IBM: information security is being virtually ignored

Posted in SaaS, clients, collaboration, compliance, computers, general, management, networks, news, security, strategy, virtualisation by Neil Robinson on May 26th, 2009

Companies are cutting IT expertise and looking to savagely trim back infrastructure costs, and virtualisation is usually the weapon of choice. But is a serious security breach now a real threat?

Well, IBM thinks so, and I agree. If “you can’t attack what you can’t see” holds, the converse holds too: a commodity PC-based server stands out to an attacker like a tart on a drinking binge.

They all use Intel’s ubiquitous x86 processor or the AMD variant, and this cheap, one-size-fits-all platform is weak and wide open to attack compared with the mainframe and mid-range systems it is displacing.

IBM warns against virtualisation for any system holding data subject to regulatory compliance, and says that virtualised x86 systems should never be used in a PCI DSS environment…

Intel’s chips a security gamble in Las Vegas

This year’s Las Vegas Interop show has uncovered some disturbing home truths that I’ve long been shouting about. IBM’s x86 virtualisation security revelation is just one of them. So what’s the deal here?

Joshua Corman is the principal architect in IBM’s Internet Security Systems division and a respected member of the security community, not a marketing man out to grab a sound bite. And he’ll make virtualisation players like VMware and even Microsoft feel very uneasy.

His message couldn’t be clearer. “I highly recommend you don’t adopt virtualisation for any regulated project.”

Joshua also points out that the headlong rush to save costs at all costs risks losing far more than any perceived (or virtual) gains. Piecemeal, token tweaks to improve security won’t work: security has to be designed in from the ground up as a fundamental element of the platform.

What many don’t realise is that conventional patching against real threats like Conficker only hardens the guest operating systems. It does nothing for the hypervisor underneath them, and a compromise at that layer sits below every patched guest on the host.

The dartboard analogy

Joshua asks us to regard a server as an “attack surface”, a target, if you like. So logically, the bigger the target, the more attractive it is to an attacker. Think of it as an attacker just having to hit the dartboard rather than the bullseye every time.

A virtualised server is a stall laid out with precious goodies, open to attack from all sides. To give VMware credit, they’ve stripped back their key component, the hypervisor, to an absolute bare minimum, shrinking the exposed attack surface. So good for them. But that actually creates another problem.

The VMware “diet” leaves no room for encryption in the hypervisor itself, so unless each guest or application encrypts its own data, things are processed in the clear. That’s bad. Really bad. Bad enough to make any compliance team get very nervous indeed. But this isn’t the half of it.

The existing PCI DSS standard (Requirement 2.2.1) stipulates that a server should implement only one primary function. But don’t all the virtualised servers run on the same physical platform?

That’s right, it’s one server pretending to be lots of virtual servers. Servers that aren’t there. But the risk is there and suddenly, it’s very real indeed.

But while deploying virtualised environments does reduce corporate security substantially, Joshua offers some ways to improve things by choosing your virtualisation tools and layout carefully.

Use bare-metal Type 1 hypervisors, never the hosted Type 2 ones (the free desktop products intended for test and proof-of-concept work). And one fundamental thing, so often ignored when carried along on virtualisation euphoria.

Never mix test and production environments, even if a virtualised server has the capacity. It doesn’t have the capacity to carry the risk.
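The two layout rules above (never mix test and production on one host; and, on the strict reading of PCI DSS 2.2.1 taken in this post, one primary function per physical server) can be checked mechanically against a hypervisor inventory. The following is an added example written for this page, not code from IBM, VMware or the original post; the inventory columns, the host and VM names, and the way the policy is encoded are constructed assumptions, and a real run would take the rows from your hypervisor’s inventory export.

```python
"""Flag virtualisation hosts that mix workloads which should be kept apart.

Added example, not from the original post or from IBM/VMware. The inventory
shape (host, vm, env, pci, role) and the sample rows below are constructed
assumptions standing in for a real hypervisor inventory export.
"""
from collections import defaultdict

# Constructed sample inventory: one row per guest VM.
#   env  : "prod" or "test"
#   pci  : True if the guest is in PCI DSS scope
#   role : the guest's primary function
INVENTORY = [
    {"host": "esx01", "vm": "pay-web-01",  "env": "prod", "pci": True,  "role": "web"},
    {"host": "esx01", "vm": "pay-db-01",   "env": "prod", "pci": True,  "role": "db"},
    {"host": "esx02", "vm": "hr-app-01",   "env": "prod", "pci": False, "role": "app"},
    {"host": "esx02", "vm": "hr-app-test", "env": "test", "pci": False, "role": "app"},
    {"host": "esx03", "vm": "pay-db-02",   "env": "prod", "pci": True,  "role": "db"},
    {"host": "esx03", "vm": "dev-sandbox", "env": "test", "pci": False, "role": "sandbox"},
]


def group_by_host(inventory):
    """Map each physical host to the list of guest rows running on it."""
    hosts = defaultdict(list)
    for row in inventory:
        hosts[row["host"]].append(row)
    return hosts


def find_violations(inventory):
    """Return {host: [reason, ...]} for hosts breaking a separation rule.

    Assumed policy encoding of the post's advice:
      mixed-env   : production and test guests share one physical host
      mixed-scope : PCI-scoped guests share a host with out-of-scope guests
      mixed-role  : PCI-scoped guests of different primary function share a
                    host (the strict reading of PCI DSS 2.2.1 used here)
    Hosts with no finding are omitted from the result.
    """
    findings = {}
    for host, vms in group_by_host(inventory).items():
        reasons = []

        envs = {v["env"] for v in vms}
        if "prod" in envs and envs - {"prod"}:
            reasons.append("mixed-env: " + ", ".join(sorted(envs)))

        scopes = {v["pci"] for v in vms}
        if scopes == {True, False}:
            reasons.append("mixed-scope: in-scope and out-of-scope guests share hardware")

        pci_roles = {v["role"] for v in vms if v["pci"]}
        if len(pci_roles) > 1:
            reasons.append("mixed-role: " + ", ".join(sorted(pci_roles)))

        if reasons:
            findings[host] = reasons
    return findings


def report(inventory):
    """Human-readable lines, one per finding, sorted by host."""
    lines = []
    for host, reasons in sorted(find_violations(inventory).items()):
        for reason in reasons:
            lines.append(f"{host}: {reason}")
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY):
        print(line)
```

On the constructed rows, esx01 is flagged only for hosting two different PCI functions (web and db), esx02 only for mixing production with test, and esx03 for both mixing environments and putting an in-scope database beside an out-of-scope sandbox. Under the later PCI DSS reading that treats each virtual machine as the "server", the mixed-role rule would be dropped and esx01 would pass; the other two rules are the ones this post is really arguing for.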

I admire both Joshua’s courage for taking this stand and IBM for allowing him to do so. After all, building corporate data centres and system virtualisation is IBM’s core business. But does this signal something I’ve been pushing for?

Horses for courses

Wow, there’s another gambling metaphor. I must be on a roll. Whoops, there’s another one! I’ve suggested that the future of the Cloud and even large corporate data centres lies not in some virtualised, steroid-bloated PC server, but in bespoke systems, the cloud mainframe. And who better to do that than the mainframe building daddy of them all, IBM?


2 Responses to 'IBM: information security is being virtually ignored'


  1. Stuart Mac said,

    on May 26th, 2009 at 3:30 pm

    If this is the true position regarding PCI DSS it will put the cat well and truly among the pigeons. I will wait for a few days to see what the reaction is to this as it has very serious implications for everyone working in the financial services industry.

    I am not doubting what you report here, but I do question if the original statement by IBM is true. I am very surprised that IBM, who build so many of the financial sector’s environments, have come out to say this. I am – as they say – gobsmacked, as half the City is built on virtualised infrastructures. SM.


  2. on June 9th, 2009 at 9:03 am

    I must admit, Stuart, I was surprised to hear IBM taking this stance and expected a retraction or some qualifying remark to quickly follow. I even held off posting in case this happened.

    But instead of pulling back, IBM actually confirmed the comments. So there you go. Don’t virtualise PCI DSS systems!
