IBM: information security is being virtually ignored
Companies are cutting IT expertise and looking to savagely trim back infrastructure costs. And virtualisation, with its promise of lower hardware costs, is usually the weapon of choice. However, could all this paring back be taking us closer to a serious security breach?
Well, IBM certainly thinks so. And I agree. Given that "you can't attack what you can't see", PC-based servers flash like a tart on a drinking binge.
They all use Intel's ubiquitous x86 processor or the AMD variant, but this cheap, one-size-fits-all solution is weak and wide open to attack, unlike its bigger cousins.
IBM warns against virtualisation for any system holding critical regulatory compliant data. Especially virtualised Intel x86-based systems used in PCI DSS environments…
Intel's chips a security gamble in Las Vegas
This year's Las Vegas InterOp show has uncovered some disturbing home truths that I've long been shouting about. IBM's x86 virtualisation security revelation is just one of them. Exactly what is the deal here?
Joshua Corman is the principal architect in IBM's Internet Security Systems Division and a respected member of the security community, not a marketing man out to grab a sound bite. And he'll make virtualisation players like VMware and even Microsoft feel very uneasy.
And his message to the banking, financial and regulated community couldn't be clearer.
"I highly recommend you don't adopt virtualisation for any regulated project."
Joshua points out that the headlong rush to save costs at all costs risks losing far more than any perceived – or virtual – gains. And normal piecemeal, token security tweaks won't work. Security needs to be a ground-up, fundamental element.
What many don't realise is that conventional patches against real threats like Conficker simply won't work in a virtualised environment.
The dartboard analogy
Joshua asks us to regard a server as an "attack surface", a target, if you like. So logically, the bigger the target, the more attractive it is to an attacker. Think of it as an attacker just having to hit the dartboard rather than the bullseye every time.
A virtualised server is a stall laid out with precious goodies, open to attack from all sides. To give VMware credit, they've stripped back their key component, the hypervisor, to an absolute bare minimum, mitigating the risk to the exposed attack surface. So good for them. Ironically, that actually creates another problem.
The VMware "diet" cannot accommodate encryption, so things are processed insecurely. That's bad. Really bad. Bad enough to make any compliance team very nervous indeed. But this isn't the half of it.
The existing PCI DSS regulations stipulate that a server should perform a single function. Wait a moment, don't virtualised servers all run on the same platform?
That's right, it's one server pretending to be lots of virtual servers. Servers that aren't there. Unfortunately, the risk is there and suddenly, it's very real indeed.
But while deploying virtualised environments does reduce corporate security substantially, Joshua offers some ways to improve things, by choosing your virtualisation tools carefully.
Use bare-metal Type 1 hypervisors, never the free Type 2 ones intended for test and proof-of-concept environments. And one fundamental thing, so often ignored when carried along on virtualisation euphoria:
Never mix test and production environments, even if a virtualised server has the capacity. Because it doesn't have the capacity to carry the risk.
I admire both Joshua's courage for taking this stand and IBM for allowing him to do so. After all, building corporate data centres and PC system virtualisation is IBM's core business. Does this signal the move away from virtualisation I've been pushing for?
Horses for courses
Wow, there's another gambling metaphor. I must be on a roll. Whoops, there's another one! I've suggested that the future of the Cloud and even large corporate data centres lies not in some virtualised, steroid-bloated PC server, but in bespoke systems, the cloud mainframe. And who better to do that than the mainframe building daddy of them all, IBM?