The Virtualization Practice

Virtualization Security

Virtualization Security focuses upon end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds. Virtualization Security starts where the cloud and virtual environments begin: the end user computing device. ...
We follow the user through the virtual and cloud stacks until they reach the application the user wishes to use to retrieve the data that is important to them. Virtualization and cloud security is implemented where there is an intersection between user, data, and application while maintain strict control of management interfaces. As such virtualization security looks into all aspects of security devices, tools, controls, and guides that impact or can be used to secure virtual and cloud environments.

The Virtualization Security Podcast on 10/21 was the third in a series of Virtual Desktop Security discussions we are having. The special guest panelist was Chris Mayers of one of the Chief Security Architects for Citrix, the makers of XenServer, XenClient, and the FlexCast solutions. FlexCast provides an all encompassing method to provide virtual desktop and applications that include the following mechanisms:

Let us look at each of these mechanisms in a bit of detail then discuss how they work to provide Security and how to secure them.

The Virtualization Security Podcast on 10/7 was the second in a series of Virtual Desktop Security discussions we will are having. The special guest panelist was Simon Graham of Virtual Computer, the makers of NxTop a client side hypervisor based on Xen. On this podcast, we went into the details of NxTop.

The engineers at Virtual Computer have thought about nearly everything when it comes to a Client Hypervisor. NxTop operates as a standalone or as a centrally managed client hypervisor. The difference is fairly stark. I feel that most people in the Enterprise unless this is a one off situation would want to use the managed client hypervisor.

If we are going to start over, why not really start over and reinvent the entire infrastructure and management software industries in the process. That way we end up with an infrastructure that was actually designed for the dynamic, agile, and scalable use cases that we are trying to address with a green field approach, and an appropriate set of management tools as well. Is this going to happen? You can bet that there are already VC funded startups in stealth mode working on it.

Does Public or Private make a difference to Cloud Security?

When we talk about Cloud Security, the main concept is to separate, as an example, Coke from Pepsi. This implies that Tenant’s cannot impact the availability of each others data, the integrity of that data, and the confidentiality of that data. But what does this actually mean? Does this apply to all types of clouds in the same way?

There are three types of cloud families: Private, Hybrid, Public. There are at least 3 types of clouds: SaaS, PaaS, and IaaS. Do the same rules for one cloud family work for all cloud families? as well as for the types of clouds?

I believe the answer is yes.

Christofer Hoff (@Beaker) and I had a short discussion on twitter the other day about the VMware Cloud Director (vCD) security guidance. We both felt it was a bit lite and missed the point of Secure Multi Tenancy. However, I feel even more strongly that people will implement what is in the vCD Guidance, vBlock Security Guidance, and the vSphere Hardening Guidance, and in effect have a completely insecure cloud. These three guides look at the problem as if they were singular entities and not as a whole.

The Virtualization Security Podcast on 9/16 was the first in a series of Virtual Desktop Security discussions we will be having. The special guest panelist was Bill McGee from Trend Micro who helped us to understand their implementation of Deep Security 7.5’s Anti-Virus and Anti-Malware (AV collectively) within the virtual desktop.

Trend Micro’s product makes use of enabling technology within vShield Endpoint to provide offloaded AV and Anti-Malware scanning of virtual machines using only one set of rules and one VM to do the actual scanning. Removing the per VM rule set and processing that currently takes place within the VM.

VMware’s 5 Businesses and the “New Stack”

VMware dominates the enterprise virtualization platform business with vSphere, and is poised to create a vSphere compatible public cloud ecosystem around vCloud. Layering Management software on top of these platforms is a logical progression up the value stack, as is layering an applications platform (vFabric) on top of vSphere and vCloud. VMware’s end user computing strategy seems to be too tied to VDI to be able to break out of the fundamental limitations associated with this approach, and will likely leave the larger question of how to manage the next generation desktop to the previously mentioned startups and perhaps Symantec.

Virtualization Security was one of the BIG Deals at VMworld with several announcements:

* VMware vShield Edge, App, and End Point
* Trend Micro will have the first product making use of vShield End Point
* Cisco Virtual Security Gateway (VSG)
* HyTrust and their growing list of technology partners

But the biggest news is that Virtualization Security is finally on the radar of most if not all C-level as it is now seen as the gate to entering the cloud. But before we can solve the cloud security issue we have to solve the virtualization security issues. VMware’s announcement has the most impact on the virtualization security ecosystem. At once they are competing head-to-head with some vendors while providing a platform to use for other vendors.