Virtualization
Stop the superuser threat
Privileged accounts in virtualized
environments should be properly managed to
address security and compliance issues.
by Michael Liou
As enterprises adopt virtualization to
reduce data center costs, improve business
agility and ensure business continuity, they
should take appropriate measures to address
and control security risks that are
intensified in virtualized environments. In
particular, virtualization requires more
diligent management of privileged accounts.
Operating systems include a native "superuser" account that gives a user or application unlimited privileges on a given server: root on UNIX and Linux, and the built-in Administrator account on Windows. Anyone with superuser-level access can read, write and delete files, start and stop services, and even read and modify audit logs. In many data centers this account is a standing security risk because its password is common knowledge among a team of server administrators, so nothing done with it can be traced to a particular person.
Virtualization significantly amplifies this risk, because a single policy violation now exposes a larger number of virtual machines, each of which may serve a different application and a different part of the business.
These weaknesses are especially troubling in light of regulatory mandates such as Sarbanes-Oxley, the Payment Card Industry Data Security Standard (PCI DSS) and the European Union's data protection directives. These require IT organizations to control access to sensitive or private data diligently, and serious consequences often accompany any failure to do so. IT organizations should therefore guard carefully against the risks virtualization presents, in terms of both data security and regulatory compliance.
Securing the virtualization architecture
With virtualization, operating systems and their respective superuser accounts exist at two layers: the physical host and the virtual servers it runs. Each physical server has a single hosting layer, the hypervisor together with its privileged management partition (the "dom0" or parent partition on some platforms, the service console on others), which controls all of the dependent virtual servers. This hosting layer has its own superuser account. Every virtual machine hosted on that physical server also runs its own instance of an operating system with its own superuser account.
For example, a physical server hosting five virtual servers has six superuser accounts: one for the hosting layer and one for each of the five virtual servers. All five virtual server superuser accounts need to be governed appropriately. Anyone with superuser access to one of those virtual servers could not only wreak havoc on that server but, by consuming a disproportionate share of the physical processing power, memory or network bandwidth, degrade the other four as well, unless the hypervisor enforces per-guest resource limits.
The major security risk associated with virtualization, however, is the hypervisor layer. With superuser access at the hypervisor level, someone can directly and drastically affect all five virtual servers running on that one physical machine.
A virtual server is typically stored as a single file or small set of files (its virtual disk images and configuration), which is what makes moving it from one physical server to another easy. Someone with superuser access at the hypervisor usually has unregulated access to these files. They could copy or delete a virtual server's entire disk image with a few keystrokes. Copying it is roughly equivalent to breaking into the server room and walking away with an entire physical machine, including all of its data, and because the copy is just a file, the guest's own file permissions and account passwords do nothing to protect its contents unless the guest's disks are encrypted. Therefore, organizations should take appropriate measures to prevent misuse of superuser privileges.
Mitigating risk
To lessen the risk to the virtual servers, IT organizations can enforce appropriate access and provide accountability through auditing.
Appropriate access can be maintained by following the principle of least privilege, which states that users are granted only the ability to perform those actions required by their job function. Multiple users may require access to various server resources, but rarely does a single user require unlimited privileges over all of a server's resources. Risk is thus mitigated by segregating the duties assigned to each user at a fine-grained level, whether or not those duties require superuser access.
For example, the administrator of a sales application running on a virtual server may need access at the hypervisor layer to back up configuration files for that application. Such a user can be granted the right to copy files for this particular virtual server only, without being given the right to read or modify files for any of the other four virtual servers running on that same physical machine.
With appropriate privilege controls in place, IT organizations can also ensure user accountability through detailed auditing. Audit logs should record every management action taken on physical and virtual servers, including those performed from the superuser account, so that a review of the logs shows what was done and when.
There may be multiple users sharing a superuser account, so there must be a way of determining responsibility in the event a security breach or policy violation occurs. Simply auditing actions by account is not enough. IT organizations should be able to attribute each action to the specific person who performed it, which means recording the original login identity alongside the effective account. In addition, the audit trail should be tamper-resistant, so users cannot suspend, modify or delete the logs. A superuser on a host can always alter logs stored only on that host, so records should be forwarded promptly to a collector that the administrators being audited cannot write to.
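As an added example (not code from the article or from any vendor product), the following Python sketch shows the two auditing properties just described: each record names the login user as well as the effective account the action ran under, and records are HMAC-chained so that editing, deleting or reordering an entry is detected on verification. The host names, user names, commands and the key are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # digest the first entry chains to


class AuditLog:
    """Append-only audit trail whose entries are HMAC-chained.

    Assumption (not from the article): the key is held by the central log
    collector, not by the hosts, so a host superuser who can edit the local
    copy of the log cannot re-seal the chain after changing it.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def _seal(self, body: Dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def record(self, login_user: str, effective_user: str, host: str,
               action: str, ts: int) -> Dict:
        """Attribute one privileged action to the person who logged in,
        even when it ran under a shared account such as root."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts,
            "login_user": login_user,          # who is accountable
            "effective_user": effective_user,  # account the action ran as
            "host": host,
            "action": action,
            "prev": prev,                      # link to the previous entry
        }
        entry = dict(body, digest=self._seal(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, first bad seq).
        Catches edits, deletions and reordering of any existing entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if (entry.get("seq") != i or body.get("prev") != prev
                    or not hmac.compare_digest(self._seal(body), entry["digest"])):
                return False, i
            prev = entry["digest"]
        return True, None

    def actions_by(self, login_user: str) -> List[str]:
        """Attribution query: what did this person do, whatever account they used?"""
        return [e["action"] for e in self.entries if e["login_user"] == login_user]


def demo() -> Dict:
    """Constructed sample: two admins who both know the root password."""
    log = AuditLog(key=b"collector-secret")  # constructed key for the example
    log.record("alice", "root", "sales-01", "cp /etc/app/app.conf /backup/", ts=1700000001)
    log.record("bob", "root", "esx01", "rm /vmfs/volumes/ds1/hr-01/hr-01.vmdk", ts=1700000002)
    log.record("alice", "root", "sales-01", "systemctl restart app", ts=1700000003)
    intact = log.verify()
    bob_actions = log.actions_by("bob")
    # Bob later edits the on-host copy to pin the deletion on alice.
    log.entries[1]["login_user"] = "alice"
    after_edit = log.verify()
    return {"intact": intact, "bob_actions": bob_actions, "after_edit": after_edit}


if __name__ == "__main__":
    print(demo())
```

The chain detects any change to entries that are already present, but not simply truncating the newest ones; that is why the collector, not the host, should hold the key and keep its own copy of the latest digest.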
Governing host access
In a virtualized environment, with increased risk at the hypervisor layer, an additional layer of protection is needed to address the exposure the superuser account introduces. Many organizations are addressing this through host access-management solutions, which allow for the creation of specific, detailed security policies governing the interaction each user can have with each physical and virtual server.
These solutions support segregation of duties by enabling IT managers to define server management roles, create appropriate access policies for these roles and then assign specific users to them. They also audit all management actions, tracing each back to the original user ID. So, even where a user or process needs superuser access, the audit record accurately identifies who did what.
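The following Python example, added here and not taken from the article or any vendor product, models the role-based, default-deny policy just described and the sales-application case from the "Mitigating risk" section: roles scoped to a particular host or virtual server and action, users assigned to roles, and a check for users who hold two roles that policy says must stay separate. The host, VM, role and user names are all assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Permission:
    target: str  # "host" or "host/vm"; shell-style globs allowed, e.g. "esx01/*"
    action: str  # e.g. "copy-files", "modify-config", "power-cycle"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    user: str
    target: str
    action: str
    via_role: Optional[str]  # role that granted the action; None when denied


class HostAccessPolicy:
    """Default-deny, role-based access to physical hosts and their VMs."""

    def __init__(self) -> None:
        self.roles: Dict[str, Tuple[Permission, ...]] = {}
        self.assignments: Dict[str, Set[str]] = {}
        self.conflicts: Set[frozenset] = set()  # role pairs no one user may hold

    def define_role(self, name: str, *perms: Permission) -> None:
        self.roles[name] = tuple(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"undefined role: {role}")
        self.assignments.setdefault(user, set()).add(role)

    def forbid_together(self, role_a: str, role_b: str) -> None:
        self.conflicts.add(frozenset((role_a, role_b)))

    def decide(self, user: str, target: str, action: str) -> Decision:
        """Grant only if some role held by the user matches target and action."""
        for role in sorted(self.assignments.get(user, ())):
            for perm in self.roles[role]:
                if perm.action == action and fnmatchcase(target, perm.target):
                    return Decision(True, user, target, action, role)
        return Decision(False, user, target, action, None)

    def segregation_violations(self) -> List[Tuple[str, frozenset]]:
        """Users holding a pair of roles that policy says must stay separate."""
        return [(user, pair)
                for user, roles in self.assignments.items()
                for pair in self.conflicts if pair <= roles]


def build_example_policy() -> HostAccessPolicy:
    """Constructed scenario: host esx01 runs sales-01, hr-01 and three more
    guests. Host, VM, role and user names are assumptions for this example."""
    pol = HostAccessPolicy()
    # The sales application admin from the article: copy files from one VM only.
    pol.define_role("sales-app-admin", Permission("esx01/sales-01", "copy-files"))
    # Operates guests on the host but never touches their files.
    pol.define_role("host-operator",
                    Permission("esx01/*", "power-cycle"),
                    Permission("esx01/*", "migrate"))
    # May copy or delete any image on the host: the dangerous role.
    pol.define_role("image-custodian",
                    Permission("esx01/*", "copy-files"),
                    Permission("esx01/*", "delete-image"))
    pol.define_role("audit-reviewer", Permission("esx01", "read-audit-log"))
    # Whoever can destroy images must not also review the audit trail.
    pol.forbid_together("image-custodian", "audit-reviewer")
    pol.assign("alice", "sales-app-admin")
    pol.assign("bob", "host-operator")
    pol.assign("carol", "image-custodian")
    pol.assign("carol", "audit-reviewer")  # deliberate segregation-of-duties violation
    return pol


if __name__ == "__main__":
    policy = build_example_policy()
    for req in [("alice", "esx01/sales-01", "copy-files"),
                ("alice", "esx01/hr-01", "copy-files"),
                ("alice", "esx01/sales-01", "modify-config"),
                ("bob", "esx01/hr-01", "power-cycle"),
                ("bob", "esx01/hr-01", "copy-files"),
                ("dave", "esx01", "read-audit-log")]:
        print(policy.decide(*req))
    print(policy.segregation_violations())
```

Every decision carries the original user and the role that granted it, so the same record can feed the audit trail; a real deployment would evaluate this check before the privileged action is dispatched, not after.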
An effective host access-management solution should interoperate with both the operating system and the virtualization platform of choice. In addition, security policies need to be created, deployed and modified across both virtual and physical platforms in a unified manner. With the proper controls, virtualization can deliver its promised benefits while allowing IT to operate securely within the bounds of regulatory constraints.
Michael Liou is senior product
marketing manager for identity and access
management at CA, Islandia, N.Y.