Confronting Virtualization's Security Challenges
Many organizations, including government agencies, have migrated physical hardware into virtual environments, addressing new technical challenges and demonstrating a clear return on investment. While virtualization brings clear cost and efficiency benefits, a closer look shows that the technology raises a number of key security issues that need to be addressed. One area I have been focused on lately is how to recover lost or corrupted data stored within enterprise virtual data stores. The challenge with virtualization is that it is relatively new, and consequently, resources and know-how on virtual disk forensics, recovery and analysis are limited.
The key is to be prepared. When responding to an incident, a tremendous amount of time is wasted trying to figure out the basics: Who has the data we need? Where is the data kept? What's the fastest way to pull the data? How much is there? Do we have the means to examine the data? Have we defined a sound and defensible process to perform the required action?
These concerns are not limited to virtual environments, either; cloud computing platforms need to demonstrate how they meet consensus standards for data recovery and acquisition. If you host data or applications in a production virtual or cloud environment, and are unsure of how prepared you are to handle a data loss or incident involving virtual data, take a few moments to ask yourself the following questions:
1. If you suffered a catastrophic loss of data, how would you go about restoring the lost information? You would probably say you have backups to restore the data, but are you sure? It's always best to follow the adage "Trust, but verify" when it comes to backups. Make sure you can actually restore useful, valid data, and that you know where to go to get the information. If you use VMware, you may have some additional tools at your disposal. Its VMDK Recovery Tool may help recover virtual data or restore content in the event of file system corruption, but this utility needs to be in place before an incident. Remember that virtualization is a young technology, and you should strongly consider any reasonable means to protect critical data stored in a virtual environment.
2. Are your incident response staff prepared to work with virtual disk data? Many of the major commercial forensic tools support virtual disk formats, but do not provide features for recovering data from badly corrupted virtual disks. In that case, you'll need to depend on technical staff who really understand the nuts and bolts of file systems to piece together corrupted virtual data. Virtual data storage technology and terminology can be confusing; your team should know where to go to retrieve the data and be familiar with the toolsets and processes used to analyze virtual data. Practice is key: performance and response bottlenecks only become apparent during training exercises or an actual incident.
3. How would you extract data to support an investigation or a legal/compliance request? This is a serious consideration for data that may be hosted on an external cloud. Has your service provider furnished any documentation or contract language that illustrates how they will respond to an incident, legal inquiry or investigation? What guarantees are there that your provider will respond to requests in a timely manner? Where is the data stored, and are there any unique legal issues that need to be ironed out before an agreement is in place? Example: in an earlier post, I mentioned a Google routing glitch that ended up causing traffic to be incorrectly routed through Asia. Imagine the legal and jurisdictional issues if critical data needed for a restoration were archived or stored across international boundaries, even accidentally.
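As an added illustration of the "nuts and bolts" preparedness that item 2 calls for (example code written for this post, not a VMware tool or anything from the original article), the script below walks a VMDK descriptor's extent lines and sanity-checks each sparse extent's 512-byte header before an incident forces the question: is the magic intact, does the header's capacity agree with the descriptor, is the unclean-shutdown flag set, is the extent file even present? The descriptor text and extent bytes are constructed in memory so the example runs offline; the header field offsets are taken from VMware's published Virtual Disk Format specification.

```python
import re
import struct

# Field offsets follow VMware's published Virtual Disk Format spec for the 512-byte sparse
# extent header: uint32 magic 'KDMV' at 0, uint64 capacity (sectors) at 12, uint8 uncleanShutdown at 72.
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"')
SPARSE_MAGIC = 0x564D444B  # little-endian reading of the bytes b"KDMV"

def parse_extents(descriptor: str):
    # Yields (access, sectors, extent_type, filename) for each extent line of a descriptor
    for line in descriptor.splitlines():
        m = EXTENT_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(4)

def check_sparse_header(data: bytes, expected_sectors: int) -> list:
    """Return problems found in the first sector of a SPARSE extent (empty list = looks sane)."""
    if len(data) < 512:
        return ["extent shorter than one sector; header is missing"]
    magic, _version, _flags, capacity = struct.unpack_from("<IIIQ", data, 0)
    problems = []
    if magic != SPARSE_MAGIC:
        problems.append(f"bad magic 0x{magic:08x}; header overwritten or not a sparse extent")
    if capacity != expected_sectors:
        problems.append(f"capacity {capacity} sectors disagrees with descriptor ({expected_sectors})")
    if data[72]:
        problems.append("uncleanShutdown flag set; grain tables may be stale")
    return problems

def readiness_report(descriptor: str, files: dict) -> dict:
    """Map each extent filename to its problem list; `files` maps filename -> extent bytes."""
    report = {}
    for _access, sectors, etype, name in parse_extents(descriptor):
        if name not in files:
            report[name] = ["extent file missing from datastore"]
        else:  # FLAT/ZERO extents carry no header to validate here
            report[name] = check_sparse_header(files[name], sectors) if etype == "SPARSE" else []
    return report

def make_header(magic=SPARSE_MAGIC, capacity=4192256, unclean=0) -> bytes:
    """Constructed 512-byte header for the demo; only the fields checked above are populated."""
    h = bytearray(512)
    struct.pack_into("<IIIQ", h, 0, magic, 1, 0, capacity)
    h[72] = unclean
    return bytes(h)

# Constructed descriptor and in-memory extents: one healthy, one clobbered, one missing.
DESCRIPTOR = 'RW 4192256 SPARSE "vm-s001.vmdk"\nRW 4192256 SPARSE "vm-s002.vmdk"\nRW 2048 SPARSE "vm-s003.vmdk"\n'
SAMPLE_FILES = {"vm-s001.vmdk": make_header(), "vm-s002.vmdk": make_header(magic=0, unclean=1)}
```

Run against a real datastore, `files` would be replaced by reading the first sector of each extent named in the descriptor; a non-empty problem list is the cue to pull the affected extent for deeper file-system-level analysis before it is needed in anger.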
There are many clear advantages to virtualizing infrastructure. The challenge lies in making sure that you're not sacrificing security in the process.
Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.