Posted by: Greg Ness | September 14, 2007

VM Security: The Keys to the Virtualization Kingdom

The Sky is not Falling… Yet 

Wall Street has voted on the promise of virtualization, sending VMware shares skyward in an ascent into the Googlesphere.  With Microsoft and Citrix hovering, certainly the pressure on VMware at this point is on execution.  They have the buzz.  They have the momo.  They have the VM eco-system.   This scenario harkens back to the early days of the PC operating system wars and Apple’s losing battle for retail software shelf space.  Brilliant design, ease of use, graphics and brilliant marketing were simply not enough in those days to keep up with the Windows software plethora.  When it comes to operating systems, the one with the most toys often wins. 

VMware in the Lead

This time VMware (in the battle to become the data center operating system) has the plethora, the customer base, the experience and the product.  That is a formidable combination.  No doubt that is at least part of the reason that Wall Street has rewarded VMware with an unusual multiple.  It is probably the most promising growth company in all of IT.  It has the potential to completely rewrite the rules for how software and hardware are deployed, managed and secured.  It is a game-changer. 

Yet there is a dark horse element in all of this that promises to keep things interesting: security.  And I don’t mean hypervisor security, although some pundits are still tapping their feet waiting for hypervisor attacks.  I mean good old fashioned server security aimed at protecting data and applications running on top of the hypervisor.  It’s fairly early for hypervisor attacks, and the virtualization players are taking steps to harden their relatively lean and modern code.  

As virtualization moves from the safe sanctum of test and development to production environments, security risks rise significantly.  All that change and flexibility in devtest had minimal consequences for security because the moving and state-shifting VMs were well-isolated from the public-facing network.   

Changes can be Painful for many Security Solutions

In production environments effortless movement and changes of VM states (snapshot, revert, online, offline, VMotion, etc.) can generate extreme operational challenges for critical security activities like vulnerability scanning, patching and other security controls.  Vulnerability scans, a critical tool for tracking software vulnerabilities, can become obsolete in seconds.  Bottom line: The constant change enabled by virtualization can place dynamic demands on the most commonly deployed static security solutions, even in small virtualized production infrastructures.  

All the tricks, flips and tools that make software more nimble and powerful will not matter unless the production infrastructure can be effectively secured from attack.  Yet many of the leading network security vendors have been caught flat-footed by virtualization.  Some are even trying to cram ASIC-driven IPS solutions onto commodity processors, taking up sizable chunks of server/blade processing power and introducing unacceptable levels of latency, in a nonsensical effort to match suspicious virtual server traffic with a growing library of signatures. 

That game promises to get even more complicated and resource-consuming as hackers shift to mutating attacks. Taking the challenges a step further into the virtualized data center made up of blade server fabrics: just how many enterprises will be returning to the ASIC security world with bigger boxes, bigger signature libraries and the promise of constant tuning and traffic headaches while the rest of their infrastructure becomes more powerful, more flexible and more efficient?   

How many ASIC-driven security players (and their hardware-centric channel partners) are likewise taking a hard look at the pure software model of virtualization (and much lower margins) and seriously contemplating “serving up their children and their channel allies” to deliver a core technology that in its current state is likely unfit for commoditized processing?  That’s an Innovator’s Dilemma that might even make Clay Christensen cringe.  

That’s why recent articles in InformationWeek and Network Computing online are either particularly interesting or particularly disturbing, depending on the logo on your tradeshow shirt. 

The IT press is abuzz with excellent pieces that are digging up the security challenges and opportunities inherent in virtualization and shocking the traditional old guard.  Federal Computer Week weighed in last week, joining a drumbeat across IT publications that kicked off this spring when Gartner and Nemertes published papers warning about the risks and exposures of virtualization in production environments.  Andi Mann at EMA has also been talking about the challenges in InfoWorld and other publications. 

Security expert and visionary Chris Hoff has been blogging about the topic as well, with some of the best insight available anywhere.  His trench perspectives on internal company dynamics and vendor posturing are a refreshing contrast to some of the vendor puffery and head fakes. 

Here is a CMP collection (Playbook) of articles on the topic of virtualization security that ran from February to August (sponsored by AMD and Blue Lane) in InformationWeek, Network Computing and the security site Dark Reading.  While it doesn’t include September coverage yet (it was compiled in August) it can give you a quick background on the issues, challenges and perspectives. 

A few months ago Virtual Strategy interviewed Blue Lane’s Allwyn Sequeira.  IMHO it is one of the best discussions on the topic ever recorded.  IT Conversations also interviewed me a few months ago, if you’re looking for more background. 

VMware is Taking Steps in the Right Direction

Rest assured that VMware gets it.  They bought Determina weeks ago, and acquired technology rights that can help them further harden their hypervisor.  So in one fell swoop they’ve helped to enhance their robust security eco-system and hardened their hypervisor. 

The core issue is still the double-edged sword of change and its impact on security solutions that were never intended to defend fluid environments.  Automation of patching helps close otherwise wide open vulnerability windows, but with virtualization those windows can open by accident or intent in seconds.  Now we’re back to the signature tuning challenge: Do you press the patch button every hour, every ten minutes, every 30 seconds?  Do you set vulnerability scanners on auto-pilot and produce minute-by-minute reports 24/7? 
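The snapshot-and-revert problem described above is concrete enough to check for mechanically. The following is an added example, not code from the original post or from VMware or Blue Lane: it walks a constructed VM lifecycle event log (the one-line-per-event format, the VM names, the snapshot names and the patch identifier are all assumptions made up for the illustration) and reports which VMs need a fresh vulnerability scan and which patches a revert silently undid. The point it demonstrates is that a clean scan result is only valid for the guest state it was taken against, so a revert to a snapshot older than the scan or the patch invalidates both, whereas a VMotion or a power-off leaves the guest state untouched.

```python
"""Flag vulnerability scans and patches invalidated by VM reverts.

Added example; the event format, VM names, snapshot names and the patch
identifier below are constructed for illustration, not taken from any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed event log: "<ISO timestamp> <vm> <action> <detail>".
# Actions modelled: snapshot, patch, scan, revert, vmotion, poweroff.
VM_EVENTS = """\
2007-09-14T08:00:00 web01 snapshot base-pre-patch
2007-09-14T08:30:00 web01 patch KB-PLACEHOLDER-1
2007-09-14T09:00:00 web01 scan clean
2007-09-14T09:45:00 web01 revert base-pre-patch
2007-09-14T09:50:00 web02 vmotion host-b
2007-09-14T09:55:00 web02 scan clean
2007-09-14T10:05:00 db01 scan clean
2007-09-14T10:10:00 db01 poweroff -
2007-09-13T06:00:00 app01 scan clean
"""

# Constructed "current time" used by demo(); a real tool would use datetime.now().
NOW = datetime(2007, 9, 14, 12, 0, 0)


@dataclass
class VmState:
    snapshots: Dict[str, datetime] = field(default_factory=dict)  # name -> time taken
    patches: List[Tuple[datetime, str]] = field(default_factory=list)
    last_scan: Optional[datetime] = None
    lost_patches: List[str] = field(default_factory=list)
    rescan_reason: Optional[str] = None


def parse_events(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the event log and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, vm, action, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), vm, action, detail))
    events.sort(key=lambda e: e[0])
    return events


def assess(text: str, now: datetime,
           max_scan_age: timedelta = timedelta(hours=24)) -> Dict[str, dict]:
    """Replay the events and report, per VM, whether a rescan is needed
    and which patches were undone by a revert."""
    states: Dict[str, VmState] = {}
    for ts, vm, action, detail in parse_events(text):
        st = states.setdefault(vm, VmState())
        if action == "snapshot":
            st.snapshots[detail] = ts
        elif action == "patch":
            st.patches.append((ts, detail))
        elif action == "scan":
            st.last_scan = ts
            st.rescan_reason = None
        elif action == "revert":
            taken = st.snapshots.get(detail)
            if taken is None:
                st.last_scan = None
                st.rescan_reason = f"revert to unknown snapshot {detail}"
                continue
            # Guest disk and memory are back at 'taken': everything applied
            # after that moment, patches included, is gone.
            st.lost_patches = [p for t, p in st.patches if t > taken]
            st.patches = [(t, p) for t, p in st.patches if t <= taken]
            if st.last_scan is not None and st.last_scan > taken:
                st.last_scan = None
                st.rescan_reason = f"scan invalidated by revert to {detail}"
        # vmotion and poweroff move or pause the guest without changing its
        # state, so they leave scan validity and patch level alone.

    report = {}
    for vm, st in states.items():
        if st.last_scan is None:
            rescan, reason = True, st.rescan_reason or "never scanned"
        elif now - st.last_scan > max_scan_age:
            rescan, reason = True, "scan older than max age"
        else:
            rescan, reason = False, "ok"
        report[vm] = {"rescan": rescan, "reason": reason,
                      "lost_patches": list(st.lost_patches)}
    return report


def demo() -> Dict[str, dict]:
    """Run the assessment over the constructed log at the constructed NOW."""
    return assess(VM_EVENTS, NOW)


if __name__ == "__main__":
    for vm, verdict in sorted(demo().items()):
        print(vm, verdict)
```

In this constructed log, web01 was patched, scanned clean, and then reverted to a snapshot taken before the patch: the report marks it for rescan and lists the lost patch. web02 only moved hosts and db01 only powered off, so their scans stand, while app01's scan is simply older than the 24-hour window. The `max_scan_age` knob is where the "every hour, every ten minutes, every 30 seconds?" question from the paragraph above turns into a policy value, and feeding the tool real VM lifecycle events is the part that makes rescans event-driven rather than blind.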

That’s why I posted earlier that virtualization is security’s wake up call.  Yet, if virtualization platforms do not tackle the security issues head on, their rates of adoption in the production data centers (which is a sizable portion of the market) risk sagging and affecting P/E multiples.  With proper security, the widespread adoption of virtualization will likely be clear sailing.   After all, virtualization promises enhanced security over complex, ASIC-driven physical infrastructures… if it’s done right. 

So that makes security a critical differentiator in production environments that could shift the power and momo to whomever gets it “firstest with the mostest.” Currently VMware is in the lead with the best security eco-system across the virtualization platform players. 

A New and Promising Twist

Virtualization could also tilt the balance of security power away from “catch all” perimeter appliances to more specialized server security solutions, as data center virtualization creates safer compounds that can deliver processing power on demand to users from behind the safety of virtual shield-like solutions that are thin, intelligent and highly accurate.  More on that later. 

Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection.  I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel.  I’ve been an Always On blogger/columnist since 2003.  You can access my Always On blog at: http://alwayson.goingon.com/permalink/post/19190

