In the area of virtualisation, three general risk areas have been identified.
The first revolves around traditional security risk areas. These risks affect both virtual and physical machines. Virtual software layers expand the potential attack surface for targeted malware and breach attempts. In some cases, a malware-infested virtual machine can be introduced to attack a network from within. The risk of data loss also increases with virtualisation: as virtual networks are created, confidential data is spread across more locations both inside and outside the organisation. Virtual machines can also suffer from gaps in the security update and patching process. Furthermore, traditional protection models can fail to track the fluidity of virtual instances, leaving gaps open to intrusion.
The second consists of risks exclusive to virtual environments. Accelerated provisioning may enable organisations to provision and run new services much more rapidly, but it leaves little time to identify and address security risks. Moreover, sensitive data previously restricted to certain trust domains can now reside beside other data on shared host systems, increasing the risk of data loss. Virtual networks also add new layers of complexity due to the dynamic movement of virtual machines, as well as more workload interactions and more administrative and user access points. All of this reduces visibility into virtual machines.
The third area concerns hybrid environments. With quick provisioning and dynamically mobile workloads, these environments are highly susceptible to threats. Advanced security threats can deploy techniques such as drive-by downloads, zero-day vulnerability exploits and rootkits to attack virtual machines. Applications are also distributed across physical and virtual environments, resulting in many pieces of code spread across multiple platforms. Visibility is further lost in the complexity of adopting managed IT services and Infrastructure-as-a-Service outsourcing.
- Source: Securing the promise of Virtualization, a Symantec/VMware position paper