Monday, October 24, 2016

VMware Virtual Machine Virtual Disk Security


Last week, during VMworld 2016 Europe, VMware announced vSphere 6.5, the latest release of vSphere. You can check this, amongst other announcements, in this press release. One area of improvement in vSphere 6.5 is virtual infrastructure security, which you can read about here. What interests me among the new security features is VM encryption, as some customers I met asked about this capability. So I dug out an old post, originally personal notes I wrote back in 2014 about some points of discussion regarding virtual disk security, and modified it to be relevant to the recent announcement.

OK, let's understand the problem first. Remember one of the characteristics of virtualisation? Encapsulation. In other words, a VM is basically just a set of files. If those files are walked out the door, then people can mount them, extract the files/information, or even get the VM up and running. Check this article if you want to get an idea of how that could be done.

You might say that if that situation happens, the company is not applying a good security policy, and in that case anything can happen, even in the non-virtualised world. Well, you got that right, but let's see what we can do to prevent that situation, how VMware caters for it, and how VMware can make sure that if a virtual disk leaks, the person who has it cannot take advantage of it.

Before talking about how to secure the virtual disk, let's understand the areas of attack where data leakage could happen.

Areas of attack:
  • Guest OS level
  • Host level
  • Storage level
  • Network (data on the move)
For now, we will only discuss the first three areas of attack, which are considered data-at-rest leakage.
In my "so-called" research on this topic, I found data-at-rest leakage explained nicely in this article. In short, we can protect against data-at-rest leakage by encrypting at the level of storage, host, or guest OS. The following table, which I took from the aforementioned article, summarises the protection that we get by encrypting at each level.

Table source: http://www.v-front.de/2014/08/do-you-need-disk-encryption-for-hosted.html

From the above table we can see that encryption at the storage level will only protect against loss of physical disks. We can also see in that table that if the guest OS is compromised, then none of the solutions will protect against data leakage.

OK, now we understand that the vSphere 6.5 VM encryption feature protects us at the level of the host OS. Long story short, I/O coming from the VM is encrypted by ESXi and stored securely at the storage level. vSphere requires an external key management system to manage the encryption key. If someone is able to compromise the storage and/or the host OS (but without access to the decrypt privilege) and take out a VM's virtual disk, he/she will not be able to extract the data, since it is encrypted. Of course, other security practices should be followed to ensure that a user with the encrypt/decrypt privilege does not fall into the wrong hands.

As you might now see, this security thing is not simple. VM encryption adds a layer of protection, but there are a lot of other areas of attack that we should also take care of. Let me know what you think about this. Any feedback is welcome. Thanks.
