VMs per host: What are the risks of multiple connections?

Are there security risks for having a large number of virtual machines or appliances on one host? From a security perspective, how many VMs per host is suitable?

From a security perspective, determining how many guest instances to run on a single host is a loaded topic. There are a few things to consider before running all your virtual machines (VMs) from one host.

Even though there really isn't a hard and fast rule when it comes to this topic, and each organization is going to be different when it comes to their architecture, we can discuss a few points to guide you in deciding how many VMs per host is appropriate.

When designing any system, you want to build it to scale and allow for resiliency; this will include the disaster recovery of the system. Having all of your instances on one host reduces your ability to recover from a disaster or an attack.

There will always be cost involved with multiple hosts, but it gives you the flexibility to perform incident response and recovery during events that might make it more difficult if there's a single host.

When speaking about compliance, there's always the concern that if you have instances that fall within the compliant host, they also have to fall within scope. Often times, this is up to the guidance of the assessor, but I have personally seen auditors bring instances that were outside the scope of an assessment into scope by being on a compliant host. For example, vulnerabilities are one concern that put regulated systems under risk of being out of scope, such as with VM escape concerns. This is something to think about if you have to adhere to a regulation and have systems that are mixed together on a single host.

When speaking about compliance, there's always the concern that if you have instances that fall within the compliant host, they also have to fall within scope.

Virtual hosts are designed to be multi-tenant, and that's a great thing. When it comes to incident response, if you don't own these hosts, it might become difficult to gain access to the logs because they're all on the same host. It's possible that other businesses are also running on the host, and that you won't have access to the logs due to privacy concerns.

Recently, there have been vulnerabilities that make having all your systems running on a single host somewhat concerning. Think about the Spectre and Meltdown vulnerabilities and how they were looking at the hardware layer of the system. In theory, this vulnerability could have an exploit that can access protected memory on a system and potentially allow a VM escape to attack other systems on the physical host, which is the biggest concern when putting all your eggs in one basket. It's not extremely common, but it's something to consider when deciding how many VMs per host you want.

As was previously stated, it's really up to the risk appetite that an organization has with the data and systems running on the host. Despite not having a set number of VMs per host, it's always best to have multiple hosts so that you can use segmentation and VM tagging to enable granular security rules.

However, having all the systems on one host is still a concern. I've seen organizations run all their servers off one host and, when that host crashed, the workstations on the network weren't able to access other resources because all the Active Directory servers were running off one host.

It further comes down to proper architecture and understanding the risks that you introduce when keeping all the instances on one host, including data loss, incident response concerns and possible vulnerabilities that can enable unwanted access to sensitive information.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)