II. Risk of Virtualisation in Universities

/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */ 
In view of a numerous benefits of virtualisation, virtualisation technology has recently gained popularity in the marketplace. According to Gartner, percentage of workloads running on virtual machines will jump from 16% to 50% by the end of 2012. Some overseas universities (e.g. Ohio University, Indiana University and Singapore's Insitute of System Science) also deployed virtualisation in their data centres recently for cost-saving purpose. However, universities should consider the risks and vulnerabilities prior to implementing virtualisation technology and examples of these risks are:
1. Inexperienced Staff
The universities only embracing the virtualisation technology not until recently, therefore the universities are less familiar with the implication and risks of the virtualisation technology. The universities' staff are often found to have no or little experience in evaluating the virtualisation products that meet the universities' requirements. However they have to conduct a thorough review of the deployment of the virtualisation tools and applications on the possible effect of security. Lack of staff expertise may result in mis-configuration of virtual machines, such as unnecessary ports and services. Those vulnerabilities will extend to each instance of the virtual machine that is replicated from that build. Therefore, it is vital that IT staffs are trained properly on the installation, hardening and maintenance of the virtual machines.

2. Increased Channels for Attack

Hosting multiple virtual machines on a single physical machine increases the attack surface in the virtual environment and the risk of VM-to-VM compromise. Attackers can compromise a single virtual machine first and use the "virtual machine escape" technique to control all virtual machines within the virtualisation host. Moreover, the implementation of virtualisation may be performed by a number of departments and administrative units within universities. The presence of decentralised network within the universities may increase the risk of attacks on virtualised systems. As a result, appropriate intrusion detection and prevention systems should be implemented to detect malicious activity at the virtual-machine level, regardless of the location of the VM within the virtualisation environment.

3. Change Management Control

With virtualisation, there are often software or firmware updates in place below the operating system. Making changes to the virtualisation host are as simple as editing a file. However, it can impact the virtualisation host, as well the entire virtualisation environment underneath. Dedicated IT security staff within universities may not have relevant knowledge in managing multiple virtual machines instances. For example, inappropriately applying patches to a virtualisation host that support numerous virtual machines can cause problems and interruptions to production environment, particularly if a system reboot is required. Moreover, the risk of improper change control process for the virtualised machines is higher especially for the universities that do not currently have an established change management process in place within the universities. 

4. IT Asset Tracking and Management

Since the implementation of virtual machines is comparatively simpler than bringing a physical server online, there is a significant amount of oversight through the asset tracking process. A standard process may not be in place to track and manage the information technology asset in the universities. Difficulty in asset tracking may lead to failure in compliance with licensing requirements and poor asset management. 

5. Securing Dormant Virtual Machines

When a virtual machine is offline, any application can still access the virtual machine storage over the network. Virtual machines are therefore susceptible to malware infection. However, dormant VMs do not have the ability to run an antimalware scan agent. To implement virtualisation, universities should first secure these dormant virtual machines and maintain cohesive security in the virtualisation environment. 

6. Sharing Data between Virtual Machines

Virtual network traffic between virtual machines on the same physical server never leaves the physical box. Traditional security tools may not be able to analyse and monitoring of the virtual network traffic and confidential or legally protected data can be compromised. To minimise the risk of unauthorised access to the confidential data, the confidential data should be segregated from other non-confidential data, e.g. placing them on a separate physical server.

Statistical Report

2010 State of Virtualisation Security Survey
A recent survey by Prism Microsystems reveals that 48% surveyed IT professionals rank "Lack of Staff Expertise" as a primary inhibitor to effectively securing their virtual environment. Although 86% consider IT security in virtualised environment is as important as the rest of their traditional IT architecture, only around 20% implement virtual-environment specific security solutions, leaving the remaining using existing traditional security solutions (i.e. 58%) or no specific solutions (i.e. 20%) at all.
The top three security concerns on virtualisation are "Potential risk for single point of entry into multiple virtual machines" (i.e. 58%), "Introduction of new virtualisation platform can be attacked" (i.e.57%), and "Risk of unmonitored / invisible machines due to flexible deployment capabilities" (i.e. 53.9%). As for the implementation of security measures for virtualisation environment, less than 30% of respondents have implemented specific security tools to monitor and analyse activities directly from virtualisation layer.