Section 10.1 Methods
Information Technology has seen massive growth in the adoption of virtualization as the underpinning of dynamic and robust systems. This shift from bare-metal resources to virtual resources provides its own unique security challenges and considerations. As the field changes, it is important for anyone working in cybersecurity to not only understand how these systems work, but also be able to approach their implementation with a security-first mindset.
Virtualization is the act of using virtual computing resources as opposed to the actual resources directly. For example, you may run a program on a virtual version of a computer, emulating the processor, memory, etc., instead of running the program directly on the actual hardware. This offers some advantages in that you can limit the resources the program uses or run multiple programs in isolated environments without needing to significantly change the program itself. There are a few ways that virtual computing is typically accomplished:
Subsection 10.1.1 Virtual Machines
The diagram presents a side-by-side comparison of two deployment models: "Virtual Machine Deployment" on the left and "Container Deployment" on the right. Both models start with "Actual Hardware (bare metal)" at the base.
The "Virtual Machine Deployment" model shows a stack beginning with Actual Hardware, then a Host OS (comprising an OS Kernel and OS Userspace), followed by VM Software (hypervisor). Above this, a Guest OS (with its own OS Kernel and OS Userspace) is depicted, which in turn runs the Application.
The "Container Deployment" model also starts with Actual Hardware and a Host OS (including an OS Kernel and OS Userspace). However, it then shows a Container Runtime directly above the Host OS, upon which the Application runs. This model does not include a separate Guest OS kernel.
Arrows indicate the layered dependencies in each model, illustrating that Virtual Machines include a full Guest OS, while Containers share the Host OS kernel and run applications via a Container Runtime.
A virtual machine is a resource that uses software to pretend to be an entire physical computer. Virtual machines emulate hardware on which a guest operating system is installed. The operating system of the machine running the virtual machine is referred to as the host operating system.
Virtual machines afford a great deal of flexibility in how something is run. The machine can be paused, restarted, or even have snapshots of its current state stored. Some virtual machines do not even required elevated privileges to run, meaning you can emulate a privileged environment within an unprivileged one. This makes them a great choice for sandboxing untrusted programs.
Unfortunately virtual machines are quite resource intensive due to the fact they require virtualizing the entire operating system. This resource use problem and the increasing popularity of virtualization led to the creation of more light-weight solutions such as containers.
Subsection 10.1.2 Containers
A container simplifies the VM by using the same operating system kernel as the host. This is accomplished by using special features of the Linux kernel to isolate the container. Linux namespaces controlled by cgroups allow a daemon (Docker, podman, etc.) to make an environment where the application has limited access to the full system. Typically containers are used to run a single application as if it were running all by itself on an actual host. This makes it easier to deploy the unique environments that some applications require.
1
man7.org/linux/man-pages/man7/namespaces.7.html2
man7.org/linux/man-pages/man7/cgroups.7.htmlThe obvious security concern lies in the isolation. What happens if a container has access to another containers resources? Given that containers for rival companies may be running next to each other on the same machine in the cloud, what are the risks of having a malicious container access or disrupt another?
Subsection 10.1.3 Container Orchestration Systems
Containers also make it easier to restart or scale applications. Container orchestration systems leverage this by monitoring containers and bringing them up or down as needed. The most popular container orchestration system is Kubernetes, developed by Google to manage web applications.
3
kubernetes.io/Given the orchestration systems create containers from images as needed, one of the obvious areas of concern is the integrity of those images. If an image registry is compromised the orchestration system will still deploy the images stored there typically making the issue far worse. Containers can also be hard to manage from a logging standpoint, which may cause compliance issues. Whereas a company may have monitored the logs of a single server in the past, they now have to monitor the logs of hundreds of containers running on a server.
Subsection 10.1.4 IaaS
IaaS stands for infrastructure as a service and it refers to purchasing VMs or container resources from a provider. Some popular IaaS companies are Amazon Web Systems, Microsoft Azure, and Linode. Each has some basic security tools and default policies in place to help keep the purchased resources secure, but ultimately most of the security responsibility for making sure the resources are secure lies with the group purchasing the resource.
Subsection 10.1.5 PaaS
PaaS stands for platform as a service and refers to a higher-level service that deploys an application in an already established environment running on an IaaS service. Heroku is a great example of this type of service.
Heroku supports many different applications, but they all work in relatively the same manner: Imagine there is a git repository of a Django web application that needs to be deployed. Heroku will take an Amazon EC2 instance running on AWS, clone the repo, install a Python virtual environment with the needed dependencies, and install a production Django web server on the system.
While the user could take these steps themselves, PaaS makes it easier to deploy an application.
Subsection 10.1.6 SaaS
Software as a service (SaaS) is a methodology that we are quite used to. SaaS takes a web application and makes it available for a subscription. Some examples would be Webex, Dropbox, Google Workspace, etc. SaaS is a popular way to monitize software.
One of the security concerns with SaaS is that it consolidates information with a single provider. If the server running the software is compromised, the PII of millions of people may be leaked.
You have attempted 1 of 1 activities on this page.
