Q&A: Security in a Virtualized Environment

How are IT organizations responding to the new security challenges of administrative privileges in a virtualized environment?

Security vulnerabilities from outside the enterprise may grab the headlines, but the leading security breaches come from inside an organization. At the center of security administration are privileges -- and who holds the account that controls all the other accounts: the administrator. We spoke to Jeff Nielsen, vice president of engineering at BeyondTrust, to learn more about how admin privileges take on new importance in a virtualized environment.

Enterprise Strategies: What are administrative privileges? Who gets them and what do they control?

Jeff Nielsen: Administrative privileges are the accounts on servers, devices, operating systems, desktops, or applications that allow access to change core settings or install applications. For IT administrators, admin privileges are granted through privileged accounts such as root access on Unix or Linux machines, administrator-level access to Windows and Active Directory systems, sys and system on Oracle databases, and similar accounts on other operating systems, devices, and applications.

Admin privileges don’t partake in the same share of the limelight as hackers or insiders, but a majority of major breaches are somehow tied to administrative privileges. The Google breach involved a compromised desktop in China where a user was lured to a contaminated Web site that installed malware that gave the malware developers access, through a series of privileged connections, to Google’s crown jewels, the Gaia single sign-on system. If the user didn’t have admin privileges, the malware attack wouldn’t have been able to succeed.

One of the most pronounced challenges of privileged accounts is that they are typically shared across multiple administrators in an organization, making it difficult to establish a proper audit trail. There’s an old joke about who reconfigured a machine: “Root did it.” Unless an organization has visibility into who can access a machine using a privileged account, and what they did while they were logged in, it doesn’t have a defendable audit trail.

How are these admin privileges different with virtualization?

The admin privileges themselves aren’t that much different, but the volume, complexity, and level of access in administrative privileges grow exponentially. Just like desktops, servers, or devices are all a little different, virtualization introduces the hypervisor, which is a new surface that needs to be protected as well. The hypervisor is particularly vulnerable because a single hypervisor has control over so many applications and servers.

Virtualization also lends itself to a larger volume of operating systems due to the proliferation of virtual hosts and virtual sprawl. Although some of the increase in the number of hosts may be due to poor planning, often the increase is driven by good practice, such as better separation of data and/or application ownership, as well as application-specific virtual machines that facilitate rapid scale up and down.

According to one study, in virtualized environments, a typical hardware server has 11 virtual machines running on it. As the number of hosts increases in an organization, and as the number of active hosts may scale up or down quickly based on business needs, the need for strong identity management and privileged access practice becomes increasingly important.

The cloud takes it up another notch. A cloud environment makes prolific use of virtualization, and it usually implies cloud vendors that are offering SaaS solutions are doing so as well. The company may have 50 IT staff with admin access, but if they have four cloud vendors who each have 100 staff, the number of people with admin access to parts of the network just increased eight-fold. Additionally, most cloud vendors don’t follow best practices in managing administrative access and most companies don’t check (or even ask them to). When it only takes one motivated IT admin to wreak catastrophic damage and you have hundreds of people with access at companies that aren’t your own, and you don’t have a strong access control process with a defendable audit trail, that’s pretty scary.

Tell me about the survey you took at VMworld that really hit these issues home. What did the survey reveal?

It was a small, informal survey, but the results were overwhelming. We surveyed 57 VMworld attendees. You can see the highlights on our blog, but in a nutshell the willingness to express motive and capability to rob the company of data was shocking even for us.

About a third of respondents believed their colleagues would leak data to a competitor for $20 million and another third said their colleagues could do it if they wanted to. The people we surveyed were immediately aware of the issue we were getting at and many boasted that $20 million was a paltry sum for the data they had access to.

A long time ago, when I was working with the government, I went through security training. They taught us that attackers look for insiders that have personal issues of some sort, because they’re easier to exploit. Although most IT professionals carry high standards of ethics and behavior, some might be tempted to make a bad decision if it would lead to a payoff that helped their sick child or allowed them to keep their house. Good people can be forced by events into making bad decisions. In these cases, the $20 million price tag may come down -- way down.

Almost every respondent had virtualized at least some of their mission-critical servers. Consider that the combination of more hosts holding valuable data, additional attack surfaces that occur in virtualized and cloud environments, and the potential that one administrator out of a large group might be compromised increases your odds of a successful attack. Proper diligence in virtualized and cloud environments is definitely called for.

Do you have specific examples of vulnerabilities in a virtual environment?

Sure. Windows 7 offers a really clear example, because by default users have a virtual Windows XP operating system installed that’s used to run applications that aren’t compatible with Windows 7. What happens is users have administrative privileges removed on Windows 7, but the XP virtual machine has admin privileges by default. If someone doesn’t also remove admin rights on the XP virtual machine, the user can install (possibly unknowingly) malware, disable antivirus, or change configurations that will inevitably create security holes or create a virus/botnet distribution point. This will also put a burden on the help desk due to the resulting computer problems.

In servers, the hypervisor is the most clear and common vulnerability. We have a demonstration of the vulnerability on our YouTube channel and it just takes five minutes for an administrator to use the hypervisor to gain unlimited, unmonitored access to copious data volumes. Literally, all they have to do is make a copy of a disk device and mount it to the hypervisor OS. Then they’ve circumvented all the host-based monitoring and control tools in place, unless the organization has made a special effort to protect themselves. VMware made an announcement at VMworld this year that makes this more challenging to execute, but it’s still very easy on most hypervisors installed at customer sites.

How are IT organizations responding to these issues? What is the awareness level amongst corporations?

Everybody knows that there are new security concerns with the cloud and virtualization. Numerous surveys of bankers, developers, security teams, etc. show security as the top concern for the cloud and the number one reason for hesitation. Despite this, security teams often aren’t involved in the decision-making process, budgets are often slashed, and established best practices are often lost in the transition.

Virtualization is quite a bit older and organizations have more trust in it, but that trust is often misplaced. I think companies know, but they often just shove their concerns under the rug for another day. The cost benefits of virtualization are so attractive, organizations don’t want to ruin that by spending on security.

How would you suggest organizations shift their budgeting priorities?

I think the main thing that goes wrong with budgeting is that people are making massive consolidations in hardware, so they think that means the security budget should match. Often the transition to virtualization might cut hardware costs in half, but the security budget actually needs to go up in order to protect all these new layers of software and the growing volume of operating systems. I’m afraid that security is getting cut back and companies are setting themselves up to get burned.

What role does BeyondTrust play in managing privileges?

Whether it’s a desktop, server, device, application, or hypervisor, chances are the standard software has an “all or nothing” approach to administrative privileges. Having unlimited administrative access -- such as a shared root account -- is just inappropriate. It creates no accountability, no way of determining if an admin has stolen data, nothing to prevent hackers from lulling employees into installing malware, and nothing to prevent desktop users from misconfiguring their desktops.

On the flip side, going into total lockdown, you’re also locking down productivity.

Whether it’s the hypervisor, Linux servers, desktops or devices, BeyondTrust gives companies a very detailed level of control over the conditions in which people have administrative privileges. For servers, our software logs everything the IT staff does and breaks down access to the privileged accounts (i.e., root) into individual audit sessions for each person. On desktops we can remove administrative privileges and manage them centrally, while elevating privileges based on approved applications, network connectivity, you name it.