The rush toward virtualisation of internal enterprise computing resources and cloud computing can have many advantages, such as server consolidation, but it's largely outracing traditional security and identity management practices.
That's leaving huge gaps, a sense of chaos and questions about where security products and services should be applied in the world of multi-vendor virtual-machine (VM) hypervisors.
"Virtualisation will radically change how you secure and manage your computing environment," Gartner analyst Neil MacDonald said this week at a Gartner Security and Risk Management Summit in the US. "Workloads are more mobile, and more difficult to secure. It breaks the security policies tied to physical location. We need security policies independent of network topology."
Gartner estimates almost half of x86-based server workloads are virtualised today, with VMware the clear market leader, but with Microsoft Hyper-V on the rise and Citrix a contender. Gartner advocates that enterprises plan to move to a private-cloud architecture. But at the same time, the consultancy acknowledged management tools and security really haven't risen to meet the occasion.
"The hypervisor will be less secure than the physical systems they replace," MacDonald said. "The integrity of that bottom layer is paramount. The hypervisor layer you don't want compromised."
Today there's often a "lack of visibility and controls on internal VM-to-VM communications," said MacDonald. "Should VM No. 1 be talking to VM No. 3? How do you know they're not attacking? The traffic never comes out onto our physical network." Some companies are willing to live with this uncertainty, others not, MacDonald said.
But it is questions such as these that must be addressed to find out what options exist for tackling virtualisation and cloud security. In MacDonald's view, a wide range of security controls is needed in the VM, such as virtual firewalls, intrusion-prevention systems and antivirus, in addition to load balancers and traffic shapers.
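The gap MacDonald describes (VM-to-VM traffic that never reaches a physical sensor) is typically closed by pairing a flow feed from the virtual switch with a per-workload allow-list that does not depend on network topology. The Python below is an added example, not code from the article or from any vendor it names; the flow-record format, the VM names and the policy are constructed assumptions, and the audit simply reports every flow the policy does not explicitly permit.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed flow records, in the shape a virtual-switch flow export or a
# hypervisor introspection hook might produce (assumed format:
# "<src_vm> <dst_vm> <proto> <dst_port> <bytes>", one record per line).
# None of these flows ever crosses a physical NIC, so a physical IDS is blind to them.
SAMPLE_FLOWS = """\
# src  dst  proto dport bytes
vm1 vm2 tcp 443 18234
vm2 vm3 tcp 3306 55000
vm1 vm3 tcp 445 7120
vm3 vm1 tcp 22 910
vm2 vm3 udp 53 240
"""

# Allow-list keyed on workload identity rather than IP subnet, so the rule still
# applies after a VM migrates to another host. "*" in the port field matches any port.
Rule = Tuple[str, str, str, str]
POLICY: Set[Rule] = {
    ("vm1", "vm2", "tcp", "443"),   # web tier -> app tier (hypothetical roles)
    ("vm2", "vm3", "tcp", "3306"),  # app tier -> database
    ("vm2", "vm3", "udp", "*"),     # app tier -> database host, any UDP port
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-record format, skipping blanks and comments."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), dport, int(nbytes)))
    return flows


def is_allowed(flow: Flow, policy: Set[Rule]) -> bool:
    """A flow is permitted only if an exact or wildcard-port rule covers it (default deny)."""
    return ((flow.src, flow.dst, flow.proto, flow.dport) in policy
            or (flow.src, flow.dst, flow.proto, "*") in policy)


def audit(flows: Iterable[Flow], policy: Set[Rule]) -> List[Flow]:
    """Return every VM-to-VM flow the policy does not explicitly permit."""
    return [f for f in flows if not is_allowed(f, policy)]


def audit_text(text: str, policy: Set[Rule]) -> List[Flow]:
    """Convenience wrapper: parse a flow export and audit it in one call."""
    return audit(parse_flows(text), policy)


if __name__ == "__main__":
    for v in audit_text(SAMPLE_FLOWS, POLICY):
        print(f"unexpected VM-to-VM flow: {v.src} -> {v.dst} {v.proto}/{v.dport} ({v.nbytes} bytes)")
```

Run against the constructed export, the audit flags the two flows the policy never contemplated (web tier reaching the database over SMB, and the database initiating SSH back to the web tier), which is exactly the "should VM No. 1 be talking to VM No. 3?" question answered from data rather than assumption.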
Increasingly, vendors such as Altor, Cisco, Juniper, IBM, Hytrust, HP, Enterasys, McAfee, Catbird, StillSecure, Sourcefire, Reflex Systems and StoneSoft are offering virtual-appliance options for firewalling, monitoring and intrusion-prevention, for example. For the VMware platform, "Check Point has gotten furthest along," said MacDonald. "After a slow start, finally the big security vendors are making progress on their virtual-security controls."
VMware has provided VMSafe APIs to facilitate hypervisor-based "introspection" so that multiple software agents are no longer required. The need to deploy and run agent software has traditionally "been the bane of our existence," MacDonald acknowledged. But there are still a lot of questions about exactly how this works.
Trend Micro, seen as the No. 3 player in antivirus behind Symantec and McAfee, has been the fastest to embrace some of VMware's ideas on this, including support for VMware's latest security APIs, vShield, in its Deep Security product, which can perform A/V scanning for vSphere. Trend Micro has been charging less for VM-based A/V software, perhaps figuring "it has nothing to lose," MacDonald said.
The downside of the Trend Micro Deep Security approach with vShield, though, is that "stub code" for VMware and a hypervisor extension are still needed to make it work; it is also Windows-only, and it quarantines but does not remove malware infections, since it only performs anti-malware scanning, MacDonald said. A further possible drawback of vShield, which has the software take on the role of firewall, is that it is so specific to VMware vSphere that customers will end up with "another silo."
The transition to more virtualisation-focused, software-based security controls, though now filled with uncertainties, is still expected to occur. Although such controls are deployed only "in the single digits today," Gartner predicts that by 2015, 40% of security controls, such as antivirus, will be virtualised. This will happen, MacDonald added, despite the fact that vendors such as Cisco and Juniper have been dragging their feet because they like to sell "overpriced physical hardware."
At this point, the main idea is to "treat the virtualisation platform as the most important IT platform in your data centre, from a security and management perspective," MacDonald said.