As I have discussed, x86 hardware virtualization creates a new IT platform that must be securely maintained (e.g. patch, configuration and vulnerability management) like any other IT platform we are responsible for. This layer is extremely sensitive as a compromise of this layer puts all of the hosted VMs at risk.
What’s really interesting is the intersection of these two: the use of whitelisting in the virtualization layer/platform itself to control what applications are allowed (or not allowed) to execute in this critical layer.
With VMware’s ESX, this is an issue in the Linux-based service console (which can run compatible Linux applications). It is a much more serious issue with Microsoft’s Hyper-V parent partition architecture based on Windows Server 2008 “core” and Xen’s Dom0 based on Linux. With Hyper-V and Xen, a failure or compromise of the parent partition puts all of the child VMs at risk.
From a security perspective, thinner is always better, so ideally we wouldn’t run any additional software in the parent/Dom0 partition. Sounds like a perfect application of application whitelisting, doesn’t it? And, since we don’t have pesky end-users downloading and executing arbitrary code at this layer (or browsers, or email, or …), it makes the approach of whitelisting much, much easier to apply.
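As an added example (not code from the original post or from any vendor), here is the kind of hash-based allowlist audit that a small, static parent partition makes practical, applied to a Linux-based Dom0 or service console. The baseline image, the observed executables and the Xen daemon paths are constructed sample data, and the live /proc collector assumes a Linux management partition.

```python
"""Allowlist audit for a hypervisor management partition (Xen Dom0,
ESX service console). Added example with constructed sample data."""
from __future__ import annotations
import hashlib
import os
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    status: str  # "unknown": not on the allowlist; "modified": hash mismatch


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(image: dict[str, bytes]) -> dict[str, str]:
    """Baseline taken from the vendor-supplied image: path -> SHA-256."""
    return {path: sha256_bytes(content) for path, content in image.items()}


def audit(observed: dict[str, bytes], allowlist: dict[str, str]) -> list[Finding]:
    """Flag executables that are not in the baseline, or whose bytes changed."""
    findings = []
    for path, content in sorted(observed.items()):
        expected = allowlist.get(path)
        if expected is None:
            findings.append(Finding(path, "unknown"))
        elif sha256_bytes(content) != expected:
            findings.append(Finding(path, "modified"))
    return findings


def running_executables() -> dict[str, bytes]:
    """Linux only: on-disk image of every running process (assumed /proc layout)."""
    result = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(exe, "rb") as fh:
                result[exe] = fh.read()
        except OSError:  # kernel thread, exited process, or binary deleted on disk
            continue
    return result


# Constructed sample data: approved Dom0 image vs. what is actually running.
BASELINE_IMAGE = {"/usr/sbin/xend": b"xend-3.2", "/usr/sbin/xenstored": b"xenstored-3.2", "/bin/sh": b"dash"}
OBSERVED_DOM0 = {"/usr/sbin/xend": b"xend-3.2", "/usr/sbin/xenstored": b"xenstored-TAMPERED",
                 "/bin/sh": b"dash", "/tmp/agent": b"unapproved-agent"}

if __name__ == "__main__":
    for f in audit(OBSERVED_DOM0, build_allowlist(BASELINE_IMAGE)):
        print(f"{f.status}: {f.path}")
    if sys.platform.startswith("linux"):  # live check on a real management partition
        print(len(audit(running_executables(), build_allowlist(BASELINE_IMAGE))), "live findings")
```

Running the sample reports the unapproved /tmp/agent binary and the modified xenstored daemon; the live mode would be fed a baseline generated from the vendor's installation media rather than the constructed one here.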
As I discussed in a comment on this post, we should expect our IT platform vendors to provide whitelisting capabilities built into the platforms they sell us. Likewise, basic whitelisting capabilities should be built into our virtualization platforms and should not require that we install an additional agent to achieve this.
(virtualization platform providers, repeat after me: agents at the hypervisor/VMM layer are a bad thing, agents at the hypervisor/VMM layer are a bad thing)
However, none of the virtualization platform vendors that I am aware of provides application control as a standard built-in capability (yet). This is another no-brainer that I would expect to appear as a standard capability in virtualization platform solutions within the next 12-24 months.