S 4.347 Disabling of snapshots of virtual IT systems
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
The option of freezing the condition of virtual IT systems at a certain point in time during live operations and preserving this condition for any time required, for example by storing it to a hard disk, is a technical particularity of virtual IT systems. If such a condition can be stored and the system can be continued subsequently, it is also possible to reset the system to the stored condition. Such a condition is referred to as a "snapshot" in the majority of the virtualisation products. This procedure can be used for many different administrative tasks. After a failed update, it is easily possible to downgrade to the previous version, for example. Essential functions of a virtual infrastructure such as the migration of guest systems between virtualisation servers using LiveMigration, vMotion, or XenMotion, are also based on the capability of creating snapshots. As a consequence, this also refers to the connected high-availability mechanism.
Therefore, the following aspects must be taken into consideration when using such snapshots.
Protection of the confidentiality and integrity for endangered guests
In a virtual infrastructure, certain IT systems may be subject to high or very high protection requirements regarding confidentiality and data integrity. Data of a process are often processed in isolated main memory areas so that other processes on an IT system may not access the process and may not read or modify the data. This guarantees the confidentiality and integrity of these data while the data are processed in the main memory of a (virtual) IT system. If any condition of the virtual IT system is frozen in order to reset the system to this condition at a later point in time, the internal memory data are written to a bulk memory of the virtualisation server. Now, an attacker is enabled to bypass the access control granted by the operating system of the virtual IT system for the data of the individual processes by analysing the file containing the internal memory data.
The following example is intended to illustrate this: A virtual IT system is equipped with hard disk encryption in order to guarantee the confidentiality and integrity of the stored data. Since the main memory content of the virtual machine is read and stored to a hard disk of the virtualisation server while the snapshot is created, the cryptographic keys of the hard disk encryption software may be written to the hard disk in an encrypted form. In any case, the same happens if the system is only stopped with the help of the virtualisation software and the condition is written to the hard disk in order to continue operations at a later point in time. The file containing the stored main memory content may then be used in order to read the key for decrypting the hard disk content.
This shows that safeguards for protecting the confidentiality and integrity of physical IT systems in virtual IT systems are frequently only effective to a limited extent. It may be possible to bypass these with means of the virtualisation servers. In order to make the offline analysis of a snapshot of a virtual IT system with high protection requirements more difficult, disabling the function of creating snapshots or freezing the system should therefore be considered. In this case, it must be checked whether any used snapshot-based data backup procedures are still operational.
Stability of data modifications
Snapshots of a virtual IT system contain the entire condition of the IT system, including all stored data at the time the snapshot was created. If a virtual IT system is reset to a previous state with the help of a snapshot, changes performed to the data may be undone this way. Examples include the database of a file server or structure and content of a directory service such as Active Directory.
For a virtual IT system that absolutely must not be reset to a previous state, the option of creating snapshots must also be disabled.
If the snapshot function is absolutely necessary, the scope of the snapshot should be limited by only capturing certain drives in the snapshot or by specifying the steps before and after a snapshot was created or installed. For example, if an Active Directory domain controller is reset to a snapshot, measures for restoring the Active Directory database must be taken, since this database will otherwise contain inconsistent data.
The scope of the limited snapshots and the required steps must be documented.
Review questions:
- Has it been guaranteed that the scopes of the snapshots, as well as the further steps required for handling snapshots have been evaluated and documented for all virtual IT systems with enabled snapshot function?
- Has the option of creating snapshots or freezing the system been disabled for virtual IT systems where threats regarding the integrity or confidentiality have particularly severe consequences?