Have you ever thought about how secure your servers are “in the cloud”? Well, the good news is that servers in the cloud, or even virtualized within your own infrastructure on-premises cloud, are likely to be more secure than those on bare metal.
Don’t take this as a green light to disregard security on your virtual servers, but more of an indication that these systems have a better starting point than their non-virtualized counterparts.
First of all, when I am talking about virtualized servers, I am referring to para-virtual (PV) systems. Fully virtualized systems don’t have the same starting level of security. It is often a misunderstanding that FULL virtualization is better, but in reality, a fully virtualized system is not aware of the virtualization in any way shape or form. This means that your virtual server will need to boot to some form of emulated BIOS provided by the hypervisor. Booting to the BIOS is a bad thing because the BIOS will give access to the boot menu, where we can select to the network or USB and so on, gaining access to the file-system. Virtual machines do not need a BIOS as they are not real systems. Para-virtual systems, on the other hand, are aware of the virtualization environment and won’t start with a BIOS screen. This not only means a faster start but the first security hole of physical access to a server, the BIOS, is mitigated.
Para-virtualization of your servers also means streamlining the drivers. Those drivers used to access the virtual-hardware are designed for virtual devices, not physical devices. On many Linux systems that are para-virtualized the first hard drive will be VDA (Virtual Drive A) rather than SDA (SCSI Drive A).This is not solely a nomenclature process. Using the driver designed to write to virtual disks provides a major overall improvement and speed boost because you are writing disk files rather than writing to a hardware disk that needs housekeeping performed after the writes.
Para-virtual GRUB (PV-GRUB) is another feature of virtual systems ensuring that the normal boot-loader is bypassed. The GRUB boot-loader will load the Linux kernel, but alterations to the Kernel boot parameters can be used to disable security features such as SELinux or reset passwords. Once again, your PV servers come out winning in the security stakes.
When you also encompass server availability within your security blanket we continue to win big time. Using clusters of virtualization hosts we can migrate running virtual systems to nodes that are best suited to executing the workload at the given time. This keeps your systems running effectively with minimal use of hardware.
Don’t just think of your virtual servers as convenient, look at them as the new starting point for security. You can learn more about this topic by watching our Linux security and server hardening course, available in the All Access Pass.