption is important, and encryption within a VM is even more important. But the question is how to do this securely without allowing the encryption keys to be seen by an administrator of the virtual environment, while still supporting vMotion or LiveMigration. The solution is per-VM encrypted memory, but one that makes use of hardware, an out-of-band key exchange, and supports vMotion or LiveMigration. This may be a tall order, but I believe it is necessary to fully realize Secure Multi-Tenancy.
Secure Multi-Tenancy (SMT) is all about protecting the data from all who do not have authorization to manipulate or view such data. Current SMT thinking is in the direction of Integrity and Confidentiality, as Availability is well understood. To do this, I have suggested that we need better encryption or digital signatures available to the VM, and generally this implies hardware-backed encryption via some device like a TPM/TXT/HSM, etc. The reason for this is:
Can we use some of this Risky Social Behaviors post to aid us in finding an adequate definition for Secure Multi-Tenancy? Perhaps more to the point, it can define how we look at multi-tenancy today. On a recent VMware Communities podcast we were told two things that seem contradictory to current security thinking. The first is that going to the cloud reduces your risk, and the second is that the definition of the cloud must include multi-tenancy.
Risk is measured differently by different groups of people; what is a risk from a business perspective is a different risk from a security perspective. I would agree that from a business and ROI perspective, the cloud looks very attractive. But the statement that you ‘reduce risk by going to the cloud’, without qualifiers such as business risk or security risk, delivers an incomplete message.
Business risk is related to security risk. If your business depends on the security of your data, then using the cloud could be a very risky venture at the moment.
The panel of the Virtualization Security Podcast on 5/27/2010 was joined by an attorney specializing in the Internet space. David Snead spoke at InfoSec and made it clear that there was more to secure multi-tenancy (SMT) than one would imagine. The first question was “how would you define tenant?”, which I believe is core to the discussion of SMT, as without definitions we have no method of communicating. Before we get to David’s response, we should realize that nearly everyone has their own definition of Tenant for a multi-tenant solution.