Posted by: Greg Ness | June 27, 2008

Cloud Computing and the VirtSec Barrier

Many of my recent blogs at Archimedius have talked about cloud computing from a macroeconomic perspective, with anecdotes about small towns mixed in with lessons from world economic history. Now let’s talk about why every company with an IT operations department hasn’t yet flown into the clouds to save money and enhance agility.


A farm made up of racks and stacks of hypervisors is incredibly cost efficient, and can allow servers to be brought up and down on short notice in order to scale to meet user demand.  That kind of flexibility is a powerful IT operations enabler, especially for businesses with significant user load spikes. 


Without virtualization (or cloud computing), organizations have to overprovision servers to support peak load; they even keep unused servers running simply to ensure system availability for potential peak usage. That consumes plenty of extra electricity and has caused crowding and data center expansion for many enterprises, which also means extra real estate expense.


If server farms were interconnected around the world in a massive cloud, servers could chase cheap power and only consume electricity when needed.  That would be a massive boost in server efficiency and reduction in energy consumption, as articulated in Follow the Moon (or whatever).


Yet despite the opportunities to go cloud there are still technical hurdles, and one of those hurdles is virtualization security. Sharing processing power among many organizations, applications, etc. would require a new level of security enforcement well beyond the systems in use today to protect physical servers. Most were created to protect known, static servers and were deployed at an outer perimeter. Very few are capable of looking at traffic inside a hypervisor and protecting virtual servers (VMs) from each other. Many use older deep packet inspection engines to scan traffic for growing lists of attack signatures; that scanning is very compute intensive, so sizable hypervisor resources end up tied up in security tasks.


Because these solutions are compute intensive, enterprises would have to create elaborate hairpins between hypervisors, agents and multiple hardware security appliances in order to properly protect the hypervisor layer.


As a result, most enterprises that have virtualized portions of their production data centers have implemented what I’ve called virtualization-lite. There is very little flexibility and cost savings with virtualization-lite relative to full virtualization and cloud computing, but it’s the most common response to the protection of VMs by older network security equipment.


Virtualization security is therefore one of the factors restricting the benefits of data center virtualization, and it would be an even larger impediment to cloud computing; the benefits of clouds depend on higher levels of flexibility and server motion.


The established network security and virtualization players need to tackle this issue in order to drive the wider adoption of virtualization and cloud computing.  They need to deliver deeper and more robust hypervisor inspection and traffic management capabilities, without having to resort to hypervisor hogging and movement restrictions driven by multiple, specialized security agents or elaborate appliance hairpins.


There is no question that the major players will eventually deliver on the promise of an elegant, comprehensive virtsec solution. Technologies have come to market to address the unique requirements of VM security and hypervisor layer enforcement. The key is their rate of adoption into mainstream virtualization projects. According to security expert Mike Rothman, that adoption will take years. Yet the virtualization, security and cloud computing players could reap massive gains as a result of cloud computing. They could establish leadership and considerable revenue momentum as the world’s data centers are re-architected.


Yet the market will have to walk before servers can fly.





Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004. My recently launched personal blog is: .  My blog also appears at, John Furrier’s new 24 hour blogzine.  These are all my opinions, and do not represent the opinions of employers, spouses, kids, etc.  They also do not represent any stock recommendations of any kind.
