FOI, in a study commissioned by the Armed Forces, has investigated the risks involved in so-called virtualized IT systems. Used properly, they present major advantages, but they also require careful risk assessment.
A virtual computer, simply speaking, is a computer program that behaves like a physical computer. This makes it possible to run several virtual computers on the same physical machine, which reduces computer costs. In practice, virtualization often allows dozens of physical servers to be replaced by just one machine.
“The advantages are obvious. Virtualization of IT systems entails simplifying and improving operations, for example by balancing the use of different virtual servers. It even simplifies replacement of defective hardware,” says Daniel Eidenskog, researcher in the C4ISR Division (Command, Control, Communications, Intelligence, Surveillance and Reconnaissance Division), in Linköping.
Along with Martin Karresand, another researcher at the C4ISR Division, he wrote the report, Risker med virtualisering av IT-system [Risks in the virtualization of IT systems], which was commissioned by the Armed Forces.
The technology does not bring only advantages, of course.
“Regarding classified information, there is greater risk in combining systems in the same physical machine than in separating them in different physical computers. There is a greater risk of information leakage between the virtual environments. In other cases, other requirements than those of classified information have priority, such as when ensuring the authenticity of logins and access to authorization databases.”
In addition to the classic security requirements of secrecy, correctness, and access, Daniel Eidenskog wishes to add several other aspects, such as traceability and usefulness.
“The level of specification of requirements must be based on a combination of rules and regulations and operational requirements. Risk assessment must consider the whole picture,” he says.
Even if virtualization entails certain kinds of risks, it can also address others. Daniel Eidenskog gives an example: in cases where accessibility weighs more heavily than the information security classification, a virtualized system can be preferable. However, the advantages always need to be balanced against the disadvantages.
“The risk that a successful attack has broader consequences is generally greater in virtualized environments than in environments constructed in physically separate machines,” says Daniel Eidenskog.
In certain cases, it is conceivable that the risk is acceptable, based on the advantages gained through virtualization. One must consider the net effect of the system.
“The conclusion is that virtualization is a powerful tool if used in the right way. Using it wrongly can expose one to major risk.”
The study is based on a literature review of surveys of vulnerabilities in virtualization software.
Among other things, the authors identify four areas that influence risk:
1) virtualized environments typically include all vulnerabilities present in the corresponding physical environments;
2) to create the virtualization environment, the technology requires the addition of software that in turn may introduce new vulnerabilities;
3) the use of software to create virtualized systems by separating the virtual machines entails greater risk of information leakage;
4) virtualization technology often also entails changing the administration of the system, which may also change the risk assessment.