Securing the Virtual Environment: How to defend the enterprise against attack
by Davi Ottenheimer and Matthew Wallace

Wiley 2012.
ISBN 978-1-118-15548-6, USD 31.49, Table of Contents

Reviewed by  Richard Austin   September 13, 2012 

Virtualization and its latest offshoot, cloud computing, occupy important places on most IT technology roadmaps these days, either as something that is being looked at, has an implementation in progress, or is planned for future implementation. Ottenheimer and Wallace have written a practical guide to what "securing" virtualization and the cloud actually means. By viewing the cloud as heavily based on virtualization, they tie its implementation to already established principles and map out the new areas where challenges still exist.

Like many of the recent books reviewed in this column, this one includes a lengthy appendix on setting up a test environment to follow along with "hands-on" exercises in the text. The created environment makes use of the Xen, ESXi and KVM hypervisors which are either Open Source or available as trials from the vendor. The DVD that accompanies the book includes many of the tools used in the book as well as a pre-configured virtual "attack machine" with the tools already installed. The reader is strongly encouraged to work though this appendix first so as to be ready to explore the "hands on" exercises.

While the book's organization offers a logical progression, I really recommend that you read Chapter 10, "Building Compliance into Virtual and Cloud Environments", first. This chapter opens with an eye-opening discussion of the difference between "compliance" and "security" that may surprise those of us who are wont to opine that "compliance is not security". The authors make the sound point that compliance carries the idea of authority - someone with the power to enforce their statement says "you must do x, y, and z". While meeting compliance requirements does not assure that the resulting security posture is appropriate to an organization's risk profile and appetite, compliance does leverage the knowledge of many organizations performing similar sorts of business and can provide a sound starting point. In the authors' view, compliance should not be described "by terms such as follow, accept, bend and agree" bur rather "achieving, meeting, exceeding, delivering or performing" (p. 320). The remainder of the chapter focuses on applying compliance guidance in an environment that is virtualized/cloud-based. The advantage of reading this chapter first is that it rubs most of the "chrome off the dashboard" of the new technology and shows how familiar security requirements are translated into the world of virtualized/cloud-based services.

The book's presentation is generally attack-vector based with the chapters describing (and often illustrating in "hands-on" exercises") how the virtual/cloud environment is attacked in particular ways. This is especially helpful because some of these vectors are peculiar to the virtual environment. For example, installing a "rooted" binary or malware is a well-known attack pattern in the physical world but acquires some unique nuances in the virtual environment (e.g., modifying a virtual server's virtual disk or perhaps the "gold" image to provision a class of virtual servers). While the attacks themselves are not particularly new, the ways they can be applied in the virtual/cloud environment were, I found, eye-opening. After presenting the vectors and ensuing attacks, appropriate defensive measures are described. Commendably, the applicable technical defenses are supplemented by appropriate policy and process controls so the defensive recommendations are well rounded.

As an aside, the book emphasizes Open Source and VMware products - Microsoft's Hyper-V is occasionally mentioned but the examples, etc., are based on the other hypervisors. This is should not discourage a Microsoft-focused reader as much of the valuable guidance is independent of the specific hypervisor used.

The authors are experienced and thoughtful securers of the virtualized/cloud environment. Though there are a few quirks in places, they do an excellent job of clearly and cogently presenting a complex topic. Footnoted references are scattered throughout the chapters and provide a rich field for further exploration. Definitely a recommended read for security professionals needing a substantial and solid introduction to what "security" actually involves in the cloud and other virtualized environments.

It has been said that "of making many books there is no end; and much study is a weariness of the flesh" so Richard Austin ( fearlessly samples the wares of the many publishing houses and shares his opinion as to which books might merit your attention. He welcomes your thoughts and comments via raustin at ieee dot org