With its potential to reduce expenses, drive automation and provide flexibility, virtualization has earned its way onto the board agenda and is being implemented by enterprises worldwide. But with the many benefits of virtualization come considerable risks.
Virtualization risks can be divided into three groups:
Attacks on virtualization infrastructure – The two primary types are hyperjacking and virtual machine (VM) jumping. Hyperjacking is still a theoretical attack scenario, but has earned significant attention because of the major damage it can potentially cause.
Attacks on virtualization features – The more common targets include VM migration and virtual networking functions.
Compliance and management challenges – The number and types of VM can easily get out of hand; VM sprawl and dormant VMs make it a challenge to get accurate results from vulnerability assessments, patching/updates and auditing.
To combat these risks, ISACA recommends the following:
1. Patch and harden the hypervisor and the guests it supports.
2. Use physical, network and virtualization-based separation to segment VMs and systems.
3. Use transport encryption to secure VM migration.
4. Implement virtualization-aware management products and services.
ISACA provides a look at virtualization and strategies to help enterprises maximize the value in a new free white paper available here.