VMware has without doubt emerged as both the execution and the vision leader in virtualization. Its recent IPO (even after the haircut that followed its latest earnings announcement) has blazed a trail from its dev/test heritage straight into the multi-billion-dollar production virtualization market.
There is, however, another dark-horse element in all of this that promises to keep things interesting: virtualization security (virtsec). By virtsec I don't mean hypervisor security, although some pundits are still tapping their feet waiting for hypervisor attacks. I mean good old-fashioned server security aimed at protecting the data and applications running as VMs on top of the hypervisor.
It is early days for hypervisor attacks, and the virtualization players are taking steps to harden their relatively lean and modern code. Compare that lean, modern code base with the panoply of older applications, databases and operating systems running inside the VMs, carrying thousands of known vulnerabilities, and it's easy to see where the real virtsec action will be focused.
As virtualization moves from the safe sanctum of test and development into production, security risk rises significantly. All the change and flexibility in dev/test had minimal security consequences because the moving, state-shifting VMs were well isolated from the public-facing network. That is not the case in production data centers that face the public network.
Changes Can Be Painful for Many Security Solutions
In production, the effortless movement and state changes of VMs (snapshot, revert, online, offline, VMotion and so on) create serious operational challenges for critical activities such as vulnerability scanning and patching. A vulnerability scan, the basic tool for tracking software vulnerabilities, can become obsolete in seconds: one revert to an older snapshot brings back every vulnerability the scan reported as closed, while the report still says the VM is clean.
Bottom line: the constant change that virtualization enables places dynamic demands on the most commonly deployed security solutions, which are static, and it does so even in small virtualized production infrastructures. Now combine that flexibility and state change with multiple VMs running multiple applications and operating systems on a single piece of hardware.
You now have a complex community of VMs changing state, moving and interacting with each other, all on the same server. They can also move across servers and join new, percolating communities. Security solutions built around manual tuning and manual tracking of exploits and vulnerabilities are not well suited to this new world of dynamic processing fabrics.
The promise of flexibility is the promise of catastrophe for static security appliances and for the people who have to maintain, update and tune them as VMs move. While VMware has carefully recruited ecosystem players who can address these more dynamic environments, most virtualization pros do not understand the principles of network security, and most network security pros are only beginning to grasp the significance of virtualization.
The "wall of logos" strategy that worked so well for VMware on the dev/test side will need to be more focused and more proactive on the production side; CSOs will want to know what is recommended to secure their new, fluid environment, not merely that they have lots of choices. When it comes to aggressive growth into the data center, all the tricks, flips and tools that make the software more nimble and powerful (the ecosystem that gives VMware its competitive advantage) will not matter unless the infrastructure can be effectively secured against attack.
Yet, as I've said before, many of the leading network security vendors have been caught flat-footed by virtualization and are either unprepared or unmotivated. They are also not entirely excited about how virtualization could affect their hardware business. I've blogged about this several times at www.archimedius.net and on Always On.
Some vendors will have to port ASIC-driven IPS solutions onto commodity processors on blade servers, consuming sizable chunks of server and blade processing power and introducing unacceptable latency, in a nonsensical effort to match suspicious virtual-server traffic against an ever-growing library of exploit and vulnerability signatures. That game promises to get even more complicated and resource-hungry as attackers shift to mutating attacks.
Take the challenge a step further, into virtualized data centers that are essentially blade-server fabrics: how many enterprises will go back to the ASIC security world, with bigger boxes, bigger signature libraries and the promise of constant tuning and traffic complexity, while the rest of their infrastructure becomes more powerful, more flexible and more efficient?
Similarly, how many ASIC-based security players (and their hardware-centric channel partners) are taking a hard look at the pure-software model of virtualization, with its much lower margins, and seriously contemplating "serving up their children and their channel allies" in order to deliver a core technology that, in its current state, is probably unfit for commodity processors? That is an Innovator's Dilemma that might make even Clay Christensen cringe.
That is why I think the network IPS market as we know it may taper off as virtualization moves into the production data center, with the vendors refocusing long term on desktop protection, their legacy business. Software-architected IPS vendors with application and protocol context win the day, and server security emerges as a key virtsec requirement.
That is why recent articles in InformationWeek and Network Computing online are either particularly interesting or particularly disturbing, depending on the logo at your headquarters. The IT press is abuzz with excellent pieces digging into the security challenges and opportunities inherent in virtualization and shocking the traditional old guard. Federal Computer Week weighed in as well, joining a drumbeat across IT publications that kicked off last spring when Gartner and Nemertes published papers warning about the risks and exposures of virtualization in production environments. Andi Mann at EMA has also been discussing the challenges in InfoWorld and other publications.
Security expert and visionary Chris Hoff has been blogging about the topic too, with some of the best insight available anywhere. His in-the-trenches perspective on internal company dynamics and vendor posturing is a refreshing contrast to the vendor puffery and head fakes. His blog is probably one of the best on the subject.
VMware Is Taking Steps in the Right Direction
Rest assured that VMware gets it. It bought Determina months ago, acquiring technology rights that can help it further harden its hypervisor. In one fell swoop it strengthened its already robust security ecosystem, hardened its hypervisor and widened the virtsec gap between itself and its rivals. It also keeps the virtsec conversation focused on the VMs rather than the hypervisor, which, in the hands of security-savvy CSOs, is where the substantial security opportunity really lies.
The core issue for the proliferation of virtualization in production environments is therefore still the double-edged sword of change and its impact on status-quo security solutions that were never architected to defend such fluid environments. Automated patching helps close otherwise wide-open vulnerability windows, but with virtualization those windows can reopen, by accident or by intent, in seconds: a VM reverted to a pre-patch snapshot is unpatched again, whatever the patch console says. Now we are back to a tuning challenge: do you press the patch button every hour, every ten minutes, every thirty seconds? Do you put the vulnerability scanners on autopilot and produce minute-by-minute reports around the clock?
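The revert problem is easier to see with a small model. What follows is an added example, not code from this post or from any VMware or Blue Lane product: a constructed event log (the timestamps, VM names web01 and db01, host names esx01 through esx03, the snapshot name pre-patch and the placeholder vulnerability ids VULN-A, VULN-B and VULN-C are all made up) is replayed against a toy VM whose disk image gets a new generation id on every write. Each scan result is keyed to the image it actually scanned, so after a revert the check can tell that the newest scan no longer describes the image that is running, while a VMotion, which moves the VM but not its image, leaves the scan valid.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed example: a toy model of VM disk images and scan results.
# Nothing here is a real VMware or scanner API; the point is the bookkeeping.


@dataclass
class VM:
    name: str
    host: str
    gen: int = 0                                     # id of the disk image now running
    next_gen: int = 1
    open_vulns: dict = field(default_factory=dict)   # image id -> unpatched vulns
    snapshots: dict = field(default_factory=dict)    # snapshot name -> image id
    scans: list = field(default_factory=list)        # (ts, image id, findings)


def new_vm(name: str, host: str, vulns) -> VM:
    vm = VM(name, host)
    vm.open_vulns[0] = frozenset(vulns)              # image 0: the VM as deployed
    return vm


def apply_event(vm: VM, ts: str, action: str, arg: Optional[str] = None) -> None:
    if action == "snapshot":
        vm.snapshots[arg] = vm.gen                   # a snapshot freezes the current image
    elif action == "patch":
        # a write produces a new image; the old one lives on inside any snapshot
        vm.open_vulns[vm.next_gen] = vm.open_vulns[vm.gen] - {arg}
        vm.gen, vm.next_gen = vm.next_gen, vm.next_gen + 1
    elif action == "revert":
        vm.gen = vm.snapshots[arg]                   # every patch made since is gone
    elif action == "vmotion":
        vm.host = arg                                # live migration: same image, new host
    elif action == "scan":
        # the scanner reports whatever is unpatched on the image it ran against
        vm.scans.append((ts, vm.gen, vm.open_vulns[vm.gen]))
    else:
        raise ValueError(f"unknown event {action!r}")


def replay(vm: VM, log: str) -> VM:
    """Apply the events in a whitespace-separated log that concern this VM."""
    for line in log.strip().splitlines():
        ts, name, action, *rest = line.split()
        if name == vm.name:
            apply_event(vm, ts, action, rest[0] if rest else None)
    return vm


def latest_scan(vm: VM):
    """What a time-ordered scan report shows: the newest result by timestamp."""
    return vm.scans[-1] if vm.scans else None


def valid_scan(vm: VM):
    """Newest scan taken on the image the VM runs right now, or None if there is none."""
    for rec in reversed(vm.scans):
        if rec[1] == vm.gen:
            return rec
    return None


def scan_is_stale(vm: VM) -> bool:
    """True when the newest scan describes an image other than the running one."""
    newest = latest_scan(vm)
    return newest is None or newest[1] != vm.gen


# Constructed event log (timestamps, VM names, hosts, snapshot and VULN-* ids are made up).
LOG = """
2007-10-01T09:00 web01 snapshot pre-patch
2007-10-01T09:05 web01 scan
2007-10-01T09:10 db01 scan
2007-10-01T10:00 web01 patch VULN-A
2007-10-01T10:05 web01 scan
2007-10-01T11:00 web01 vmotion esx02
2007-10-01T11:30 db01 vmotion esx03
2007-10-01T12:00 web01 revert pre-patch
"""


def build_fleet() -> dict:
    web = replay(new_vm("web01", "esx01", ["VULN-A", "VULN-B"]), LOG)
    db = replay(new_vm("db01", "esx01", ["VULN-C"]), LOG)
    return {vm.name: vm for vm in (web, db)}


def stale_vms(fleet: dict) -> list:
    """Names of VMs whose newest scan can no longer be trusted and that need a rescan."""
    return sorted(name for name, vm in fleet.items() if scan_is_stale(vm))


if __name__ == "__main__":
    fleet = build_fleet()
    for vm in fleet.values():
        print(vm.name, "on", vm.host, "image", vm.gen,
              "newest scan:", sorted(latest_scan(vm)[2]),
              "scan of running image:", sorted(valid_scan(vm)[2]),
              "stale" if scan_is_stale(vm) else "current")
    print("rescan needed:", stale_vms(fleet))
```

After the replay, web01's newest scan (taken after the patch) says only VULN-B is open, but the VM is back on the pre-patch image where VULN-A is open as well; the model flags it for a rescan, while db01, which only moved hosts, keeps a valid result. The design choice is the one the text is circling: rescan on image-change events rather than on a timer, and key results to image identity (in a real environment a disk or snapshot UUID plays the role of the generation id here), not to the VM name or the clock.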
That is why I blogged earlier at Always On that virtualization is security's wake-up call. If the virtualization platforms do not tackle the security issues head on and educate their customers, their adoption rates in production data centers (a sizable portion of the growth market) risk sagging, with consequences for P/E multiples. With proper security education, the widespread adoption of virtualization could instead play into VMware's hands and give its formidable competitors additional, substantial barriers to entry.
After all, virtualization promises better security than complex, ASIC-driven physical infrastructures, if it is done right. Security is a critical differentiator in production environments, one that could shift power and momentum to whoever gets there "firstest with the mostest." VMware currently leads, with the best security ecosystem among the virtualization platform players. Yet we have seen similar leads evaporate quickly after a single misstep, and Microsoft and Citrix both recognize the significance of virtualization and the opportunity for substantial growth.
I’m the VP Marketing at Blue Lane Technologies and this is my personal opinion.