In a piece published yesterday, Dan Goodin reported on the vulnerabilities between virtual machines hosted on the same piece of hardware. The article discusses research done by Johns Hopkins University professor Matthew Green, who says that, although difficult to exploit, the vulnerability is not to be overlooked.
Looking out into the managed services and cloud provider landscape, it’s hard not to see some troubling trends around positioning of shared resources and security. Companies handling proprietary information, be it personal financial information, credit card numbers, health records or anything else deemed confidential or requiring compliance, have long been cautioned to avoid relying on the public cloud for anything that has compliance needs.
What this has always come down to is hypervisor security in multi-tenant environments. Regardless of what public cloud vendors are saying, whether that it’s compliant because they don’t touch it or that it’s compliant because of services they are rolling into their cloud, the bottom line is that no multi-tenant environment can ever be secure beyond a shadow of a doubt. Yes, the attacks need to be far more sophisticated than they would otherwise need to be, but that doesn’t mean that attacks can’t happen.
This article is a clear indication that there are those out there trying to accelerate access to knowledge of what it takes to expose vulnerabilities in hypervisors. Hypervisors and virtual machines, just like any piece of man-made equipment, are not and never will be impervious to attack or influence.
The solution? Well, don’t abandon virtualization; far from it, in fact. Embrace it: it’s a viable, cost-reducing tool that helps speed your time to deployment. Use it appropriately. If you have a service that has to be highly secure, take appropriate measures and analyze the risk. Does the data warrant being on a dedicated device that’s not virtualized, not connected to other machines, that is “air gapped”? Do all those conditions need to exist to be secure? Probably not, but it’s best to always take real precautions. Don’t store the private key in your virtual machine. Use some other method to decrypt data. Store it on a USB key that can connect and disconnect from your virtual environment. Use private cloud technology rather than public cloud. Or even let it reside in a physical machine.
The bottom line is that you need to take real security measures where your data is concerned. No cloud vendor saying the public cloud can do this for you is telling the truth. Use private clouds and dedicated servers, and use key measures that don’t store the key with the private data (store it on read-only media such as optical disks, locked USB keys, HASPs, etc.). Nothing you can do will mitigate your risk 100%. Public cloud is a great tool when used properly. Compliance in the public cloud is a great idea, but it needs to stay at that idea level.
Part of mitigating risk, in terms of both security and compliance, is working with a cloud or managed service provider who not only understands the ins and outs of the available technologies and best practices associated with security, but who also can frame their solutions against your business strategy to ensure that you can properly balance functionality and agility with robust security.
By Jake Gardner