
Vulnerabilities / Threats

3/4/2011 03:35 PM
Commentary

Hypervisor Security: Don't Trust, Verify

Combating vulnerabilities (and passing audits) is a matter of starting from the root and working up.

InformationWeek Green Virtualization Security Digital Issue, Mar. 7, 2011

Virtualization Security

For years I've watched the delicate balance between enterprise IT groups and their security teams. Every now and then, there's a sea change in one area that gives rise to, let's say, passionate discussions. After attending last month's RSA conference, I feel one of those moments coming on, this time around production server virtualization. Specifically, we're talking about hardening the hypervisor--arguably one of the most important components of your virtual architecture.

What? Didn't think your CISO cared about hypervisors? Well, if he attended RSA, he does now. And if you have production VMs, you better get ready to prove they're secure. Don't expect your security team to just trust you.

Combating vulnerabilities (and passing audits) is a matter of starting from the root and working up. One option that impressed me at RSA is Intel's TXT (Trusted Execution Technology)--Intel's response to the Trusted Platform Module (TPM) specification published by the Trusted Computing Group and accepted as an ISO standard in 2009.

The foundation of this new trusted computing infrastructure is what's known as the "hardware root of trust," which establishes a bottom-up security posture based on assuring the integrity of the VM kernel and loaded modules as they reside on disk and in memory. To take advantage of it, first make sure your server hardware supports TPM. Once you've verified that your gear has the correct processor extensions and supporting chipsets, it's just a matter of adding a small circuit board that plugs into the TPM slot on the server motherboard. After you enable TXT in the BIOS of the server that runs your host, you go through a process of generating the hash state that VMware ESXi, Xen, and other hypervisors will use during the boot process to detect unauthorized changes or whether malware has infiltrated the host operating system.

Moving up the stack, software vendor HyTrust offers a virtual appliance that can read the TXT status through the vSphere vCenter API and decide whether to allow guest movement based on the classification status of the host server. HyTrust also offers network-based policy management for your virtual infrastructure that provides administrative access control, hypervisor hardening, and audit-quality logging to protect you from malicious, or sometimes just careless, insiders. Now when your security auditor asks for proof of hypervisor protection, you can go down your checklist: hardware root of trust (check), trusted virtualization environment (check), and security information and event management tools (check).
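The measured-boot check the two paragraphs above describe, as an added example that is not part of the original article or any vendor's code: a simulated TPM PCR extend chain over a constructed hypervisor boot sequence, an attestation comparison against the known-good state generated at provisioning, and a placement policy that keeps restricted guests off hosts that fail it. The component names and contents are constructed stand-ins, not real binaries.

```python
import hashlib
import hmac

# Simulated TPM PCR: starts all-zero and changes only through extend(),
# which folds each new measurement into the running hash. TPM 1.2 (the
# generation the article refers to) uses SHA-1; SHA-256 here is for illustration.
PCR_INIT = b"\x00" * 32

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = H(PCR_old || H(component)); the order of extends matters."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measured_boot(components):
    """Extend each (name, bytes) boot-chain component in order; return final PCR."""
    pcr = PCR_INIT
    for _name, blob in components:
        pcr = extend(pcr, blob)
    return pcr

# Constructed stand-ins for the launch environment, hypervisor kernel and one
# loaded module; a real deployment hashes the actual on-disk binaries when the
# known-good state is generated, and regenerates it after every sanctioned patch.
KNOWN_GOOD_CHAIN = [
    ("launch_env", b"authenticated-code-module-v1"),
    ("hypervisor_kernel", b"esxi-kernel-build-00000"),
    ("storage_module", b"kernel-module-storage-1.0"),
]
KNOWN_GOOD_PCR = measured_boot(KNOWN_GOOD_CHAIN)

def host_trusted(reported_pcr: bytes, expected_pcr: bytes = KNOWN_GOOD_PCR) -> bool:
    """Attestation check: the PCR a host reports must equal the provisioned value."""
    return hmac.compare_digest(reported_pcr, expected_pcr)

def placement_allowed(host_pcr: bytes, guest_classification: str) -> bool:
    """Placement policy of the kind described above: 'restricted' guests may
    only land on hosts whose measured state verifies; others run anywhere."""
    if guest_classification == "restricted":
        return host_trusted(host_pcr)
    return True

if __name__ == "__main__":
    tampered = list(KNOWN_GOOD_CHAIN)
    tampered[2] = ("storage_module", b"kernel-module-storage-1.0-modified")
    bad_pcr = measured_boot(tampered)
    print("clean host trusted:", host_trusted(KNOWN_GOOD_PCR))  # True
    print("tampered host trusted:", host_trusted(bad_pcr))      # False
    print("restricted guest on tampered host:", placement_allowed(bad_pcr, "restricted"))  # False
```

A mismatch says only that something in the chain differs from the recorded state; pinpointing which stage changed requires the per-component event log, which this simplified example omits.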

You're only going to increase your use of virtualization, so think in terms of evolving security. Evaluate where you are today and educate yourself as new hypervisor hardening options become available to ensure that you always stay a step ahead of the CISO--and the people after your data.

Schalk Theron is VP of security and operations for cloud services and ECM company SpringCM. Prior to joining SpringCM, Theron was at Washington Mutual, leading operational support for more than 50,000 users and a national network of more than 3,000 sites and multiple enterprise-class data centers supporting the award-winning Wamu.com. Write to us at [email protected].
