While competitors watch and wait, VMware has engineered the equivalent of a Normandy beach landing in production data centers. The company once known for heightened dev/test flexibility and server utilization has become the leader in virtualization security. VMware CEO Diane Greene is talking to the press about the virtsec opportunity while its competitors fiddle.
A year ago virtualization security was a whisper at best, thanks to a handful of visionary analysts, pundits and editors who understood the security implications of a new hypervisor layer inside the data center. VMware had their fingers on the pulse of the conversation and launched VMsafe at VMworld in Cannes.
Despite the network security world being slow to announce virtsec products, VMware was able to get many of these vendors to announce partnerships based on API access that would eventually lead to products. That promise led to a remarkable upswell in interest, as I blogged months ago.
Part of the challenge faced by netsec vendors is the inability of their solutions to peer into the hypervisor layer and deliver protection without tying up substantial hypervisor resources. That is easier said than done for signature-based AV and intrusion prevention products, for example, that have been fed for years by the dedicated hardware upgrade game that fueled remarkable revenue growth in an otherwise lackluster overall IT spending environment.
That’s why I think the first-order outcome of VMsafe has been the emergence of virtualization-lite in the data center. Virtualization-lite is the use of existing network security appliances to protect individual hypervisors and zone them off from one another. The highly flexible, rack-and-stack promise of virtualization gets partitioned into multiple VLANs.
While VLAN spaghetti is not optimal from either a security or a virtualization business case standpoint, it does give VMware and the traditional network security players a competitive beachhead. Virtualization-lite gets VMware into the data center, socializes virtualization with a new array of enterprise network professionals and allows for some additional operational flexibility over and above the previous physical server infrastructure.
It also allows the network security players (vendors and enterprise pros) to play with the hypervisors and gain valuable experience in real settings. Virtualization-lite minimizes emerging security requirements and management burdens, and limits the change and flexibility to within well-defined domains.
At the end of the day, virtualization-lite is only a beachhead. The faster VMware can make a more aggressive business case for the energy savings and flexibility benefits of hypervisor meshes, the faster it will win more lucrative data center deals and the more distance it will put between itself and competitors. That will require more security than virtsec-lite; it will require comprehensive solutions that can protect VMs without the heavy hypervisor loads and elaborate hairpins between the hypervisor layer and multiple security appliance toll booths.
And these hypervisor VLAN configurations are still vulnerable to the same old attacks against unsafe software that will never be safe enough. Add in a mix of mobility and mutation and you get a fluid attack surface with a higher propensity for surprises. The Verizon Breach Report identified plenty of implications for virtsec challenges over and above those already present in less flexible physical infrastructure. More change and less visibility, even within partitioned VLANs, isn’t a long-term answer; it is only a temporary position as vendors prepare their next moves and enterprises get a taste of the payoff.
As VMware has acknowledged with words and actions, virtsec is strategic to data center virtualization.
Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004. My recently launched personal blog is: www.archimedius.net. These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.