Posted by: Greg Ness | September 25, 2007

SNS Letter on Virtualization Security

Last week I was invited to transform my recent blog at Always On on VM security into a larger piece on virtualization and security and its impact on several leading companies.  The letter follows (although I returned to my original headline).

Virtualization, Security and the Battle over the Next Data Center OS 

Within days of VMware’s hot IPO, Citrix purchased rival virtualization solution provider XenSource for $500 million.  XenSource expects 2007 revenue of about $1 million.  These two events suggest that Wall Street sees exceptional growth and profits in the race to become the new data center operating system. 

As Microsoft works away on its own virtualization platform to launch next year, it is clear that a battle is already shaping up over who will capture the data center operating system market.  The stakes are sizable.  Billions in market cap are likely to shift between three high profile companies: VMW, CTXS and MSFT. 

Wall Street has already rewarded VMware with a market cap past $30 billion, according to recent Yahoo reports.  That places them in a very small group of select technology companies.  With Microsoft and Citrix hovering, certainly the pressure on VMware at this point is on execution.  They have the buzz.  They have the momo.  They have the VM eco-system.  

This kind of “gorillas in the early market mist” scenario harks back to the early days of the PC operating system wars and Apple’s losing battle for retail software shelf space.  Brilliant design, ease of use, graphics and brilliant marketing were simply not enough in those days to keep up with the escalating range of Windows software choices. 

When it comes to operating systems, the one with the most toys usually wins.  A big part of the promise of virtualization with VMware is the variety of appliances already available.  That may explain at least some of Wall Street’s enthusiasm for VMW.  

VMware in the Lead

VMware (in the battle to become the data center operating system) has the eco-system, the customer base, the experience and the product.  That is a formidable combination.  It is probably the most promising growth company in all of IT, well positioned in information technology’s next big thing.  VMware has the rare potential to completely rewrite the rules for how software and hardware are deployed, managed and secured in the enterprise data center.  It is a game-changer. 

Of course, Novell and Microsoft have also battled in the mist, and Novell initially had the technology, user base and eco-system only to get distracted and then neutralized by a very powerful foe.  So while it isn’t yet over, VMW has certainly caught the Street’s attention and has done an excellent job of waking up organizations and bankers to the promise of virtualization. 

Yet there is a dark horse element in all of this that promises to keep things interesting: virtualization security.  And by that I don’t mean hypervisor-specific security, although some pundits are still tapping their feet waiting for hypervisor attack outbreaks.  

In the short term virtualization will have a much bigger impact on the presence and accessibility of existing, known software vulnerabilities, and on the ability of deployed security solutions and current processes to protect the critical applications and databases behind them.  It’s fairly early for hypervisor attacks, and the virtualization players are taking steps to harden their relatively lean and modern code.   

New Risks, New Rewards, New Realities

As virtualization moves from the safe inner sanctum of test and development to production environments, the security risk shifts significantly.  All that change and flexibility in devtest had minimal consequences for security because the moving and state-shifting VMs were well-isolated from the public-facing network.

Production environments represent sizable growth opportunities for virtualization players, sizable new rewards for organizations (including substantial power savings, IT responsiveness and even real estate cost reductions), yet sizable new realities for the world of network security.   

In production environments effortless movement and changes of VM states (snapshot, revert, online, offline, VMotion, etc.) generate extreme operational challenges for critical activities like vulnerability scanning, patching and the operation of static security solutions.  Vulnerability scans, a critical tool for tracking software vulnerabilities, can become obsolete in seconds.  Network security solutions that often require manual tuning for every new exploit and vulnerability (and every changed IP address) will be incapable of keeping up with the movement and state shifts now made possible by virtualization. 

Security pros already bedazzled by polymorphic attacks (that mutate and can evade detection signatures) will now have to cope with exponential levels of change and complexity. Bottom line: The unprecedented flexibility enabled by virtualization places dynamic demands on the most widely deployed static security solutions, in even small virtualized production infrastructures.

As virtualization changes the game for how hardware and processing power are deployed, so it also changes the security game into an IT battle between the quick and the dead. This new level of flexibility and change also means multiple VMs running multiple applications and operating systems on a single piece of hardware.  You now have a complex community of VMs changing states, moving and interacting with each other all on the same server.  With VMotion they can even move across servers and join new VM cluster communities.

When you take a close look at the nature of virtualization and production security, you quickly realize that complexity (at least from a security perspective) has just gone exponential and dynamic in a way many have never anticipated.  VMware has anticipated the security impacts of the shift and has carefully recruited eco-system players who can address these more dynamic environments. 

While most virtualization pros do not understand the principles of network security and most network security pros are just beginning to grasp the significance of virtualization, VMware has taken several strategic steps in security and perhaps further distanced itself from its competitors. 

Why Security is Especially Important Now

When it comes to aggressive growth into the data center, all the tricks, flips and tools that make software more nimble and powerful (the eco-system we were talking about that gives VMware a competitive advantage) will not matter unless the infrastructure can be effectively secured from attack. 

Yet, as I’ve suggested, many of the leading static network security vendors have been caught flat-footed by virtualization and are either unprepared, unmotivated or both.  Some vendors are trying to port ASIC-driven IPS solutions onto commodity processors.  (ASICs are custom processors that boost the power of hardware for specialized tasks like pattern-matching network traffic against signatures of known, suspicious hacker traffic.)

As a result their software-only solution will likely tie up sizable chunks of server/blade processing power and introduce unacceptable levels of latency.   That game promises to get even more complicated and resource-consuming as hackers continue to shift toward mutating attacks that consume ever more security processing, and as data centers move to fabrics of blade servers, crushing the value proposition of many dedicated ASIC-based network appliances. 

The question for the data center operators then becomes: just how many of them will be returning to the ASIC security world with bigger boxes, bigger signature libraries and the promise of constant tuning and traffic challenges and complexities while the rest of their infrastructure (and competitors’ infrastructures) becomes more powerful, more flexible and more efficient?   

Similarly, how many ASIC-based security players (and their hardware-centric channel partners) are likewise taking a hard look at the pure software model of virtualization (and its much lower margins) and seriously contemplating “serving up their children and their channel allies” to deliver a core technology that in its current state is likely unfit for commoditized processing?  That’s an Innovator’s Dilemma that might even make Clay Christensen cringe.  

That’s why recent articles in InformationWeek and Network Computing online are either particularly interesting or particularly disturbing, depending on the logo on the sign at your headquarters.  The IT press is abuzz with excellent pieces that are digging up the security challenges and opportunities inherent in virtualization and shocking the traditional old guard.  Federal Computer Week weighed in last week, joining a drumbeat across IT publications that kicked off this spring when Gartner and Nemertes published papers warning about the risks and exposures of virtualization in production environments.  Andi Mann at EMA has also been talking about the challenges in InfoWorld and other publications. 

Security expert and tech visionary Chris Hoff has been blogging about the topic as well, with some of the best insight available anywhere.  His trench perspectives on internal company dynamics and vendor posturing are a refreshing contrast to some of the vendor puffery and head fakes.  His blog is probably one of the best on the topic and worth reading. 

VMware is Taking Steps in the Right Direction

The good news is that VMware gets it.  They bought Determina weeks ago, acquiring technology rights that can help them further harden their hypervisor.  So in one fell swoop they’ve enhanced their already robust security eco-system and hardened their hypervisor, creating a yet wider gap between them and their rivals. 

The core issue for the proliferation of virtualization into production environments is still the double-edged sword of change and its impact on the status quo security solutions that were never architected to defend such fluid environments.  Automation of patching helps close otherwise wide open vulnerability windows, but with virtualization those windows can open by accident or intent in seconds.   

We’re back to the signature tuning challenge: Do you press the patch button every hour, every ten minutes, every 30 seconds?  Do you set vulnerability scanners on auto-pilot and produce minute-by-minute reports 24/7? Do you dedicate IT resources to constant tuning?  Not unless you’re planning to set up your team as an outsourcing case study. 
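The two passages above (VM state changes making scan results obsolete in seconds, and patch windows reopening "by accident or intent") describe one mechanism: a scan or patch report is a statement about a VM at one instant, and a revert to an earlier snapshot silently undoes the patches without touching the report. The following model is an added illustration, not code from the letter or from any vendor named in it; the classes `VirtualMachine`, `Snapshot`, `ScanRecord`, the functions `scan` and `stale_scans`, the patch identifiers and the logical clock ticks are all constructed for the example. It shows the defender-side check the letter is asking for: compare the timestamp of the newest scan against the timestamp of the VM's newest state change, and treat any scan older than that change as stale rather than trusting its report.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Snapshot:
    """Point-in-time copy of a VM's patch state (hypothetical model)."""
    name: str
    taken_at: int                      # logical clock tick, constructed
    installed_patches: FrozenSet[str]


@dataclass
class VirtualMachine:
    """Minimal VM model: only the state that matters for scan freshness."""
    name: str
    installed_patches: Set[str] = field(default_factory=set)
    snapshots: Dict[str, Snapshot] = field(default_factory=dict)
    last_state_change: int = 0         # tick of the latest change to running state

    def patch(self, patch_id: str, now: int) -> None:
        self.installed_patches.add(patch_id)
        self.last_state_change = now

    def snapshot(self, name: str, now: int) -> None:
        # Taking a snapshot records state but does not change the running VM.
        self.snapshots[name] = Snapshot(name, now, frozenset(self.installed_patches))

    def revert(self, name: str, now: int) -> None:
        # Revert restores the old patch set: anything installed since is gone.
        snap = self.snapshots[name]
        self.installed_patches = set(snap.installed_patches)
        self.last_state_change = now


@dataclass(frozen=True)
class ScanRecord:
    """What a vulnerability scan reported, and when."""
    vm: str
    scanned_at: int
    missing_patches: FrozenSet[str]


def scan(vm: VirtualMachine, required: Set[str], now: int) -> ScanRecord:
    """Report which required patches the VM lacks at tick `now`."""
    return ScanRecord(vm.name, now, frozenset(required - vm.installed_patches))


def stale_scans(vms: List[VirtualMachine], scans: Dict[str, ScanRecord]) -> List[str]:
    """Names of VMs whose newest scan predates their newest state change
    (or that were never scanned). These reports must not be trusted."""
    stale = []
    for vm in vms:
        rec = scans.get(vm.name)
        if rec is None or rec.scanned_at < vm.last_state_change:
            stale.append(vm.name)
    return stale


def demo() -> dict:
    """Walk one VM through snapshot, patch, scan, revert and rescan."""
    required = {"PATCH-A", "PATCH-B"}          # constructed patch identifiers
    web01 = VirtualMachine("web01")
    scans: Dict[str, ScanRecord] = {}

    web01.snapshot("golden", now=1)            # tick 1: snapshot before patching
    web01.patch("PATCH-A", now=2)              # tick 2: both patches applied
    web01.patch("PATCH-B", now=2)
    scans["web01"] = scan(web01, required, now=3)
    clean_after_patch = scans["web01"].missing_patches      # nothing missing
    stale_before_revert = stale_scans([web01], scans)       # scan is current

    web01.revert("golden", now=4)              # tick 4: revert reopens both windows
    report_still_says = scans["web01"].missing_patches      # old report unchanged
    stale_after_revert = stale_scans([web01], scans)        # freshness check fires

    scans["web01"] = scan(web01, required, now=5)           # tick 5: rescan
    actually_missing = scans["web01"].missing_patches

    return {
        "clean_after_patch": clean_after_patch,
        "stale_before_revert": stale_before_revert,
        "report_still_says": report_still_says,
        "stale_after_revert": stale_after_revert,
        "actually_missing": actually_missing,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if not isinstance(value, list) else value}")
```

The design point is that `stale_scans` never inspects patch state at all; it only compares clocks. That is what makes it cheap enough to run on every state-change event rather than on a scan schedule, which is the only cadence that keeps up with reverts and migrations happening in seconds.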

That’s why I blogged earlier at Always On that virtualization is security’s wake up call.  Beyond setting the stage for the new data center of blade servers and commoditized processors, it is pushing security solutions that are already out of breath keeping up with mutating attacks into new hardware limitations; a kind of ongoing, excruciating climate change that will force them to adapt or join the ranks of technologies that simply couldn’t keep up. 

Virtualization vendors are not in the clear either.  If virtualization platforms do not tackle the security issues head on with intelligent, flexible solutions that can operate on hypervisors with minimal footprints and latency they will not win over the data center.  Security is too important to production environments and widely deployed solutions are currently incapable of proper protection.  

The challenge for VMware, however, is less about security and more about education.  They have a security eco-system.  With proper security education, the widespread adoption of virtualization could play into VMware’s hands and give their formidable competitors additional and substantial barriers to entry.  Without education, security chats and excruciating politics between teams on a deployment by deployment basis across the marketplace could slow things down enough for competitor inroads. 

One of the key challenges for virtualization of the data center is its impact on IT teams not accustomed to working together or sharing responsibilities.  If VMware can accelerate the team process and educate both security and ops teams, it promises to do something that both Apple and Novell couldn’t: deliver a crushing blow to a rival with a history of entering lucrative markets and then owning them. 

The good news is that virtualization promises enhanced security over complex, ASIC-driven physical infrastructures now passing traffic through complicated weaves of appliances stretched between servers and clients.  The bad news is that if the security and ops pros deploying virtualization do not grasp the nature of the impacts of virtualization on their deployed security systems, they will face unprecedented levels of vulnerability to attacks already known and in use by most of the hacker community. 

These aren’t hypervisor attacks, but attacks against known vulnerabilities in software running on hypervisors.  VM vulnerabilities already exist.  Unpatched VMs mean unprotected VMs. Security (and not the management appliance ecosystem) promises to be a critical differentiator in the virtualization of production environments, unlike the devtest environments where virtualization flourished.  Again VMware is in the lead with the best security eco-system across the virtualization platform players.

Yet we’ve seen similar leads evaporate quickly with a single misstep. And Microsoft and Citrix both recognize the significance of virtualization and the opportunity for substantial growth.   From this viewpoint, it is likely that security will be one of the key drivers of any virtualization-related shift in market cap between these three highly successful companies; as well as a key driver in the success of virtualization initiatives. 

The sooner organizations understand the importance of virtualization security the better for all of us… especially VMware.  Disclaimer: This letter represents my opinion and not that of my existing or former employers.
