Virtualization demands new security weapons

Security in virtualized environments needs to be another layer in front of the protected zone

Greg Ness is a strong believer in virtualization. What the vice-president of marketing for Blue Lane Technologies, a software security company and VMware partner, doesn't believe in is enterprises applying last-war security theories to the new world of virtual machines.

"It's like the Maginot line," he says, referring to France's line of defense against the Germans preceding WWII. "The line had two problems: it was static, and it assumed that allies on the northern border would hold their own."

Instead, the Germans spoofed an attack to distract the French, then went around the edges through Belgium and the Netherlands.

"The Maginot line was an over-investment in old technology, a perfect set up for the last war," he says. "What we need to address security in virtualized environments is another layer in front of the protected zone. We are seeing people who can mutate around static security partitions. As more data and assets are virtualized there will be more and more vulnerabilities."

In a recent interview, Chris Whitener, Hewlett-Packard's director of enterprise storage and server security, also raised some red flags regarding virtualization and security.

"It's a bad idea to have a situation where you can switch out the operating systems with no logging, no security," he says. "As well, virtual machine user code and password systems often don't integrate with the rest of the IT structure, including identity management structures."

Virtualization security practices are improving, with some vendors taking the lead on the education front. Patrick Lin, VMware's senior director of product management and product marketing, said that best practices are a major focus.

But there are still challenges to be solved.

"Where is the machine, what is it connected to, what license is it running on, and how are we managing deployments?" asks Novell Canada CIO Ross Chevalier. "In a virtualized environment it is easy to light up another machine and bring it online, whereas normally hardware would require a robust set of processes."

Ness agrees, seeing further risk applying hardware-centric thinking to a virtualized environment. "There is change in front of and behind the network perimeter for virtualization that will erode the value proposition for traditional security approaches," he says. "Decisions have to be made as to which assets should be prioritized. You don't protect your diamonds and toothbrushes in the same way. If you do, you'll then lose fewer toothbrushes and more diamonds."

One of the problems is that the ability to "real-motion" (live-migrate) a running server provides flexibility, but it also leaves the perimeter without knowledge of the IP-address location of the assets in need of protection. The challenge is then to avoid creating policies so cumbersome that the benefits of virtualization are lost.

Virtual machines need to be tied in with security products, and the concern is that the security vendor community has been slow to see the risks associated with creating VMs on the fly.
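The two problems above (a live-migrated server that walks out from under an IP-keyed perimeter rule, and a VM "lit up" on the fly that no inventory process knows about) can be shown in a small model. The code below is an added illustration, not code from the article or from any vendor it names; the VM, rule and inventory names are constructed, and the assumption that a migration lands the VM on a different network segment is a simplification chosen to make the point visible.

```python
"""Toy model: static IP-keyed policy versus identity-bound policy under live
migration, plus a check for VMs running on a hypervisor with no inventory record.

Constructed example added for illustration; not code from the article or from
any vendor it names. All names, addresses and tags are made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str
    host: str                                   # hypervisor the VM currently runs on
    tags: set[str] = field(default_factory=set)  # identity labels, e.g. {"pci", "web"}


@dataclass
class IPRule:
    """Traditional perimeter rule: a protection keyed on an IP address."""
    ip: str
    protection: str


@dataclass
class TagRule:
    """Identity-bound rule: a protection keyed on what the VM is, not where it sits."""
    tag: str
    protection: str


def live_migrate(vm: VM, new_host: str, new_ip: str) -> VM:
    """Move a VM to another host. In this model the move lands the VM on another
    network segment, so its address changes; its identity (name, tags) does not."""
    return VM(name=vm.name, ip=new_ip, host=new_host, tags=set(vm.tags))


def protections_by_ip(vm: VM, rules: list[IPRule]) -> set[str]:
    """Protections a static, address-keyed perimeter would apply to this VM."""
    return {r.protection for r in rules if r.ip == vm.ip}


def protections_by_tag(vm: VM, rules: list[TagRule]) -> set[str]:
    """Protections an identity-keyed policy would apply to this VM."""
    return {r.protection for r in rules if r.tag in vm.tags}


def unregistered_vms(hypervisor_inventory: list[VM], cmdb_names: set[str]) -> list[str]:
    """VMs the hypervisor is running that no inventory/CMDB record knows about."""
    return sorted(vm.name for vm in hypervisor_inventory if vm.name not in cmdb_names)


# --- constructed sample data -------------------------------------------------
IP_RULES = [IPRule("10.1.0.5", "ips-signatures"), IPRule("10.1.0.5", "waf")]
TAG_RULES = [TagRule("pci", "ips-signatures"), TagRule("web", "waf")]
CMDB = {"web-01", "db-01"}  # what the change/inventory process knows about


def demo() -> dict:
    web = VM("web-01", "10.1.0.5", "esx-a", {"pci", "web"})
    before_ip = protections_by_ip(web, IP_RULES)
    before_tag = protections_by_tag(web, TAG_RULES)

    moved = live_migrate(web, "esx-b", "10.2.0.17")    # lands on another segment
    after_ip = protections_by_ip(moved, IP_RULES)       # static rule no longer matches
    after_tag = protections_by_tag(moved, TAG_RULES)    # identity rule still applies

    # What the hypervisor is actually running, including a clone nobody registered.
    running = [
        moved,
        VM("db-01", "10.1.0.9", "esx-a", {"pci", "db"}),
        VM("test-clone-7", "10.2.0.40", "esx-b", set()),
    ]
    return {
        "before_ip": before_ip,
        "before_tag": before_tag,
        "after_ip": after_ip,
        "after_tag": after_tag,
        "unregistered": unregistered_vms(running, CMDB),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the IP-keyed protections dropping to an empty set the moment the VM moves, while the tag-keyed protections follow the machine, and `test-clone-7` surfaces as a running VM that the inventory never saw; comparing the hypervisor's view against the inventory on a schedule is the kind of check that replaces the "robust set of processes" hardware used to force.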

The good news is that there are immense security advantages to virtualization, once attention is paid to the problem.

"The hypervisor can function as a strategic access point," says Ness, "and can help cover off the explosion in endpoints. Virtualization also allows us to take snapshots, to revert to previous versions."

Alex Vasilevsky, CTO and founder of Virtual Iron, a company that provides enterprise-class virtualization management software, believes that virtualized environments have the potential to be extremely robust.

"It's true that OS-hosted virtualization presented a wider surface for virus and malware attacks," he says, "but we run a bare metal hypervisor that takes advantage of advances by Intel and AMD. With native virtualization the interface is very narrow, unlike a traditional OS that has thousands and thousands of APIs."

From a security perspective, Andreas Antonopoulos, an analyst with New York City-based Nemertes Research, sees virtualization as providing short-term risk and long-term opportunity.

"The complexities of real-time migration of a virtual machine have not yet been addressed by security vendors. There is a new security market emerging where the hypervisor layer can be used to supplement and enhance security."

Antonopoulos echoes the advice of other experts that significant care has to be taken in deployment and segmentation. "VMware allows you to separate and compartmentalize applications, but these can also talk over the network without a firewall between them."

He is surprised there hasn't been a broader response in the security vendor community, particularly as virtualization has experienced such robust growth, and is finding new uses in the data center and labs.

"Cisco, Microsoft, and IBM have figured it out," he says, "but Symantec, McAfee, and smaller players are oblivious to virtualization. When I was at the RSA show, I saw hundreds of vendors with niche products, but only a handful that were directly dealing with virtualization."

This is because there has been too much of a network focus, and not enough understanding of how virtualization affects applications. For many years most attacks were at layers two, three, and four, with smaller companies focusing on the desktop and the network. Security companies, however, should be looking up the stack at layers five to seven.

Alex Vasilevsky points out that virtualization is useful for sandboxing and staging applications, that it is excellent for forensic analysis -- even allowing for playback of zero-day attacks -- and that virtual honeypots can provide an envelope within which an OS attack can be observed and then analyzed.

Tim Wilson

Network World Canada