Who Watches the Watchmen

In the physical world, administrators naturally have full access to the systems, data and services they manage. That is, domain administrators either have full control over all of the domain’s data, including business-critical information, or can escalate their own privileges to obtain it at any time.
In the virtual world this risk compounds. Going virtual means consolidating workloads: a single host typically runs dozens of virtual machines. Administrators who control the virtualization management tools frequently also hold administrative privileges on the hypervisor host itself, and with them the ability to open a guest’s console, read its disks or export its snapshots. As a result, these administrators can gain access to restricted data, even inadvertently, while performing their regular authorized duties.

“When multiple physical servers are collapsed into one, there are several areas that risk loss of SOD. Because of the critical support the hypervisor/VMM layer provides, administrative access to this layer must be tightly controlled… Virtualization management tools including those that provide live migration capabilities should also be considered extremely sensitive and access-restricted.”

Gartner, January 2010

As a solution, an appropriate security model should be in place that leaves IT administrators with just enough privileges to perform their duties while isolating them from the confidential data processed on the virtual machines. Conversely, the personnel in charge of privilege management and security auditing must themselves be barred from administering or accessing the virtual environment, so that no single role can both grant privileges and use them.
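The separation of duties described above, as an added example written for this page rather than code from the page or from any product it refers to. It models a small role-based policy in which host administration, guest data access, privilege management and auditing are distinct duties, refuses any role assignment that would merge conflicting duties, and fails closed on an account that somehow already holds them. All role and permission names (for example `virt-admin`, `vm.console`, `role.assign`) are assumptions chosen for illustration, not identifiers from any real platform.

```python
"""Least-privilege and separation-of-duties (SoD) model for a virtualized
environment. Added illustration; not code from the page or any product.
All role and permission names are assumptions chosen for this example."""
from __future__ import annotations
from dataclasses import dataclass, field

# Permission groups a virtualization platform typically exposes (hypothetical names).
HOST_ADMIN = {"host.configure", "vm.create", "vm.power", "vm.migrate"}  # run the infrastructure
GUEST_DATA = {"vm.console", "vm.disk.read", "vm.snapshot.export"}      # see what the VMs process
PRIV_MGMT = {"role.edit", "role.assign"}                                # hand out privileges
AUDIT = {"audit.read"}                                                  # review who did what

ROLES: dict[str, set[str]] = {
    "virt-admin": HOST_ADMIN,
    "data-owner": GUEST_DATA,
    "security-officer": PRIV_MGMT,
    "auditor": AUDIT,
}

# Duties that must never meet in one principal: whoever runs the hosts must not see
# guest data, and whoever grants privileges or audits must not touch the environment.
SOD_CONFLICTS: list[tuple[set[str], set[str]]] = [
    (HOST_ADMIN, GUEST_DATA),
    (PRIV_MGMT, HOST_ADMIN),
    (PRIV_MGMT, GUEST_DATA),
    (AUDIT, HOST_ADMIN),
    (AUDIT, GUEST_DATA),
    (AUDIT, PRIV_MGMT),
]


@dataclass
class Principal:
    name: str
    roles: set[str] = field(default_factory=set)

    def permissions(self) -> set[str]:
        perms: set[str] = set()
        for r in self.roles:
            perms |= ROLES[r]
        return perms


def sod_violations(perms: set[str]) -> list[tuple[str, str]]:
    """Return one (permission, permission) pair per SoD rule the set violates."""
    found = []
    for a, b in SOD_CONFLICTS:
        held_a, held_b = sorted(perms & a), sorted(perms & b)
        if held_a and held_b:
            found.append((held_a[0], held_b[0]))
    return found


def assign_role(p: Principal, role: str) -> None:
    """Grant a role only if the resulting permission set stays SoD-clean."""
    if role not in ROLES:
        raise KeyError(role)
    bad = sod_violations(p.permissions() | ROLES[role])
    if bad:
        raise PermissionError(f"{p.name}: {role} would combine {bad[0][0]} with {bad[0][1]}")
    p.roles.add(role)


def is_allowed(p: Principal, action: str) -> bool:
    """Least privilege, and fail closed: an account whose roles conflict gets
    nothing until it is cleaned up, so a stale or mistaken grant cannot be used."""
    perms = p.permissions()
    if sod_violations(perms):
        return False
    return action in perms


def demo() -> dict[str, bool]:
    """Exercise the policy with constructed principals; returns each decision."""
    admin, auditor, officer = Principal("alice"), Principal("bob"), Principal("carol")
    assign_role(admin, "virt-admin")
    assign_role(auditor, "auditor")
    assign_role(officer, "security-officer")
    results = {
        "admin migrates": is_allowed(admin, "vm.migrate"),
        "admin opens console": is_allowed(admin, "vm.console"),
        "auditor powers vm": is_allowed(auditor, "vm.power"),
        "officer assigns role": is_allowed(officer, "role.assign"),
        "officer configures host": is_allowed(officer, "host.configure"),
    }
    try:
        assign_role(admin, "data-owner")
        results["admin got data-owner"] = True
    except PermissionError:
        results["admin got data-owner"] = False
    # An account granted both duties outside this check is locked out, not trusted.
    rogue = Principal("dave", {"virt-admin", "data-owner"})
    results["rogue migrates"] = is_allowed(rogue, "vm.migrate")
    return results


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {allowed}")
```

The point of the fail-closed check in `is_allowed` is that the conflict matrix is enforced at use time as well as at grant time: a role combination that slipped past `assign_role` (a direct edit of the role store, an import from another system) does not silently yield a super-user.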