JOnline: Virtualization Usage, Risks and Audit Tools 

Download Article

Larger targets usually attract the attention of hunters. Likewise, in the drive to lower technology costs, the items with the most volume usually find themselves as a target. In most data centers, servers have been one of the more prolific pieces of equipment, consuming a large footprint. To reduce this footprint and the resultant costs, many chief information officers (CIOs) have turned to virtualization or paravirtualization.

Virtualization, long a part of the mainframe landscape, has more recently been brought to the Intel architecture with dependable results. For example, Intel is building processors to capitalize on virtualization.1 Virtualization maximizes the utilization of Intel-based hosts by providing an abstraction layer to enable the sharing of processing power and memory. Virtualization achieves this by placing a software layer between the hardware and the guest operating systems (OSs) to act as a resource manager. Multiple virtual OSs can be placed on one machine in segregated files or drive partitions. Paravirtualization achieves similar results by creating modified OS kernels that share resources.

Various solutions are available to implement virtualization depending on the desired OS (Windows or Linux) and methodology (virtualization or paravirtualization), including options from VMWare, Microsoft and the open source entrant Xen. Per the provider’s documentation, Windows Virtual Server2 hosts support Windows servers as guests, and Xen3 supports Linux guests (unprivileged domain) running on a Linux host (privileged domain). The VMWare4 solution provides support for Windows and Linux guests.

Virtualization host (or dom0 under paravirtualization) features can include a management console, hot move capabilities and conversions from stand-alone servers. Feature availability varies with software provider and price. The methodology, virtualization vs. paravirtualization, should be assessed for processing speed and network performance in the particular environment before production deployment.


Since most stand-alone servers underutilize hardware resources, virtualization can result in cost savings by sharing CPU processing capacity and storage space. When coupled with blade technology and storage solutions, such as SANs, locating eight guest server OSs on one blade is not uncommon. With a cabinet holding 14 blades, 104 servers can be logically placed in a fraction of the previous floor space, reducing data center build-out costs and operating costs such as utilities.

Further benefits of virtualization, beyond the basic cost reduction driver, include:

  • Expansion of the test environment—Multiple configurations of different versions of an OS, or even different OSs, can be installed on one machine and used to test the same application for performance differences across OSs.
  • More continuity options—Since the guest servers can be configured as a file, duplicate copies of the file can be stored at alternate locations and accessed by another host running the same virtualization tool in less time than it takes to restore or rebuild a damaged guest.
  • Support simulation—Multiple versions of OSs or different OS configurations can be installed and running on one machine so the technical support staff can take random calls from clients seeking answers to application questions.
  • Education—Tiered networks with firewalls, web servers and other servers can be simulated on one machine per student where they can perform their work without interrupting the configuration of shared lab equipment.
  • Segregation—In smaller environments, the budget constraints sometimes result in changing code in production. With the affordability of virtualization, guests can be built, providing separate development and test environments.

Associated Changes in Risks

Since the virtualization host is an OS in itself, the performance risks associated with any OS apply to virtualized hosts servicing other guest servers. Patching, antivirus, limited services, logging, appropriate permissions and other configuration settings that represent a secure configuration for any server gain importance on a host carrying multiple guest servers.

The host providing a receptacle for multiple guest servers represents a single point of failure for the guest OSs residing on that host. Should the host become compromised, the resources needed by the guests can become unavailable. Physical and logical access controls over hosts, including local and remote, are paramount.

Finally, hosts usually have the capability to reallocate memory among guests. Assurance is needed that the memory released by the first guest using that storage is not disclosing content to the receiving guest servers using those addresses.

Responding to Risk Changes

The auditor should have a role assessing the virtualized environment to help ensure that the new risks associated with this technology are adequately mitigated.

The organization should have established virtualized host configuration standards approved by the infrastructure and information security teams.

Assuming possession of a valid evaluation license, auditors should build a copy of the virtualization host software in use at their organizations, noting the default configuration. This default configuration, as modified by the organization build script, can be compared to the organization standard. For instance, VMWare ESX 2.5.1 builds a modified 2.4 kernel with the LILO boot loader for the host. If LILO is not the organization standard, the auditor should assess deployed hosts for the boot loader used in production and compare to the organization standard. Other configuration settings can be similarly tested against organization standards.5

Virtualization tools usually include a management console used to start and stop guests and to provision resources (memory, storage) used by those guests. Access to the host OS and the management tool should be strictly limited to technical staff with a role-based need. Some virtualization tools allow definition of users and groups.

Remote access methods, such as protocols in use to reach the management console or guests, should be reviewed. For example, the default configuration of VMWare ESX 2.5.1 requires Secure Shell (SSH) to access the management console in the high setting. If a setting other than high is in use, lessstringent methods of accessing the console may be used, possibly exposing the administration ID and password or administration traffic.

Access to configuration files used for host and guest OSs should be limited to system administrators. Strong root passwords should be verified as well as allowed routes to and from hosts.

For around US $200, with the many free distributions of Linux that are available,6 an auditor can turn a Windows laptop in to a dual OS machine and run assessment tools from either environment. An audit lab containing the organization’s OS configurations can be simulated using virtualization even with a tight audit department budget. A lab environment can be built for auditors where tools can be tested against images of production OSs, and audit procedures can be validated against those images identifying adverse effects (if any) before those procedures are used in the live environment .


Virtualization of Intel-based hosts is expanding with cost reduction goals, driving its increased use. With such technology come new risks—heightened dependence on the reliability of single servers and changes to security risks. The auditor needs to be aware of these risks and involved in the corporate mitigation strategy of new risks, should an implementation of this technology be planned.






5 Hoesing, Michael T.; Vasant Raval; “Auditing Linux,” Information Systems Control Journal, vol. 4, 2005, p. 41-43


Michael Hoesing, CISA, CISSP, CCP, CIA, CPA, CMA
has more than 30 years of experience in information systems audit, information systems implementation and financial audit. During the last 15 years, he has focused on information systems controls in the financial services industry while working at First National Nebraska Inc., Pricewaterhouse Coopers, First Data Corp. and America Express.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.