M_About virtualisation
The below will appear on the Refined page at About virtualisation
What is virtualisation?
Many organisations today use virtual servers (VS) and virtual machines (VM). Many employees log onto virtual desktops which allows them to use any device from any location to access the desk top they use for work. To the user, these may look and seem exactly the same as a regular server, computer and desktop, so what are they?
Virtualisation is the technology that allows us to create a software-based or a ‘virtual’ version of a computer. It involves using the hardware of a computer or server, overlaying it with some specialist software and creating multiple ‘virtual’ machines within it. The virtual machines use the hardware of the single actual machine. For each virtual machine, an amount of CPU (processer), RAM ( memory) and storage space is allocated from the machine’s hardware. The total amount of CPU, RAM and storage on the virtual machines cannot exceed what is available on the hardware.
Virtualisation was initially invented to allow better use of hardware resources. Organisations often used to run physical servers on site, these took up a lot of space, produced a great deal of noise and heat and had to be kept in special conditions. Frequently, the servers were devoted to a single function such as hosting a website, sorting emails or running part of a network and they often only used about 30% of their hard drive capability (CPU, RAM and storage).
The solution to this problem is virtualisation. The power from one server can be divided up, and used in different functions. Each divided part of the server can be given its own operating system and applications. This turns the divided sections of the server into virtual machines (VM) and the server as a whole into a virtual server (VS). This uses about 80% of the capacity of the server and so is much more efficient.
Virtualisation is made possible with a type of software called a hypervisor.
A piece of software called a hypervisor is installed over the hardware of a server to run and manage the virtual machines on that server. Hypervisors are often referred to as “the virtualisation layer”. VMs only work if there is a hypervisor to virtualise and distribute hardware resources.
Virtualisation allows organisations to outsource their technology requirements in a way that gives them flexibility and scalability. It also gives them the option to pay by subscription for only what they need, rather than having to make a big outlay for physical servers. Virtualisation saves power and helps reduce the carbon foot print by ensuring the power hungry physical servers are used to maximum capacity.
Another benefit of virtualisation is that the data which makes up a virtual machine can be saved as a file and backed up in multiple locations for recovery purposes. This makes it easy to move virtual machine files between different data centres. Virtual machines can be used to research and test things because they act like a sand box ( a self contained sealed unit) from other applications and systems.
There are two main types of hypervisor
Type one hypervisor
Most hypervisors install directly onto a server with no other software. Examples of this type of hypervisor are: VMWare vSphere/ESXi (Microsoft Hyper-V, Citrix XenServer).
Once the hypervisor has been installed onto the server, the person in charge of configuring the virtual machines uses a management tool to allocate the CPU, Ram and storage for the different virtual machines (VM) and download an operating system or virtual desktop and apps for each VM. They will also manage the user access controls and administrative permissions to these machines. The users will then connect to the virtual machines via an application programme or web browser from a remote desktop.
Type two hypervisor
Another type of hypervisor is more often used on a primary computer rather than a server. It can be installed onto the computer over the top of the operating system which is already on that computer. The operating system of the virtual machines can be different from the host server and is called the “guest operating system”. This means that virtual machines can be set up and run on the primary computer using different operating systems and this allows research and testing of different operating systems and apps in a safe, virtual environment (often called a sandboxed environment).
Examples of these type of hypervisor are: VMWare Workstation/Fusion, Oracle VirtualBox Parallels (Mac).
Any regular desk top computer can connect via the internet to a virtual environment.
Thin clients
are a type of very simple computer holding only a base operating system. They are often used to connect to virtual machines because they are cheaper, smaller and easier to maintain than regular laptops or computers.
Virtual machines and virtual desktop infrastructure
Virtual machines can be used for a number of applications, one of which is running a virtual desktop in a Virtual Desktop Infrastructure (VDI) environment.
When someone is connected to a virtual desktop, all the computing resources that they would usually have on their regular PC, such as operating system, applications and files would appear on the screen as a virtual desktop. In reality, the operating system, apps and files exist on servers in other locations. The virtual desktop is just an image of the operating systems and applications available on the virtual machines.
Users can access their virtual desktops remotely over the internet from any location and from any endpoint device (laptop, smartphone or tablet). A virtual desktop looks and feels like a physical workstation. The user experience is often even better than a physical workstation because powerful resources, such as storage and back-end databases, are readily available. Users may or may not be able to personalize or save data locally on a virtual desktop, depending on which desktop virtualization technology they are using.
Users can access all their files and apps and experience their desktop exactly the same way every time they log in, no matter which device they are logging into it from.
In a VDI environment, data lives on the server rather than the endpoint device. This protects data if an endpoint device is ever stolen or compromised. VDI’s centralised format makes it easy to centrally manage, patch, update or configure all the virtual desktops in a system.
Virtualisation can be used by organisations to improve cyber security and provide a standard work environment while allowing employees to use their personal devices and work outside the company network. The apps and files on a virtual machine are accessed from, but are never actually located on the endpoint device. This means that virtual machine environments remain isolated from the host operating system and any personal apps and files that the employee uses. Any malware entering that endpoint device will not impact the hardware powering the virtual machine and holding the company data.
A compromised VM can be easily reverted to older versions by reinstalling from back-up, the data and settings from before it was compromised. It can also be deleted and recreated quickly to speed up disaster recovery.
Virtualisation – what can go wrong?
Virtual machines and their networks can be compromised in exactly the same way as any physical IT infrastructure. It should not be assumed that they are secure by default. Security breaches are usually a result of poorly configured servers, weak user access control or badly set up virtual desktop accounts. Virtual machines need careful configuration and constant monitoring and maintenance in order to be secure. A virtual machine is only as secure as its configuration.
Security – what are are you responsible for?
If your organisation accesses cloud services which are based on the technology of virtualisation, you do not need to apply the Cyber Essentials controls to the hardware of the servers, and hypervisors in the cloud data centre. You do, however, need evidence that the cloud service provider is keeping their infrastructure secure and updated. (See guidance about applying the five controls to cloud services.)
If you are subscribing to Infrastructure as a Service from a cloud service provider, eg Microsoft’s Azure Virtual Desktop or Citrix managed desktops, you will be responsible for applying the Cyber Essentials controls to the virtual environment that you configure and use. That will include virtual desktops, virtual local area network (VLANS) including virtual firewalls, virtual switches etc.
If you own or rent the servers which are housed on site or within a data centre, and you configure the hypervisor software to create virtual machines, you will need to apply the Cyber Essentials controls to the servers and hypervisors. This means you need to keep the hardware and software licensed, updated and patched.
It is widely assumed that cloud services and remote virtual environments are secure ‘out of the box’. This is simply not true.
It is important that you fully understand the technology that you are using and consider training and upskilling yourself or your IT team to be fully competent at correctly configuring these tools.
In summary, virtualisation enables organisations to add layers of security and keep separate their organisational data that is increasingly accessed from a variety of devices and locations. They are able to provide multiple employees with a flexible, affordable and secure resource to meet their computing needs without having to purchase the hardware resources. Understanding and configuring the security settings on the virtual technology that your organisation uses is essential.