Why Do We Need Virtual Security?
A new class of products called "virtual security" has emerged to tackle the security challenges posed by virtual deployments.
Virtualization has proven incredibly effective at improving operational agility, reducing IT operating costs and lowering data center power and cooling expenses. For these reasons, enterprises world-wide are continuing to heavily invest in virtualization despite the severe economic down-turn affecting most other IT sectors.
Virtualization was first popularized by VMware with a workstation product aimed at developers. Instead of purchasing several PCs per developer, VMware created a similar environment using virtual machines on a single PC. VMware, quickly recognized that the benefits of virtualization also applied to servers and launched its ESX product in 2001. It was first embraced by R&D departments as a cost saver for test and development servers.
The early years of server virtualization were mostly about "test-and-dev". Little attention was paid to securing this new infrastructure. The virtualized applications were not mission critical, and developers generally disliked the restrictions that would be imposed by implementing a security policy. Security best practices were not implemented, nor fully developed, to protect these initial deployments.
As server virtualization and its multitude of benefits became more widely recognized, other departments began adopting virtualization. Eventually, a myriad of virtualized applications were implemented across HR, Finance, Marketing and Sales. Today, many organizations are looking to virtualize most of their data center to realize the benefits of increased agility and lower IT operating costs; some companies actually plan to be 99% virtual in the coming years.
Unfortunately, in the rush to virtualize the industry never took pause to recognize the new security issues that come along with the adoption of this new infrastructure. Security best-practices are still an elusive concept, as they were never fully developed in the early "test-and-dev" deployment days. As more mission-critical and externally-facing applications (i.e, DMZ) go virtual, it is imperative for the industry to implement security controls to protect these deployments. Some common risk factors include mixing VMs of different trust-levels (e.g., QA and Production, R&D and Finance) on a single physical host, with no security monitoring or inspection of the network communication amongst these VMs. This problem is exacerbated by Live-Migration as VMs can dynamically move around the data-center, making unintentional trust-level breaches more common and very difficult to track.
Fortunately, a new class of products called virtual security has emerged to tackle the security challenges posed by virtual deployments. Purpose-built virtual security solutions closely integrate with the virtual environment, and permanently attach a security policy to each VM even as it moves to another physical server through Live Migration. By permanently locking down each VM to its intended use (e.g., only allowing port-80 traffic to a web server), an enterprise can achieve defense-in-depth while still retaining all the agility and benefits of virtualization. In fact, by leveraging the unique capabilities of virtualization, virtual security products can combine new techniques such as VM introspection (i.e., looking inside a VM from the hypervisor) along with network controls to deliver innovative security capabilities. Gartner analyst Neil MacDonald recently referred to this innovation as "virtual exploitive" in his blog posting about the development stages of virtual security.
By properly embracing virtual security, companies can actually make their virtual data center more secure than its physical counterpart.
Read the previous VirtSec entry:
“Top Threat: Conficker” by Altor Engineering