back to article Rogue sysadmins the target of Microsoft's new 'Shielded VM' security

Virtual machine security is suddenly a hot spot: VMware's building a new product for it and has added new bits to vSphere 6.5 to enhance it. And Microsoft thinks it has found a new way to secure VMs. Let's do Redmond first because its new “Shielded VMs” are one of the headline items in Windows Server and Hyper-V 2016. As …

  1. Bronek Kozicki

    Protect your VM against rogue host administrators

    What a curious concept. Well I guess it actually makes sense in a large organization, but the traditional way to handle that was separation of concerns and good architecture. Come to think of it, "good" can be tricky.

    There is one thing this is going to be useful though, it's a hybrid (on premises & hosted) cloud, where user can be assured that some services won't ever move to the hosted cloud (but are otherwise free to move between on premises, selected "trusted" hosts). Interesting that apparently Microsoft is not trying to sell it this way (with Azure, of course).

    1. Anonymous Coward
      Anonymous Coward

      Re: Protect your VM against rogue host administrators

      "For what it's worth, it looks like Xen has had virtual TPM since version 4.3"

      Virtual TPM is only a small and optional part of shielded VMs though...

  2. david 12 Silver badge

    If there is one thing this is going to be good at, it's tying licensed VM OS's to licensed VM hosts.

  3. Anonymous Coward
    Anonymous Coward

    But of course this also means assuming your using a cloud provider your now screwed and locked into where the vm was created, instead of being able to sneek out a disk image and host it else where...

    1. Bronek Kozicki

      Yes, but as I pointed out above, your first mistake was allowing the sensitive VM to be hosted in the first place. This technology makes better sense when used to tie sensitive VMs to on premises hosts, while allowing non-sensitive ones to migrate to cloud. The way Microsoft could play it (and it is curious they apparently chose not to) is that you can migrate VMs more liberally into the cloud if you have strong guarantee that some things will always remain on premises.

    2. TheVogon

      "But of course this also means assuming your using a cloud provider your now screwed and locked into where the vm was created"

      Nope. You can move between providers. See for instance: https://technet.microsoft.com/en-us/windows-server-docs/security/guarded-fabric-shielded-vm/guarded-fabric-create-vm-move-to-guarded-fabric

  4. Anonymous Coward
    Anonymous Coward

    This concept is nonsense. It's not logically possible. If hardware fails you need to be able to move software to replacement hardware, if you can move to replacement hardware then you can copy it.

    1. TheVogon

      "if you can move to replacement hardware then you can copy it."

      You can copy the encrypted VM container, yes. That doesn't give you any access to the data...

      "If you have access to take the VM, you also have access to take any needed keys."

      No, you don't. Even the rights of admins can be limited to just the access required via JEA or the existing granular ACLs - see: https://msdn.microsoft.com/en-us/library/dn896648.aspx

  5. Anonymous South African Coward Bronze badge

    Only one problem with this - it means that in the case of hardware failure (total or partial) on the host system, neccessitating a host OS reinstall, you'll be hard pressed to restore the host OS to just the right state to allow this shielded VM to run without borking itself at boot.

    Nah, far too easier installing it as a vanilla VM and restoring it from a backup should the host bork totally....

    Expect a bank to switch over to shielded VM's gleefully, only to sit with a big fat one after their host OS crashed and they cannot get any of their shielded VM's to run on the new, rebuilt host OS....

    1. RichesonESON

      Yep, true it is. Each computer with its system is unique just like a person with DNA, but once you use a hard drive clone software to clone computer, then it's almost like replace all organs of a person, then you can't say it they are not alike.

      E.G. hard drive clone software:

      http://www.backup-utility.com/disk-clone-software.html

  6. oldcoder

    Sounds rather stupid to me.

    If you have access to take the VM, you also have access to take any needed keys.

    1. Anonymous Coward
      Anonymous Coward

      Smart card required

      Usually you need to plug a smart card in to boot the things. Then you lock the smart card in a safe (until you next need to do some serious maintenance)

  7. Pirate Dave Silver badge
    Pirate

    Errr, no

    "The main thing VMs are missing is something like Intel's trusted platform module (TPM)"

    On the list of things VMs are missing, I don't see TPM anywhere on said list. Smaller hypervisor memory footprint - check. More efficient I/O - check. Lower licensing fees - check. TPM - nope.

    1. nijam Silver badge

      Re: Errr, no

      The main thing VMs are missing is something like the false sense of security provided by Intel's trusted platform module.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like