Factsheet Use virtualisation wisely
Virtualisation of ICT services ensures more efficient and flexible use of hardware. This factsheet is about specific risks that arise when you use virtual servers to outsource ICT services. Your virtual server has an unknown number of virtual neighbours on the host. By using the newly discovered Flip Feng Shui attack method, an attacker can penetrate a virtual neighbour or have it install malware. Until now, an attacker could only eavesdrop on the activity of virtual neighbours, and the success probability of such an attack was much lower.
The NCSC advises you to establish, in your rules on information security, which types of systems in your organisation may be virtualised. Additionally, establish in which types of cloud these types of systems may be accommodated.
Flip Feng Shui presents a significant change to the risk profile of virtual servers. Side-channel attacks were a mostly theoretical risk. That does not apply to Flip Feng Shui. Vendors can take measures to prevent the attack method. It is to be expected that researchers will discover similar attack methods in the coming years. It is therefore important that your vendor is up to date with the latest developments.
The target audience of this factsheet is information security professionals, administrators and architects of organisations that purchase or internally use virtualised services (such as cloud servers).
An extensive 'question and answer' on the Flip Feng Shui attack method, including courses of action for owners of hosts, is also available: "Flip Feng Shui attack method: question and answer" (English) and "Flip Feng Shui-aanvalstechniek: vraag en antwoord" (Dutch).
A Dutch version of this factsheet is available on the Dutch section of this website.