Wednesday, 2 February 2011

Drive by Download attacks

Users browse through web sites and are asked to install certain ActiveX applications for "better viewing" of the site. Unsuspecting users click "YES", which results in the installation of malware, spyware and the like. This process is called a drive-by download attack.


Spyware vendors frequently use automated installations of ActiveX controls (a special kind of plug-in program for Microsoft's Internet Explorer web browser) to distribute their software via web sites. These automated installations are initiated when web surfers land on pages that include HTML code to start the download and installation process. These installations may also be initiated by pop-ups spawned by web pages that users visit. As these installations are initiated by web sites and not users, many consumers refer to these automated installations as "drive-by-downloads." Web users often find these "drive-by-downloads" confusing and disorienting, and it is little wonder that many of them would carelessly click through pop-ups on web sites with very little understanding of the programs they are in fact allowing to be installed on their PCs.


This link gives a very good explanation of the process: http://www.spywarewarrior.com/uiuc/dbd-anatomy.htm
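As an added illustration (not part of the original post or of the linked article), the following Python script scans a page's HTML for the `<object classid="clsid:..." codebase="...">` pattern that makes Internet Explorer fetch and install an ActiveX control, and flags controls whose codebase is hosted somewhere other than the page itself. The sample page, the CLSIDs and the host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ActiveXInstallFinder(HTMLParser):
    """Hypothetical detector: collects <object> tags that would make IE install an ActiveX control."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()  # host the page was served from
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "object":
            return
        a = {k: (v or "") for k, v in attrs}
        classid = a.get("classid", "")
        # Only clsid: object tags reference a COM/ActiveX control.
        if not classid.lower().startswith("clsid:"):
            return
        # codebase="URL#version=..." tells IE where to download the control;
        # strip the version suffix and compare its host with the page's host.
        url = a.get("codebase", "").split("#", 1)[0]
        host = (urlparse(url).hostname or self.page_host).lower()
        self.findings.append({
            "classid": classid,
            "codebase": url,
            "remote": host != self.page_host,  # third-party host: the classic drive-by pattern
        })

def find_activex_installs(html, page_host):
    """Return the ActiveX install attempts found in html, in document order."""
    parser = ActiveXInstallFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: CLSIDs and hosts are placeholders, not real controls.
SAMPLE_HTML = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000001"
        codebase="http://cdn.example.net/viewer.cab#version=1,0,0,0"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000002"
        codebase="/plugins/helper.cab"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>"""

if __name__ == "__main__":
    for f in find_activex_installs(SAMPLE_HTML, "www.example.com"):
        print("REMOTE" if f["remote"] else "local ", f["classid"], f["codebase"] or "(no codebase)")
```

A page that presents a legitimate, locally hosted control is still reported, but only the remote-host findings are the ones worth alerting on.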


Tuesday, 18 January 2011

What are Virtual IT Systems?

Source: "Auditing Security Risks in Virtual IT Systems" - Abhik Chaudhuri, MCA, PMP, SH (Basie) von Solms, and Dipanwita Chaudhuri, ACA (ICAI), MIIA; ISACA, vol. 1, 2011

Virtualization in a distributed environment is the basis for grid computing and cloud computing, which supply computing infrastructure as a utility, on-demand service. It can be applied to operating systems, desktops, applications, storage (SAN) and networks.


What is Virtualization?
Virtualization software, the Virtual Machine Monitor (VMM) or hypervisor, sits on the native OS. It plays the role of a resource manager that enables sharing of processing power and memory: it virtualizes the hardware of the physical machine and partitions it into multiple, logically separate VMs.

Components of Virtualization
· Physical hardware or virtualisation host—Physical machine on which the VM environments reside. The number of VMs that can be supported on a single physical machine depends on the hardware configuration and specifications.
· Host operating system—Primary OS on the physical machine. The virtualisation layer resides on this OS.
· Virtualisation layer—Virtualisation software that co-ordinates with the host OS for requests from VMs regarding CPU time, physical memory, disk reads and writes, network input/output (I/O), etc. The virtualisation software is called the hypervisor and it plays an important role in virtualisation technology. It intercepts the hardware resource requests from the virtual machines that reside on it and translates them into a format the physical hardware can understand; similarly, responses from the physical hardware are translated by the hypervisor so that the virtual machines can understand them. The hypervisor decouples the VMs from the physical hosts by introducing a layer of abstraction between the VMs and the physical hardware layer.
o Not all virtualisation solutions leverage a hypervisor. Some of the virtualisation products that do are VMware ESX and Virtual Infrastructure, Microsoft Hyper-V, and Citrix XenSource.
· Virtual machine—Independent and isolated environment created by the virtualisation software. Each VM runs its OS independently of the other VMs.
· Guest operating systems—The OSs installed on VMs. These run on the host OS. Virtualisation technology allows multiple VMs with heterogeneous guest OSs to run in isolation, side by side on the same physical machine. The VMs have their own virtual hardware (e.g., CPU, RAM, disks, network cards) on which the guest OSs and applications are loaded. The guest OSs perform consistently, irrespective of the physical components.

Types of Virtualization:

· Storage virtualisation—Virtualises the physical storage from multiple network storage devices so that they appear to be a single storage device.
· Network virtualization—Combines computing resources in a network by splitting the available bandwidth into independent channels that can be assigned to a particular server or device in real time.
· Server virtualization—Hides the physical nature of server resources, including the number and identity of individual servers, processors and OSs, from the software running on them.

In general, "virtualization" on its own refers to server virtualization.

Benefits of Virtualization:


· Improves IT service agility.
· Reduces the infrastructure cost of ownership by decreasing the total number of physical servers; operating expenses therefore go down dramatically.
· Expedites the server provisioning procedure.
· Improves capacity management.
· Increases IT efficiency through shared CPU processing capacity and effective storage utilisation. VMs are capable of running different OSs and have several further benefits, such as encapsulation, isolation and partitioning.
· VMs are encapsulated into files, which makes it possible to:
o rapidly save, copy and provision the VM;
o move fully configured systems, applications, OSs and virtual hardware within seconds from one physical server to another, for zero-downtime maintenance and continuous workload consolidation.
· VMs are completely isolated from the host machine and from other VMs. If a VM crashes, all others are unaffected.
· Data do not leak across VMs, and applications can communicate only over configured network connections.
· Allows partitioning of multiple applications and support for multiple OSs within a single physical system. Servers can be consolidated into VMs on either a scale-up or scale-out architecture, and computing resources can be treated as a uniform pool that is allocated to VMs in a controlled manner.
· Effective segregation of duties, simulation support with multiple versions of the same or different OSs, more continuity options and expansion of the test environment.
· Some big organisations have embraced virtualisation to increase business resiliency in support of disaster recovery (DR) and business continuity.

Benefits from a security point of view:


· Better forensic capabilities
· Faster recovery after an attack
· Safer and more effective patching
· Better control over desktop resources
· More cost-effective security devices