Comment: Are we really securing virtualisation or just virtualising security?

Collier asks: "Can we not just amend what we already have and call it our virtualisation solution?"
Collier asks: "Can we not just amend what we already have and call it our virtualisation solution?"

When VocalTec released the first commercial Internet phone software in 1995, a new market sector was born. It was duly baptised as “convergence” and, for many years, that buzzword was plastered across just about every mailer, every advert and every trade show going. Some 15 years later we are now seeing the birth of a new “convergence”: virtualisation is dovetailing ever more with security.

So is this a strong enough development to spawn a new industry, particularly when the two component parts are such fast-moving, innovative (not to mention massive) markets in their own right?

Anyone visiting this year’s Infosecurity Europe Exhibition saw that there are two approaches emerging: you can either secure virtualisation or you can virtualise security. The difference is much more than just semantics and could prove to be very significant for organisations grappling with these two key IT issues.

Many would say the pressure is on the IT security vendors to make their play. The virtualisation vendors have a responsibility, of course, to write stable, secure code but the onus is very much with the security specialists to shore up this new way of working. There are some security vendors doing this (securing virtualisation), but the majority are simply adapting existing technology to suit this brave new world (virtualising security).

So is one approach better than the other and how do we know it’s not just all vendor marketing hype? When creating technologies specifically for virtualised environments, is this new layer of abstraction (the hypervisor) really enough of a game-changer to send us scuttling back to the drawing board to recreate from scratch? Or can we not just amend what we already have and call it our virtualisation solution?

Securing virtualisation

Certainly in the case of hardware, if you want to make the most of your (often very expensive) virtualisation solution, it is strongly advisable to look at deploying dedicated virtualisation appliances rather than standard everyday servers. The required CPU to RAM ratio needs to change as RAM becomes an enabler to high virtual machine (VM) density.

The quality of network and storage components is vital, as there are no moving parts in a purpose-built virtualisation appliance and input/output (I/O) between appliance and storage is, therefore, critical. Disaster recovery and hardware failover concerns take on ever-increasing importance the more you consolidate.

But this is just the hardware platform – security is arguably much higher up the scale of importance. Trend Micro is one vendor taking things seriously. They bought Third Brigade, a specialist in virtual server security, in the spring of 2009 and have since incorporated their technology and patents into the current product, Deep Security.

Check Point did not acquire but built their VPN-1 VE (Virtual Edition) pretty much from scratch – albeit protecting VMware-based servers only (thus far).

Tripwire is another vendor with strong, bona fide claims to a niche in the “securing virtualisation” market, along with other slightly more specialised players such as Catbird or Altor Networks.

Virtualising security

All of these vendors recognised early that new challenges are spawned by the inherent convenience virtualisation brings with it and they met those challenges head-on. Other vendors have not taken things quite so earnestly; releasing a virtual appliance of your product does not necessarily constitute securing virtualisation. Rather more, it’s akin to virtualising security.

Admittedly VMware, still the undisputed king of server virtualisation, does not exactly shout from the rooftops that virtual servers require specialist security products and therefore there is no mainstream for it yet, but this does not mean specialist products aren’t required, particularly from a compliance perspective. The problem, currently, is that there is no universally acknowledged best practice for securing one physical server running ten virtual workloads, as opposed to ten servers running one workload each.

The two scenarios must, surely, be treated differently. VM sprawl, change management and knock-on compliance issues, USB sticks big enough to fit entire virtual machines, inventory and asset management, identification of infection sources, ease of infection outbreak between virtual machines on the same hardware.

All these issues, and others, require specialist attention and, with the exception of a minority, security vendors may not currently be giving this the attention it deserves. Out of the 324 vendors at this year’s Infosecurity Europe show, only 16 ticked the separate virtualisation box. And some of those claims were dubious at best.

Let’s not be too hard on vendors just yet though. Virtualisation, believe it or not, is still not in mass adoption. It has only been in the last couple of years that virtualisation has begun filtering through from the testing and development world into mainstream use, where Internet-facing servers become a factor.

Most of the individual security challenges companies face with virtualised worlds may still be in front of us. The PCI-DSS was set up to specify agreed best practices for those taking card payments over the Internet and, if necessary, force companies to increase levels of security.

Perhaps it’s time for the virtualisation industry to develop its own set of standards that will provide companies and users with a framework for working in a secure, virtualised world?

Rupert Collier is product manager for virtualisation at COMPUTERLINKS, a next-generation distributor based in Newmarket, Suffolk. Since joining in 2005, he has worked with a variety of virtualisation technologies, most notably as product manager for Citrix.

What’s hot on Infosecurity Magazine?