Year in Review – Virtualization Security

2011 saw a shift in how virtualization security was viewed and it showed in the way companies teamed up to address those needs. Even so, the most basic of issues still exist: The thought that once you virtualize you are more secure, and the lack of general protection for the management constructs of a virtual or hybrid cloud environments. These two concepts have hindered adoption of virtualization security in 2011. Even so, there has been a steady shift through out the year as more and more companies talk about virtualization security. VMware has definitely lead the pack with its vShield Product line and its unified view of virtualization security. Other hypervisor vendors are also discussing virtualization security through their ecosystem, if not directly.  2011 saw many companies forging their own partnerships to augment and compete in this space. Will the hindrance continue? Will these partnerships continue into 2012? Or will we see more consolidation of the virtualization security market?

In 2011 there were several key announcements about team ups and products as well as some new architectural issues that have arisen that need to be addressed. Here is a recap of some of these stories:

Central to many of the partnerships seen in 2011 is one company, HyTrust, their product augments all virtual environment security practices and is in a unique position to augment but not compete, so partnerships make sense for HyTrust.  I saw HyTrust’s reach via its partners growing in 2011 as they now have some big fish in their partner pool: Cisco, CA, RSA, Trend Micro, etc.

Yet the other virtualization security vendors are also working through partnerships with each other and VMware. Catbird is reselling vShield App, while Trend Micro provides the first and still only vShield Endpoint integration. Yet, this same vShield Endpoint with its vSCSI integration technology was picked up by data protection companies such as ZeRTO to be their primary mechanism for data replication into and out of the cloud. Which still makes VMware the enabler of virtualization and cloud security tools of the future. They started with enabling VMsafe and have improved this to use a faster transport into and out of the VM.

Even with all these partnerships, attacks still abound, as the lowest handing fruit of virtual environment security is being overlooked by most environments: The segregation of the management layers from all else!

The PCI DSS 2.0 standard that came out in 2011 is the most proscriptive regulatory compliance and leaves one crucial decision in the hands of the auditor, and that is whether a virtual environment is mixed-mode or not by default, which could lead to interesting security decisions as PCI compliance is implemented. In either case, the PCI organization has put forth the concept that virtual environments are now in scope for PCI compliant workloads and need to be considered. This is a large step forward in the area of compliance!

However, there are still some vendor hold outs that claim once you virtualize you are more secure. This is a false statement and should be ignored. You must secure your virtual environment regardless of such statements else you have a false sense of security. I must say however, that I saw a marked decrease in this belief through 2011, I hope it disappears entirely in 2012.

It was a big year for virtualization security, but not in new fangle concepts but the steady growth and integration of existing thoughts and concepts into the virtual environment.  Visibility of the internals of a hypervisor have grown to allow for better security tools and decisions to be made such as the concept of fail-safe, where security tools and architectures do not fail-open or closed, but safely with increased defense in depth. Trend Micro’s Deep Security product contains built-in fail-safe controls, while others require this to be architected prior to deployment by increasing defense-in-depth.

Virtual Environment and all security is all about defense-in-depth and 2011 saw increases in tools to provide a unified defense-in-depth not only for the virtual environment but the hybrid cloud. Tools from VMware, Vyatta, AFORE Technologies, Trend Micro, and HyTrust as well as many others all increase defense-in-depth for the virtual environment, but they also require good architectures before deployment.

2011 continued 2010’s push for security tools that see more, do more, and integrate within the virtual and cloud environments which not only includes hypervisors and everything they can see, but the physical environment as well. The physical environment integrates tighter with the hypervisor with security concepts and tools extending from the virtual into the physical and visa versa; specifically in the area of virtual and physical networking. Physical networking has gotten a whole lot smarter about virtual constructs and therefore can be authoritative about what is on the network using tools from Cisco, Brocade, Arista, and others. This tight integration between virtual and physical networks also provides another layer of defense.

Even with all these advancements in 2011, it is still all about the Architecture. We need to continue to architect security into the virtual and hybrid cloud environments from the beginning and not try to bolt on security after the fact. This is not lost on the partnerships being formed, which I see continuing through 2012. I expect some consolidation between companies but more partnerships being formed over all.

Everything starts with Architecture! And you need to consider these ecosystem partnerships when architecting security solutions for your virtual and cloud environment.