As enterprises adopt virtualization to reduce data center costs, improve business agility and ensure business continuity, they should take appropriate measures to address and control security risks that are intensified in virtualized environments. In particular, virtualization requires more diligent management of privileged accounts.

Operating systems include a native "superuser" account that gives a user or application unlimited privileges on a given server. On UNIX servers, this is the root account, and it is the administrator account on Windows. Anyone with superuser-level access can read, write and delete files, start and stop services, and even read and modify audit logs. In many data centers, this account is a security risk because its account password is often common knowledge among a team of server administrators.

Virtualization significantly amplifies this vulnerability, because it exposes a larger number of virtual machines–each of which may have different functions from both an application and business perspective–to a single policy violation.

These vulnerabilities are especially troubling in the light of regulatory mandates such as Sarbanes-Oxley, the Payment Card Industry data security standard and European Union privacy directives. These set the standards for IT organizations to diligently control access to sensitive or private data, and serious consequences often accompany any failure to do so. IT organizations should, therefore, carefully guard against the risks virtualization presents in terms of both data security and regulatory compliance.

Securing the virtualization architecture

With virtualization, operating systems and their respective superuser accounts exist on both the physical hosting layer and the virtual server layer. Each physical server has a single hosting layer–sometimes referred to as the hypervisor or privileged partition–which supports all of the dependent virtual servers. This physical server layer has an associated superuser account. Every virtual machine hosted on that physical server also has its own instance of the operating system and an associated superuser account.

For example, a physical server hosting five virtual servers would have six superuser accounts: one for the physical server and one for each of the five virtual servers. All five virtual server superuser accounts need to be governed appropriately. Anyone with superuser access to one of those virtual servers could not only wreak havoc on that individual virtual server, but also by consuming a disproportionate amount of physical processing power, memory or network bandwidth, the other four virtual servers could be affected as well.

The major security risk associated with virtualization, however, is the hypervisor layer. With superuser access at the hypervisor level, someone can directly and drastically impact all five virtual servers running on that one physical machine.

Virtual servers are often consolidated into a single file or set of files to make moving them from one physical server to another easier. Someone with superuser access at the hypervisor may have unregulated access to these files. They could potentially remove a virtual server's entire image file with a few keystrokes–which is roughly equivalent to breaking into the server room and walking away with an entire physical machine, including all of its data. Therefore, organizations should take appropriate measures to prevent misuse of superuser privileges.

Mitigating risk

To lessen the risk to the virtual servers, IT organizations can enforce appropriate access and provide accountability through auditing.

Appropriate access can be maintained by following the principle of least privilege, which states that users are only granted the ability to perform those actions required by their job function. Multiple users may require access to various server resources, but rarely does a single user require unlimited privileges for all of a server's resources. Risk is thus mitigated by granularly segregating the duties assigned to each user–whether or not those duties require superuser access.

For example, the administrator of a sales application running on a virtual server may need hypervisor access to back up configuration files for that application. Such a user can be granted the right to copy the files for this particular virtual server, without being given the right to modify configuration files for any of the other four virtual servers running on that same physical machine.

With appropriate privilege controls in place, IT organizations can also ensure user accountability through detailed auditing. A review of audit logs will reveal all activities that have taken place on physical and virtual servers. These logs reveal all actions, including those performed from the superuser account.

There may be multiple users sharing a superuser account, so there should be a way of determining responsibility in the event a security breach or policy violation occurs. Simply auditing actions by account is not enough. IT organizations should be able to attribute actions to the specific users who perform them. In addition, audit services should be tamperproof, so users cannot suspend or modify the logs.

Governing host access

In a virtualized environment, with increased risk at the hypervisor layer, an additional layer of protection is needed to address the vulnerabilities that the superuser account introduces. Many organizations are addressing this through host access-management solutions, which allow for the creation of specific, detailed security policies that govern the interaction each user can have with each physical and virtual server.

These solutions support segregation of duties by enabling IT managers to define server management roles, create appropriate access policies for these roles and then assign specific users to these roles. These solutions also audit all management actions tracing them back to the original user ID. So, even in situations where a user or process needs to have superuser access, the audit record accurately identifies who did what.

An effective host access-management solution should interoperate with both the operating system and the virtualization platform of choice. In addition, security policies need to be created, deployed and modified across both virtual and physical platforms in a unified manner. With the proper controls, virtualization can deliver its promised benefits, while allowing IT to operate securely within the bounds of regulatory constraints.

Michael Liou is senior product marketing manager for identity and access management at CA, Islandia, N.Y.

For more information (click here)