IBM: information security is being virtually ignored

Companies are cutting IT expertise and looking to savagely trim back infrastructure costs. And virtualisation, with its promise of lower hardware costs, is usually the weapon of choice. However, could all this paring back be taking us closer to a serious security breach?

Well, IBM certainly thinks so. And I agree. Given that “you can’t attack what you can’t see”, PC-based servers flash like a tart on a drinking binge.

They all use Intel’s ubiquitous x86 processor or the AMD variant, but this cheap, one size fits all solution is weak and wide open to attack, unlike its bigger cousins.

IBM warns against virtualisation for any system holding critical regulatory compliant data. Especially virtualised Intel x86-based systems used in PCI DSS environments…

Intel’s chips a security gamble in Las Vegas

This year’s Las Vegas InterOp show has uncovered some disturbing home truths that I’ve long been shouting about. IBM’s x86 virtualisation security revelation is just one of them. Exactly what is the deal here?

Joshua Corman is the principal architect in IBM’s Internet Security Systems Division and a respected member of the security community, not a marketing man out to grab a sound bite. And he’ll make virtualisation players like VMware and even Microsoft feel very uneasy.

And his message to the banking, financial and regulated community couldn’t be clearer.

“I highly recommend you don’t adopt virtualisation for any regulated project.”

Joshua points out that the headlong rush to save costs at all costs risks losing far more than any perceived, or virtual, gains. And normal piecemeal, token security tweaks won’t work. Security needs to be a ground-up, fundamental element.

What many don’t realise is that conventional patches against real threats like Conficker simply won’t work in a virtualised environment.

The dartboard analogy

Joshua asks us to regard a server as an “attack surface”, a target, if you like. So logically, the bigger the target, the more attractive it is to an attacker. Think of it as an attacker just having to hit the dartboard rather than the bullseye every time.

A virtualised server is a stall laid out with precious goodies, open to attack from all sides. To give VMware credit, they’ve stripped back their key component, the hypervisor, to an absolute bare minimum, mitigating the risk to the exposed attack surface. So good for them. Ironically, that actually creates another problem.

The VMware “diet” cannot accommodate encryption, so things are processed insecurely. That’s bad. Really bad. Bad enough to make any compliance team very nervous indeed. But this isn’t the half of it.

The existing PCI DSS regulations stipulate that a server should perform a single function. Wait a moment, don’t virtualised servers all run on the same platform?

That’s right, it’s one server pretending to be lots of virtual servers. Servers that aren’t there. Unfortunately, the risk is there and suddenly, it’s very real indeed.

But while deploying virtualised environments does reduce corporate security substantially, Joshua offers some ways to improve things, by choosing your virtualisation tools carefully.

Use bare-metal Type 1 hypervisors, never the free Type 2 ones intended for test and proof-of-concept environments. And one fundamental thing, so often ignored when carried along on virtualisation euphoria.

Never mix test and production environments, even if a virtualised server has the capacity. Because it doesn’t have the capacity to carry the risk.
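The three rules above (one function per in-scope server, no hosted Type 2 hypervisor under production, and no test guests sharing a host with production guests) are the kind of thing a compliance team can check mechanically against a VM inventory. The script below is an added illustration of such a placement audit; it is not IBM’s or the author’s tooling, and the hosts, guests and field names are constructed for the example.

```python
"""Hypervisor placement audit: a constructed example checking a VM inventory
against three recommendations: production runs only on a bare-metal (Type 1)
hypervisor, test and production guests never share a host, and a guest in
PCI DSS scope performs a single function.

The inventory format (Host/Guest records) is an assumption made for this
example, not any vendor's or IBM's schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    hypervisor_type: int  # 1 = bare-metal, 2 = hosted on a general-purpose OS


@dataclass(frozen=True)
class Guest:
    name: str
    host: str
    environment: str  # "production" or "test"
    pci_scope: bool   # holds or processes regulated cardholder data
    functions: tuple  # e.g. ("web",) or ("web", "db")


def audit(hosts, guests):
    """Return a sorted list of (rule, subject, detail) findings; empty means clean."""
    findings = []
    host_by_name = {h.name: h for h in hosts}
    guests_by_host = defaultdict(list)
    for g in guests:
        guests_by_host[g.host].append(g)

    for host_name, hosted in guests_by_host.items():
        host = host_by_name.get(host_name)
        if host is None:
            # A guest nobody can account for is itself a finding: unknown attack surface.
            findings.append(("unknown-host", host_name,
                             "guest placed on a host missing from the inventory"))
            continue
        envs = {g.environment for g in hosted}
        if "production" in envs and host.hypervisor_type != 1:
            findings.append(("type2-in-production", host_name,
                             "production guest on a hosted (Type 2) hypervisor"))
        if len(envs) > 1:
            findings.append(("mixed-environments", host_name,
                             "shares " + ", ".join(sorted(envs))))

    for g in guests:
        if g.pci_scope and len(g.functions) > 1:
            findings.append(("multi-function-pci", g.name,
                             "in-scope guest runs " + ", ".join(g.functions)))
    return sorted(findings)


# Constructed inventory for the example: two bare-metal hosts and one desktop
# running a hosted hypervisor, with a deliberate violation of each rule.
HOSTS = [Host("esx-01", 1), Host("esx-02", 1), Host("desk-01", 2)]
GUESTS = [
    Guest("pay-web", "esx-01", "production", True, ("web",)),
    Guest("pay-db", "esx-01", "production", True, ("db",)),
    Guest("crm-app", "esx-02", "production", False, ("app", "db")),  # out of scope: allowed
    Guest("pay-dev", "esx-02", "test", False, ("web",)),             # test beside production
    Guest("legacy-all", "desk-01", "production", True, ("web", "db")),  # Type 2 and multi-function
]

if __name__ == "__main__":
    for rule, subject, detail in audit(HOSTS, GUESTS):
        print(f"{rule:22} {subject:12} {detail}")
```

Run against the constructed inventory it reports three findings: esx-02 mixes test and production, legacy-all is an in-scope guest doing two jobs, and desk-01 carries production on a Type 2 hypervisor. The out-of-scope crm-app guest running two functions is deliberately not flagged, since the single-function rule on the page is framed for regulated systems; tighten that condition if your own policy applies it everywhere.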

I admire both Joshua’s courage for taking this stand and IBM for allowing him to do so. After all, building corporate data centres and PC system virtualisation is IBM’s core business. Does this signal the move away from virtualisation I’ve been pushing for?

Horses for courses

Wow, there’s another gambling metaphor. I must be on a roll. Whoops, there’s another one! I’ve suggested that the future of the Cloud and even large corporate data centres lies not in some virtualised, steroid-bloated PC server, but in bespoke systems, the cloud mainframe. And who better to do that than the mainframe building daddy of them all, IBM?