NIST explained that full virtualization provides a complete simulation of underlying computer hardware, enabling software to run without any modification.
For cloud computing systems, full virtualization can increase operational efficiency because it optimizes computer workloads and adjusts the number of servers in use to match demand, thereby conserving energy and information technology resources.
However, “full virtualization has some negative security implications. Virtualization adds layers of technology, which can increase the security management burden by necessitating additional security controls. Also, combining many systems onto a single physical computer can cause a larger impact if a security compromise occurs”, NIST warned.
In addition, “some virtualization systems make it easy to share information between the systems; this convenience can turn out to be an attack vector if it is not carefully controlled. In some cases, virtualized environments are quite dynamic, which makes creating and maintaining the necessary security boundaries more complex”, the agency added.
The NIST Guide to Security for Full Virtualization Technologies is intended for system administrators, security program managers, security engineers, and anyone else involved in designing, deploying or maintaining full virtualization technologies.
The agency recommends that organizations: secure all elements of a full virtualization solution and maintain their security; restrict and protect administrator access to the virtualization solution; ensure that the hypervisor, the central program that runs the virtual environment, is properly secured; and carefully plan the security for a full virtualization solution before installing, configuring and deploying it.