There has been a marked increase in the use of full virtualization products and services, due to their ability to significantly increase operational efficiency. This article takes a look at full virtualization, its advantages and its security concerns.
What is full virtualization?
There are various forms of virtualization and they are distinguishable mainly by computing architecture layer. With full virtualization, one or more OSs and the applications they contain are run on top of virtual hardware. Each OS instance and its applications run in a separate VM known as a guest operating system.
Guest OSs are located on a host and managed by the hypervisor, which controls the flow of instructions between the guest OSs and the physical hardware (e.g. CPU, disk storage, memory, network interface cards, etc.). Hypervisors can partition system resources and isolate the guest OSs so that each only has access to its own resources, as well as potential access to shared resources, for instance, files located on the host OS. Each guest OS can be totally encapsulated, thus making it portable. Finally, some hypervisors are able to run on top of another OS, referred to as the host operating system.
According to VMware, “Full virtualization offers the best isolation and security for virtual machines, and simplifies migration and portability as the same guest OS instance can run virtualized or on native hardware.”
There are two types of full virtualization: bare metal virtualization (aka native virtualization) and hosted virtualization. With bare metal virtualization, the hypervisor runs directly on the underlying hardware, without a host OS. In fact, the hypervisor can be built into the computer’s firmware. With hosted virtualization, the hypervisor runs on top of the host OS. The host OS can be any common operating system (e.g. Windows, Linux, or MacOS).
Why use full virtualization?
The marked increase in the use of full virtualization products and services is triggered by the many advantages it offers. One of the most common reasons for implementing a full virtualization solution is for operational efficiency. It allows organizations to use existing hardware more efficiently by placing a greater load on each computer. This means that servers using full virtualization can use more of the computer’s processing and memory resources than servers running a single OS instance and a single set of services.
Another reason to use full virtualization is to facilitate desktop virtualization, in which a single PC runs more than one OS instance. There are a number of reasons to do so. It can offer support for applications that only run on a particular OS. It can also allow changes to be made to an OS and, if necessary, reverted to the original later. Desktop virtualization has also proven to support better control of OSs, in order to ensure that they meet basic security requirements.
Desktop virtualization also enables the use of applications that run on older versions of an OS, when the user’s desktop is running a newer version. This allows for the continuity of applications as the OSs advance faster than the applications that run on them.
What’s the downside?
Despite the advantages offered by full virtualization, this option does come with a few negative security implications. These are briefly discussed below:
- Adds layers of technology, which increase the security management burden as it requires additional security controls.
- Combining a number of systems onto a single physical computer causes a larger impact, should a security compromise occur.
- It’s relatively easy to share information between virtualization systems, which can facilitate attack vectors, if not carefully controlled or regulated.
- The dynamic aspect of virtualized environments renders creating and maintaining the necessary security boundaries more complex.
Full Virtualization Security
Ultimately, the security of a full virtualization setup depends on the individual security of each of the components that comprise it (i.e. hypervisor, host computer, host OS, guest OSs, applications and storage). Organizations should ensure that all these elements are secure, and that their security is founded on sound security practices. These practices would include:
- Restricting access to administrative interfaces
- Keeping software up-to-date with security patches
- Using secure configuration baselines
- Performing monitoring and analysis of logs at all layers of the solution
- Using host-based firewalls, antivirus software or other appropriate mechanisms that would detect, prevent or halt attacks
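As an added illustration of a secure configuration baseline (not code from the original article), the sketch below audits VMware-style `.vmx` guest definitions for the guest/host sharing channels mentioned earlier: clipboard, drag-and-drop and shared host folders. The baseline policy, the treatment of missing keys as deviations, and the sample definitions are assumptions of this example; verify the key names against the hypervisor version in use.

```python
import re

# Assumed baseline (this example's policy, not from the article): every key
# must be set explicitly to the required value; a missing key is a deviation.
BASELINE = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.dnd.disable": "TRUE",
    "isolation.tools.hgfsServerSet.disable": "TRUE",
}
_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')
_SHARE = re.compile(r"sharedfolder\d+\.enabled")

def parse_vmx(text):
    """Parse key = "value" lines; keys are lower-cased, the last one wins."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit(text, baseline=BASELINE):
    """Return sorted (key, found, required) tuples for every deviation."""
    settings = parse_vmx(text)
    findings = []
    for key, required in baseline.items():
        found = settings.get(key.lower())
        if found is None or found.upper() != required:
            findings.append((key, found, required))
    # Any enabled shared folder exposes host files to the guest.
    for key, value in settings.items():
        if _SHARE.fullmatch(key) and value.upper() == "TRUE":
            findings.append((key, value, "FALSE"))
    return sorted(findings)

# Constructed sample guest definitions (not real systems).
HARDENED = '''
displayName = "web-01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfsServerSet.disable = "TRUE"
'''
LOOSE = '''
displayName = "dev-07"
isolation.tools.copy.disable = "FALSE"
isolation.tools.paste.disable = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.hostPath = "/srv/shared"
'''

if __name__ == "__main__":
    for name, vmx in (("web-01", HARDENED), ("dev-07", LOOSE)):
        for key, found, required in audit(vmx):
            print(f"{name}: {key} is {found!r}, baseline requires {required!r}")
```

Running the audit on a schedule and logging the deviations also feeds the monitoring practice in the list above, since guests in a dynamic environment drift from the baseline over time.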
This article takes a look at full virtualization solutions. With full virtualization, one or more OSs and the applications they contain are run on top of virtual hardware. Each OS instance and its applications run in a separate VM known as a guest operating system. The article briefly introduces two types of full virtualization: bare metal virtualization (native virtualization) and hosted virtualization. It also lists some advantages and security challenges involved with this type of virtualization.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Virtual machine security features (Domain 13)
- VM attack surfaces (Domain 13)
- Compartmentalization of VMs (Domain 13)