Consumerization of IT–How to address this
Bring Your Own Device or Consumerization of IT are fairly hot themes in a lot of customer organizations. When I talk to customers, there are typically different reactions, once we bring this up. Some tell us, that it is not part of their strategy; some tell us that they plan to do it but that they have a hard time figuring out, how to secure such an environment; very, very ...
10 Years of Trustworthy Computing at Microsoft
Before joining Microsoft a little bit more than 10 years ago, I ran a team at PricewarehoureCoopers on e-Business Risk Management – classical security consulting in the Internet bubble time. When I announced that I will leave PwC and join Microsoft, I got interesting reactions (and remember, this was 2001). Mainly they were along two lines: Oh, you are joining a desktop company? ...
10 Reasons to migrate off Windows XP
I would like you to sit back, close your eyes and think about the year 2001. Think about how you used technology back then, how you used the Internet. Now, let’s take it a little bit further back in history and think of the year 2000. Just after we realized that the Year-2000-Problem was handled very well by the industry. How you used technology, how you used the Internet, the ...
Office 365 Becomes First and Only Major Cloud Productivity Service to Comply With Leading EU and U.S. Standards for Data Protection and Security
A long title but this was the title of the official press statement yesterday. Compliance is always a key question in the public cloud space. Therefore it is very important for us that we now achieved three things: Office 365 is compliant with EU Model Clauses, Data Processing Agreements and ISO 27001 among other standards. Office 365 is the first and only major ...
Security Risks of Virtualization By Roger Halbheer, on May 20th, 2008 One fact strikes me pretty often: Companies have the problem that they have legacy software running on legacy operating systems (e.g. NT4) running on legacy hardware. This is a severe problem as you all know. Now, these companies look into virtualization so solve this problem. From all the three “legacy” up there, only the hardware problem can be addressed by the use of virtualization – definitely not the OS and the application piece (obvious). Now, there are still a lot of people thinking that if they embed the legacy machine in a state-of-the-art virtual environment that the machine itself might be more secure. This can be true – if you do not connect it to the network. Otherwise, the OS and the application are as vulnerable as before.
This is all clear and in the meantime known to a lot of people. Virtualization gives us a lot. I think, it is a great technology to address quite some challenges (especially the challenge of having servers that are mainly “idlein” in the computer room) – but it does not address the challenge above. On the contrary, it adds additional risks.
I just read a very good article on that on Information Week: Virtualization Has A Security Blind Spot. In there, they mention five laws published by Burton Group:
- All existing OS-level attacks work in the exact same way.
- The hypervisor attack surface is additive to a system’s risk profile.
- Separating functionality and/or content into virtual machines (VM) will reduce risk.
- Aggregating functions and resources onto a physical platform will increase risk.
- A system containing a “trusted” VM on an “untrusted” host has a higher risk level than a system containing a “trusted” host with an “untrusted” VM.
So, manage the risks and have fun with virtualization!
Roger
Related posts:
- Security Risks of VoIP
- 8 Dirty Secrets Of The Security Industry
- The ideal profile of a CSO
Leave a Reply
|
|
|
