The security of our cloud-based systems is paramount. In this video, you’ll learn about the importance of VM sprawl avoidance and VM escape protection.
One of the huge advantages that cloud computing brings is the ability to deploy a new set of application instances with the click of a button. This process can be automated so that multiple servers, databases, and security devices can all be deployed in an instant. We need to make sure that the process we have for deploying these application instances also covers recovering those deployed instances and returning all of those resources to the pool. This is the problem we have with virtual machine sprawl: virtual machines keep being built on our network, and we don’t deprovision them when they’re no longer needed. At some point, we aren’t sure exactly which virtual machines are related to which application instances, and now it becomes much more difficult to remove these resources from the network.
This is why it’s important to have a formal process for provisioning an application instance, and then the deprovisioning of that application instance. It’s also a good idea to make sure that every virtual object is identified and that you have a way to track it from the moment it’s created until the moment that it’s deprovisioned. One of the useful characteristics of a virtual machine is that it is self-contained. Everything happening within that virtual machine only happens as part of that VM and has no effect on any other VMs that might be running on that network.
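The tracking described above, from creation to deprovisioning, is easiest to enforce when every VM carries a tag linking it to its application instance, so that an inventory sweep can flag anything that has lost that link. The following is an added example, not code from the original video or from any particular cloud provider; the `app_instance` tag, the idle threshold, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

@dataclass
class VirtualMachine:
    vm_id: str
    app_instance: Optional[str]   # assumed tag naming the application instance that owns this VM
    created: datetime
    last_activity: datetime       # last time the VM did any work (CPU, network, logins)

# Constructed sample data: the application instances the provisioning process still considers live.
ACTIVE_APP_INSTANCES: Set[str] = {"web-2024-03-a", "batch-nightly"}

NOW = datetime(2024, 4, 1)

# Constructed sample inventory, the kind a cloud API or hypervisor listing would return.
SAMPLE_VMS: List[VirtualMachine] = [
    VirtualMachine("vm-001", "web-2024-03-a", datetime(2024, 3, 1), NOW - timedelta(days=1)),
    VirtualMachine("vm-002", None, datetime(2024, 1, 15), NOW - timedelta(days=2)),
    VirtualMachine("vm-003", "web-2023-11-b", datetime(2023, 11, 5), NOW - timedelta(days=40)),
    VirtualMachine("vm-004", "batch-nightly", datetime(2024, 1, 2), NOW - timedelta(days=45)),
]

def find_sprawl(vms: List[VirtualMachine],
                active_instances: Set[str],
                now: datetime,
                idle_after: timedelta = timedelta(days=30)) -> Dict[str, List[str]]:
    """Return {vm_id: [reasons]} for every VM that the deprovisioning process should review.

    Three signals, each tied to the tracking problem in the text:
      untagged  - no link to any application instance, so nobody owns it
      orphaned  - linked to an application instance that was already deprovisioned
      idle      - no activity for longer than idle_after, so it is probably forgotten
    """
    findings: Dict[str, List[str]] = {}
    for vm in vms:
        reasons: List[str] = []
        if vm.app_instance is None:
            reasons.append("untagged")
        elif vm.app_instance not in active_instances:
            reasons.append("orphaned")
        if now - vm.last_activity > idle_after:
            reasons.append("idle")
        if reasons:
            findings[vm.vm_id] = sorted(reasons)
    return findings

def summarize(findings: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many VMs carry each reason, for a quick sprawl dashboard."""
    counts: Dict[str, int] = {}
    for reasons in findings.values():
        for reason in reasons:
            counts[reason] = counts.get(reason, 0) + 1
    return counts

if __name__ == "__main__":
    report = find_sprawl(SAMPLE_VMS, ACTIVE_APP_INSTANCES, NOW)
    for vm_id, reasons in report.items():
        print(f"{vm_id}: {', '.join(reasons)}")
    print("summary:", summarize(report))
```

In a real environment the inventory would come from the provider's API rather than a constructed list, and the set of active application instances from the same system that runs the provisioning pipeline; the point is that the deprovisioning step becomes mechanical once every VM can be reconciled against an owner.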
Unfortunately, there is an attack type called a virtual machine escape that would allow someone on one virtual machine to gain access to resources on a completely separate virtual machine. This is obviously a significant exploit, because these virtual machines should never be able to share resources with each other, and finding an exploit that would allow someone to hop from virtual machine to virtual machine would be a significant security concern. Someone who had access to this kind of exploit would effectively have full control of your virtual environment, your applications, and all of your data.