06/13/2012 2:50 PM

Virtualization Security: Where's The Innovation?

Server virtualization creates new security threats while turning the hypervisor into a network black hole, hiding traffic from traditional hardware defenses--problems a new breed of virtualization-aware security software tackles head-on.
Virtualization is standard operating procedure. It also breaks conventional defense mechanisms by hindering visibility and control, creating new attack avenues, increasing complexity, and blurring administrative roles between network and server teams. Our 2012 InformationWeek State of the Data Center Survey shows there's no going back, even if we wanted to: Half of 256 respondents will have at least 50% of their production servers virtualized by the end of next year; 26% will have 75% or more. So it's unfortunate that innovation in the virtualization security market is stalled. The holdup is twofold: First, the lack of a publicized breach targeting the hypervisor has made IT complacent. And second, there's an unwillingness among vendors to take on VMware; it owns most of the market and controls the APIs, a big deal given the scant enterprise adoption of rival server hypervisors.

That leaves us with a limited number of major products for hypervisor network security. Two of them, VMware's own vShield and Juniper's vGW (Virtual Gateway, acquired from Altor), use the APIs provided under VMware's VMsafe security program. Cisco, the other big player in this market, bases its technology around the proprietary Nexus 1000V virtual switch, which was developed in cooperation with VMware but isn't dependent on VMsafe. Cisco hasn't completely hitched itself to VMware's wagon; it has hinted that the technology will be usable with other hypervisors.

If you run a non-VMware hypervisor, you should be looking at Vyatta's Network OS product, which works with Citrix XenServer and Red Hat KVM, and, like VMware's vShield Edge, includes NAT and DHCP servers. Vyatta also adds a sophisticated routing engine with support for IPv4 and IPv6 dynamic routing protocols like BGP, OSPF, and RIP.

Granted, the non-VMware cadre is small for now, as some version of VMware is the primary hypervisor platform for 90% of respondents to our latest InformationWeek Virtualization Management Survey. But the market could get more dynamic should open source cloud systems like OpenStack (which uses KVM) and CloudStack (which uses Xen) gain traction. Microsoft has made some storage and migration enhancements to Hyper-V in a bid to appeal to enterprises but doesn't yet have anything comparable to VMsafe for network security, although third parties are starting to fill the gap. And don't count out startups, like Bromium, led by former Xen architect Simon Crosby, that are focused on virtualization and cloud security. A radically new platform could raise the competitive bar by making secure virtualization a table-stakes feature. Crosby hints at the opportunities for Bromium when he says he believes that in five years, most IT workloads will be in the cloud, whether public or private, and that the hypervisor's "sole value will be security."

Still, for now, VMware's vShield line sets the standard for the VM security market. More important, it effectively defines three segments that align with logical network and virtual machine boundaries--intra-VM (Layer 2 within a virtual switch); inter-VM (Layer 3, between physical hosts in a private cloud); and guest OS (application control within the VM). We delve into each layer in our full report, but this structure is a great baseline for IT teams to plan their security strategies.



re: Virtualization Security: Where's The Innovation?

Hi Kurt - this is a great article - very insightful. I like the challenge for innovation. It is hard to see what's going on; with all the noise and FUD there's not a lot of clear progress for virtualization or "Cloud" security.

You are right that most enterprises leverage VMs to build clouds and most of those VMs are hosted on VMware. While that may be true for a number of organizations (and thus the number of people operating these clouds), there are actually a small number of organizations that run massive clouds with thousands of machines in them. These guys have tried VMware, and even Citrix, Red Hat, and Microsoft, but many are looking for open source alternatives.

What they find is a lack of security controls available for these "non-VMware" platforms.

Look at what VMware-based environments have going for them: in addition to the various hypervisor-based solutions you mention, like endpoint, firewall, and antivirus, there are robust solutions from companies to provide disk encryption and improve the control of the hypervisor layer.

HyTrust has partnered with new server and network hardware vendors like Cisco to also secure the UCS and Nexus platforms with policy-based controls that can scale with federation to multiple datacenters. They've shown innovation by partnering with CA Technologies to offer an integrated access management solution for both physical AND virtual cloud environments.

High Cloud Security offers on-the-fly encryption of the VM disk, so destroying a VM in the cloud is as simple as deleting a key.

The challenge will be to see the use of these third-party security solutions for VMware expanded to include the other, more popular cloud environments. I say more popular because of the quantity of systems being used at Amazon, Facebook, Google, and others that are NOT VMware-based. There's a shift in the industry to continue saving money by leveraging open source technology as much as possible.

Software Defined Networking is another innovation many VMware shops are not seeing because it is based on open source technology that VMware and Cisco have not yet integrated into their products. Open vSwitch is now standard in any Linux 3.3 kernel OS and is also shipping with Citrix XenServer and Microsoft Windows 8. This brings functionality like the VMware Distributed Switch to other cloud infrastructure and enables scale beyond what VMware can offer.

It may be hard to find, but the innovation IS happening. What can we do to call out the innovators?

Iben