Virtualization is not only the focus of server consolidation and flexible resource management, it's also a potential new hub of datacenter security.
Hypervisors contain virtual switches through which all of a host's virtual machine traffic passes, so they see both the application context and the network traffic. From that vantage point, VMware's ESX hypervisor can watch application behavior and traffic while staying away from the network edge, where the application's attack surface provides the most exposure, VMware CEO Pat Gelsinger said in a keynote address Thursday at Interop Las Vegas, run by UBM Tech, InformationWeek's parent company.
Security spending is one of the fastest growing areas of the IT budget, but it's not keeping up with proliferating threats, Gelsinger said in VMware's first keynote address to the annual networking, application deployment, and datacenter management conference.
"We see this as the most critical time in IT in the past 30 years," Gelsinger said. The datacenter must operate more efficiently, in a more automated fashion, and in a more secure manner. As hardwired devices get reconfigured as virtualized resources, there's an opportunity to supply "a new security enforcement layer," Gelsinger said.
[Want to learn more about big changes Gelsinger sees coming to the datacenter? See VMware's Gelsinger: Datacenters Face Tectonic Shift.]
To explain the approach, he called on Martin Casado, VMware's CTO for networking and security. Casado told attendees he formerly worked on network security for US intelligence agencies (which he didn't name), and said he's happy to have a new weapon in his security arsenal: virtualization's hypervisor.
Inside the hypervisor is the vSwitch, or ESX Server's software switch, that moves traffic to and from the virtual machines served by a host server. Additional security intelligence can be added to hypervisor operations to inspect the traffic, watch for malware, guard against anomalies in application behavior, and block intruders.
Casado said the hypervisor that manages virtualized compute, virtualized networking, and virtualized storage sits in the datacenter's "Goldilocks zone" for security management. It is isolated from the activity at the edge of the network, where it's "too hot," but not buried so deep in the infrastructure that it can't supervise activity affecting applications ("too cold").
Network managers "like to put an agent at the endpoint of the network," noted Casado, but that exposes it to the large attack surface of end-user activity and running applications. A rules engine deep in the infrastructure can apply policies that reflect the security standards of the organization, but it's too far from the activity of running systems to know for sure what the context is.
"We think the hypervisor is in an ideal position to provide both context and isolation" for a new layer of watching security and managing activity in applications and on the network. Virtual machines, with their software-defined limits on what RAM, resources, and types of network access they may use, are easier to police individually than applications running in more general-purpose environments, he said.
Likewise, the future software-defined datacenter will be able to capture a definition of permitted operations and disallowed behavior for each virtual machine and apply it through the hypervisor. It wasn't clear from Gelsinger's and Casado's brief presentation what activities might still lie outside the surveillance of such a system or where new vulnerabilities might be inadvertently created. Nor was there any roadmap for when the new security enforcement layer might materialize in VMware's vSphere product line.
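As an added illustration of the "context and isolation" argument above (this is example code written for this page, not VMware's vSwitch or any VMware product code; the VM names, addresses, policy format and the VSwitchFilter class are all assumptions), the following Python model enforces per-VM policy at the virtual switch. The point it makes is that because the hypervisor knows which virtual port a frame entered on, policy can be keyed to VM identity rather than to addresses the guest writes into its own packets, so a compromised guest cannot borrow another VM's allow-list by spoofing that VM's MAC or IP.

```python
"""Added illustration: per-VM traffic policy enforced at a hypervisor's
virtual switch.  Not VMware code; the names, addresses and the policy
format below are assumptions made for this example."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    vport: int   # virtual port the hypervisor attached the VM's vNIC to
    mac: str     # MAC the hypervisor assigned to that vNIC
    ip: str      # address the VM is expected to source traffic from


@dataclass(frozen=True)
class Packet:
    in_vport: int    # supplied by the hypervisor, never by the guest
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def rule_matches(rule, pkt):
    """Hypothetical rule format: (dst_ip, dst_port, proto), "*" = any."""
    dst_ip, dst_port, proto = rule
    return ((dst_ip == "*" or dst_ip == pkt.dst_ip)
            and (dst_port == "*" or dst_port == pkt.dst_port)
            and (proto == "*" or proto == pkt.proto))


class VSwitchFilter:
    """Decides ALLOW/DROP per frame using the VM identity the hypervisor
    knows from the ingress vport, not from guest-supplied headers."""

    def __init__(self, vms, policy):
        self.by_vport = {vm.vport: vm for vm in vms}
        self.policy = policy          # vm name -> set of allowed outbound rules
        self.drops = Counter()        # per-VM drop counts: a cheap anomaly signal

    def filter(self, pkt):
        vm = self.by_vport.get(pkt.in_vport)
        if vm is None:
            self.drops["<unknown vport>"] += 1
            return "DROP", "no VM attached to vport %d" % pkt.in_vport
        # Isolation: a guest cannot assume another VM's identity by forging
        # L2/L3 source addresses; the hypervisor's vport binding wins.
        if pkt.src_mac != vm.mac or pkt.src_ip != vm.ip:
            self.drops[vm.name] += 1
            return "DROP", f"{vm.name}: forged source {pkt.src_mac}/{pkt.src_ip}"
        # Context: policy is looked up by VM identity, so the same 5-tuple
        # can be allowed for one VM and refused for another.
        for rule in self.policy.get(vm.name, ()):
            if rule_matches(rule, pkt):
                return "ALLOW", f"{vm.name}: matched {rule}"
        self.drops[vm.name] += 1
        return "DROP", f"{vm.name}: {pkt.proto} to {pkt.dst_ip}:{pkt.dst_port} not allowed"


def run_demo():
    """Constructed scenario: a web VM may reach a DB VM on 5432 and any
    host on 443; the DB VM may only do DNS lookups.  Returns the verdicts
    and the per-VM drop counter."""
    web = VM("web-01", vport=1, mac="00:50:56:00:00:01", ip="10.0.0.10")
    db = VM("db-01", vport=2, mac="00:50:56:00:00:02", ip="10.0.0.20")
    policy = {
        "web-01": {("10.0.0.20", 5432, "tcp"), ("*", 443, "tcp")},
        "db-01": {("10.0.0.53", 53, "udp")},
    }
    vsw = VSwitchFilter([web, db], policy)
    frames = [  # constructed sample frames
        # legitimate application traffic
        Packet(1, web.mac, web.ip, "10.0.0.20", 5432, "tcp"),
        # lateral-movement attempt: web VM probing SSH on the DB VM
        Packet(1, web.mac, web.ip, "10.0.0.20", 22, "tcp"),
        # DB VM forging the web VM's addresses to reach an HTTPS target
        Packet(2, web.mac, web.ip, "10.0.0.30", 443, "tcp"),
        # DB VM's own permitted DNS lookup
        Packet(2, db.mac, db.ip, "10.0.0.53", 53, "udp"),
        # frame arriving on a vport with no VM behind it
        Packet(9, "00:50:56:00:00:09", "10.0.0.90", "10.0.0.20", 5432, "tcp"),
    ]
    verdicts = [vsw.filter(f)[0] for f in frames]
    return verdicts, dict(vsw.drops)


if __name__ == "__main__":
    print(run_demo())
```

The drop counter is the part a detection engineer would extend: a VM whose rejected-flow count climbs is behaving outside its declared profile, which is exactly the kind of per-VM anomaly the keynote suggested the hypervisor is well placed to notice.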
But Gelsinger was clearly trying to move the discussion of the software-defined datacenter forward by adding a new security function and financial incentive for adopting it. If software-defined also means more secure, then VMware will have an additional argument for the vision it's been trying to articulate the past two years.
In a separate session at Interop, Casado spoke about the future of network virtualization, a subject on which he's been a leader since he helped create the OpenFlow protocol and co-founded Nicira, eventually acquired by VMware for $1.2 billion.
The network can be virtualized under VMware's NSX platform, he said, and such a network can be reduced in physical complexity. The physical equipment would provide only simple functions: point-to-point connectivity and packet replication. The more sophisticated features of networks no longer need to be embedded in the hardware. Instead, capacity planning, security policy assignment, and throughput management can be applied to the equipment as software decisions from a central controller.
The controller would run network-management applications that apply the rules the network owner has decided are appropriate. Switches and routers might be reconfigured based on the nature of the applications currently running and their traffic loads. Instead of the network perimeter being the ultimate point of defense, defenses might be placed at several key junctures around and inside the hypervisor, each positioned to detect and blunt a particular type of threat.
Gelsinger ended his keynote address with a kind of warning: "Network virtualization is an unstoppable force in the datacenter," he predicted. Neither he, his company, nor anyone else has the complete answer to how to implement virtualized networks with a new optimized, "ubiquitous" security layer. But he left little doubt that a lot of work is underway behind the scenes, both at VMware and at other software-defined networking companies, to attack the problem in a new way.