Virtualization.com

News and insights from the vibrant world of virtualization and cloud computing

Search Results for: virtualization security

Research and Markets Releases New Report on Virtualization Security

by Leave a Comment

Research and Markets has announced the addition of the “Virtualization Security: The Early Stages of a New Battleground” report to their offering. Here’s the run-down they’ve provided via press release:

With the rush to adopt virtual technologies, the security of virtualization has become a primary concern – yet few understand the security implications of this disruptive innovation. In this report, EMA provides guidance for IT practitioners seeking to secure their virtual environments. With a simple, five-phase approach to virtualization security as the centerpiece of this study, EMA takes an initial look at virtualization threats and vulnerabilities, and considers the security benefits of virtualization. Market insight from EMA’s 2008 virtualization survey of over 600 enterprises takes a sampling of the steps organizations are – and are not – taking today to secure virtual environments. Until virtualized security measures mature, this report focuses on what enterprises can do today to secure virtualization and seize the unique opportunity to integrate security early in the adoption of this game-changing technology – before it’s too late.

The rapid adoption of virtualization technology has created multiple benefits for IT organizations. Advantages such as the reduction of cost through more efficient resource utilization are obvious; however, these benefits can quickly be negated if virtualization opens a door to a major security incident.
Many researchers have argued about the security implications of a migration towards IT virtualization. Some say that virtual solutions increase the risks faced by an organization, others argue that there is no impact at all, while still others argue that the implementation of virtualization allows organizations to actually reduce risk. The reality is that virtualization can do all of these, depending on the way it is designed, implemented and used. It is therefore imperative that IT managers have a high-level understanding of the security issues that can affect their virtual environments, and of the approaches that can address those issues. Through this understanding, enterprises can ensure that the delicate balance between functionality and security results in the greatest business benefit with the fewest risks. Moreover, executives can assure that their organizations take advantage of the opportunity that virtualization offers to put security at the forefront and thus avoid future security issues and costs.

In this report, an initial look at the emerging challenge of securing virtualization, as well the security benefits of this disruptive technology. The reader will be presented with an introductory view of threats and vulnerabilities affecting virtual environments, as well as recommendations for pursuing a simple five-phase process that can be tailored to any environment in order to implement virtual solutions in a secure manner. Through infrastructure consolidation strategy and design, administrative process management, network strategy and design in extending the layered security model, configuration management, and risk assessment, this five-phase approach addresses specific virtualization security risks in order to strengthen both the security and operational benefits virtualization offers the business.

A Round Table on Virtualization Security with Industry Experts

by 3 Comments

Virtualization security or ‘virtsec’ is one of the hottest topics in virtualization town. But do we need another abbreviation on our streets? Does virtualization require its own security approach and how would it be different from the physical world?

Different opinions fly around in the blogosphere and among vendors. Some security experts claim there is nothing new under the sun and the VirtSec people are just trying to sell products based on the Virtualization Hype. Some see a genuine need to secure new elements in the infrastructure, others claim that Virtualization allows new capabilities to raise security from the ground up and cynics claim it is just a way for the Virtualization industry to get a larger piece from the security budget.

So our editors Tarry and Kris set out to clarify the different opinions, together with the support of StackSafe, they organized a conference call with some of the most prominent bloggers, industry analyst and vendors in this emerging field.

On the call were Joe Pendry (Director of Marketing at StackSafe), Kris Buytaert (Principle at Consultant Inuits), Tarry Singh (Industry/Market Analyst Founder & CEO of Avastu), Andreas Antonopoulos (SVP & Founding Partner at Nemertes Research),Allwyn Sequeira (SVP & CTO at Blue Lane), Michael Berman (CTO at Catbird), Chris Hoff (Chief Security Architect – Systems & Technology Division and Blogger at Unisys) and Hezi Moore (President, Founder & CTO at Reflex Security)

During our initial chats with different security experts their question was simple: “what does virtsec mean?”. Depending on our proposed definition, opinions varied.

So obviously the first topic for discussion was the definition of VirtSec:

Allwyn Sequeira from Blue Lane kicked off the discussion by telling us that he defined Virt Sec as “Anything that is not host security or that’s not network-based security. If there’s a gap there, I believe that gap – in the context of virtualization – would fall under the realm of virtualization security. ” He continued to question who is in charge of Inter-VM communication security, or how features such as Virtual Machine Migration and Snapshottiting add a different complexity to todays infrastructure.

Andreas Antonopoulos of Nemertes Research takes a different approach and has two ways of looking at VirtSec “How do you secure a virtualized environment” and in his opinion a more interesting question is “How do you virtualize all of the security infrastructure in an organization” Andreas also wonders how to call the new evolutions “What do you call something that inspects memory inside of VM and inspects traffic and correlates the results? We don’t really have a definition for that today, because it was impossible, so we never considered it.” He expects virtualization to change the security landscape “Just like virtualization has blurred the line between physical server, virtual server, network and various other aspects of IT, I see blurring the lines within security very much and transforming the entire industry.”

Hezi Moore from Reflex Security wants to search for actual problems. He wants to know what changed since we started virtualizing our infrastructures. “A lot of the challenges that we faced before we virtualized; are still being faced after we virtualized. But a lot of them got really intensified, got much more in higher rate and much more serious.”

Michael Berman from Catbird thinks the biggest role of VirtSec still is Education, “..and the interesting thing I find is the one thing we all know that never changes is human nature.” He is afraid of virtualization changing the way systems are being deployed with no eye on security. Virtualization made it a lot easier to bypass the security officers and the auditors. The speed at which one can deploy a virtual instance and a bigger number of them has changed drastically regarding to a physical only environment, and security policies and procedures have still to catch up. “We can have an argument whether the vendors are responsible for security, whether the hypervisors about who attack servers. The big deal here is the human factor. “

Chris Hoff summarizes the different interpretations of VirtSec in three bullets:

  • One, there is security in virtualization, which is really talking about the underlying platforms, the hypervisors. The answer there is a basic level of trust in your vendors. The same we do with operating systems, and we all know how well that works out.
  • Number two is virtualized security, which is really ‘operationalization’, which is really how we actually go ahead and take policies and deploy them.
  • The third one is really gaining security through virtualization, which is another point.

Over the past decade different Virtualization threats have surfaced, some with more truth than others. About a decade ago when Sun introduced their E10K system, they were boasting they really had 100% isolation between guest and host OS. But malicious minds figured out how to abuse the management framework to go from one partition to another. Joana Rutkowska’s “Blue Pill” Vulnerability Theory turned out to more of a myth than actual danger. But what is the VirtSec industry really worried about?

It seems the market is not worried about these kind of exploits yet. They are more worried about the total lack of security awareness. Andreas Antonopoulos summarizes this quite well “I don’t see much point in really thinking too much about five steps ahead, worrying about VM Escape, worrying about hypervisor security, etc. when we’re running Windows on top of these systems and they’re sitting there naked”.

Allwyn from Blue Lane however thinks this is an issue…certainly with Cloud Computing becoming more popular, we suggest to seriously think about how to tackle deployment of Virtual Machines in environments we don’t fully control. The Virtual Service Providers will have to provide us with a secure way to manage our platforms, and enough guarantee that upon deployment of multiple services these can communicate in a secured and isolated fashion.

Other people think we first have to focus on the Human Factor, we still aren’t paying enough attention to security in the physical infrastructure, so we better focus on the easy to implement solutions that are available today, rather than to worry about, exploits that might or might not occur one day.

Michael Berman from Catbird thinks that Virtualization vendors are responsible to protect the security of their guest. A memory Breakout seems inevitable, but we need to focus on the basic problems before tackling the more esoteric issues…He is worried about scenarios where old NT setups, or other insecure platforms are being migrated from one part of the network to another, and what damages can occur from such events.

Part of the discussion was about standardization, and if standardization could help in the security arena. Chris Hoff reasons that today we see mostly server virtualization, but there is much more to come, client virtualization, network virtualization, etc. As he says: “I don’t think there will be one one ring zero to rule them all.”. There are more and more vendors joining the market, VMWare, Oracle, Citrix, Cisco, Qumranet and different others have different Virtualization platforms and some vendors have based their products on top of them.

In the security industry standardization has typically been looked at as a bad thing, the more identical platforms you have the easier it will be for an attacker, if he breaks one, he has similar access to the others. Building a multi-vendor or multi-technology security infrastructure is common practice.

Another important change is the shift of responsibilities, traditionally you had the Systems people and the network people, and with some luck an isolated security role. Today the Systems people are deploying virtual machines at a much higher rate , and because of Virtualization they take charge of part of the network, hence giving the Network people less control. And the security folks less visibility

Allwyn Sequeira from Blue Lane thinks the future will bring us streams of Virtualization Security, the organizations with legacy will go for good VLAN segmentation and some tricks left and right because the way they use Virtualization blocks them for doing otherwise. He thinks the real innovation will come from people who can start with an empty drawing board.

Andreas Antonopoulos from Nemertes Research summarized that we all agree that the Virtualization companies have a responsibility to secure their hypervisor. There is a lot of work to be done in taking responsibility so that we can implement at least basic security. The next step is to get security on to the management dashboard , because if the platform is secure, but the management layer is a wide open goal, we haven’t gained anything.

Most security experts we talked to still prefer to virtualize their current security infrastructure vover the products that focus on securing virtualization. There is a thin line between needing a product that secures a virtual platform and changing your architecture and best practices to a regular security product fits in a Virtualized environment.

But all parties seem to agree that lots of the need for VirtSec comes from changing scale, and no matter what tools you throw at it, it’s still a people problem

The whole VirtSec discussion has just started, it’s obvious that there will be a lot of work to be done and new evolutions will pop up left and right. I`m looking forward to that future So as Chriss Hoff said “Security is like bell bottoms, every 10-15 years or so it comes back in style”, this time with a Virtualization sauce.

Listen to the full audio of the conference call!

Tresys Ships VM Fortress, Aims To Meet High End Desktop Virtualization Security Needs

by Leave a Comment

Tresys Technology, a provider of technology and services for customers with high security requirements, today announced (PDF) the availability of Tresys VM Fortress, a patent-pending secure desktop virtualization technology for organizations seeking strong security and operational integrity.

VM Fortress (not to be confused with vFortress, a company recently acquired by Propalms), aims to give organizations with high-end security needs the ability to utilize desktop virtualization without compromising protection by strengthening the guest operations system and the virtualization software itself to withstand the most threatening of compromises.

According to the press release, VM Fortress benefits and market differentiators include:

  • Strong Endpoint Security: Providing strong, independent control over system resources by leveraging the flexible mandatory access control (MAC) features provided by Security Enhanced Linux (SELinux) to limit damage caused by exploitable vulnerabilities in virtual machines
  • Decreased Operational Costs: Removing the barrier of entry to desktop consolidation where security assurance is a high priority; leveraging stronger MAC security reduces the damage and costs to desktop environments should they become attacked
  • Increased Data Confidentiality & Integrity: Providing separation for the user and the application on a per VM basis, ensuring that data is not leaked across VMs and that applications cannot interfere with each other while sharing the same hardware resources
  • Increased Operational Integrity: Limiting the effects of attacks and errors, so that vulnerabilities in one VM cannot be exploited to gain access to other VMs or to the host operating system
  • Ease of Management/Deployment: Systems can be deployed over the network from a central installation server and VMs can be remotely downloaded on demand by the user

A Conversation About Virtualization Security, The Quotes

by 2 Comments

Last week, an interesting conference call took place with several industry leaders in the virtualization security (virtsec) area, initiated by Virtualization.com. The panel included:

  • Joe Pendry, Director of Marketing – StackSafe,
  • Kris Buytaert – Infrastructure Architect; Open Source Expert; Principle Consultant Inuits; Blogger & editor at Virtualization.xom,
  • Tarry Singh – Sr. Consultant, Blogger, Industry/Market Analyst; Founder & CEO of Avastu & editor at Virtualization.xom
  • Andreas Antonopoulos, SVP & Founding Partner – Nemertes Research
  • Allwyn Sequeira ,SVP & CTO – Blue Lane, Michael Berman, CTO – Catbird
  • Chris Hoff, Chief Security Architect – Systems & Technology Division and Blogger – Unisys
  • Hezi Moore, President, Founder & CTO – Reflex Security

We’ll publish the highlights from our conversations shortly, but as a teaser, here are some of the most interesting quotes:

“I don’t see much point in really thinking too much about five steps ahead, worrying about VM Escape, worrying about hypervisor security, etc. when we’re running Windows on top of these systems and they’re sitting there naked.”

“We’re dealing with virtualized storage, while nobody will ever raise their hand saying they’re a security expert when it comes to that.”

“More than 75 percent of the people we asked, how are you securing virtualized environments? Their answer was VLANs. That’s where we stand today.”

“This was a network guy and his email went: WTF, you need 30 VLANS on one server? That’s the first time he became aware of virtualization. That team wasn’t even working with him. And the first inkling he had when he got a request that was just so out of the norm he just didn’t know what was going on.”

“To me, security is like bell bottoms, every 10-15 years or so, it comes back into style.”

Watch Virtualization.com for more!

Who Owns Virtualization Security? The Hoff/Crosby Debate

by 5 Comments

We’ve decided to cross-publish a blog post by Gregory Ness, VP of Marketing for Blue Lane Technologies, because we think it delivers a good insight in the whole Hoff/Crosby debate about virtualization security (virtsec, if you will).

Gregory NessLast year when I blogged about the impact of virtsec on the world of static security I focused on how virtualization could degrade the effectiveness of security solutions. Since then we’ve seen a surge of vendor marketing around virtualization security (virtsec), from a growing corral of one trick pony start-ups with various Barney announcements (“I love you, you love me…”) to the likes of the world’s leading security companies joining VMware’s unprecedented, visionary VMsafe initiative.

Last month I blogged about data center security’s key requirements, which included virtsec. My point was that virtsec will require more intelligence and agility than perimeter network security, because it will need to be deployed within the hypervisor layer and will consume hypervisor resources. Simply moving deep packet regular expression inspection engines into the hypervisor layer could add big hypervisor footprints and/or unacceptable levels of latency. These problems aren’t new; they’ve been hidden by faster and faster dedicated hardware at the network perimeter.

That’s why I found a recent virtsec blog exchange between Hoff and Crosby so disconcerting. Two brilliant guys with two very different perspectives are arguing about the ownership and accountability of virtualization security. Chris Hoff is a security guru with a sizable following who has been among the most vocal on the virtsec challenge. Security blogger Rothman calls Hoff Captain Virtual because he has been on a tear when it comes to the blog debate around virtsec.

Simon Crosby is leading the virtualization charge for Xen/Citrix and he insists that virtualization platform vendors should stay focused on securing their platform versus the new infrastructure they’re enabling. Like Chris, Simon is one very smart guy with a deep technology background in virtualization. And from Simon’s perspective he doesn’t sound unreasonable.

The virtualization security debate thus far has had so many issues swept underneath it by various parties that it resembles a lumpy rug. Simon and Chris are exposing some of the lumps as they humor each other with comments about smoking cigars from the wrong end and the following (from Hoff):

“Focusing only on your little patch of grass is short-sighted and it won’t work. Just like it hasn’t worked in the past. It’s a disaster waiting to happen, and you’re enabling it”. – Hoff

The problem isn’t that these two very smart guys disagree; it’s rather that this disagreement promises to play itself out on a micro-level in enterprises around the world, as I commented last year in “VM Security- The Keys to the Virtualization Kingdom.” And no one stands to win, except those hoping for a slow adoption.

Perhaps Rothman is right to suggest that security will stay tactical and reactionary when it comes to virtsec, because that has been the recent history of netsec on many fronts. Yet if virtsec isn’t done right it could jeopardize the very flexibility and efficiency that virtualization enables. Strategic virtsec is an enabler of growth; tactical virtsec is a rocky road.
Rothman’s scenario seems to anticipate the rocky road: the slow and grinding deployment of hypervisors in production stretched out for years, as tactical decisions and budgets respond to new risks and events driven by cycles of hacks, reactionary regulatory responses and internal operations and security discussions. Feels a lot like the status quo today, doesn’t it? I hope he’s wrong.

The colorful and spirited debate between Hoff and Crosby is very symbolic of the issues we’ve discussed here since my initial virtsec blog in Feb 2007.

Unfortunately I think this debate risks becoming a metaphor for production data center virtualization; it feels to me like two different worlds colliding in a potentially myopic haze of finger-pointing and original sin debates. That scenario will not help Citrix/Xen virtualize production environments, and I think that is why Hoff’s points bear such weight. And I’m not sure that Crosby gets this given his thoughtful and understandable Mother of All Misunderstandings response to Hoff.

I think the mother of all misunderstandings is about to play itself out as “a funny thing happened on the way to the datacenter” scenario. When Caesar crossed the Rubicon he knew his security profile would change, but he still underestimated the Senate. If Citrix doesn’t show leadership (ala VMware and VMsafe, etc.) and instead talks about security as “other people’s problems” its growth in the data center could experience a thousand cuts Caesar style as internal conflicts and strife within customers (between the Hoff’s and Crosby’s) could demonize the incredible and undeniable power of virtualization to enhance data center security.

The virtualization and security vendors can either lead on this issue as an opportunity to enhance security today or merely create awareness around the new risks and dynamics and talk about far-off solutions that may one day work when the market matures. One strategy will lead to the faster deployment of hypervisors in production; the other will fulfill Rothman’s prediction.

Virtualization is a massive opportunity to escape the cycle of attack followed by tactical/regulatory response and establish a new order, with security pros getting powerful, flexible new capabilities to protect systems. That will require leadership and new thinking and a full appreciation by those who don’t want to relive the past. Security may turn out to be strategic to virtualization in ways that it couldn’t be strategic to the network. The hypervisor layer is perhaps the most substantial strategic security opportunity in many years. Let’s hope we leverage it to its fullest.

Trend Micro Enters Growing Market Of VMware Virtualization Security Providers

by Leave a Comment

Trend Micro, a global leader in Internet content security, has announced a number of innovations in security solutions for VMware virtualized environments which it will debut at the 2008 RSA Conference in San Francisco.

Trend Micro logo

The prototype technology consists of a virtualization security solution that operates in a VMware ESX 3.5 environment, scans for infected machines and remediates any that are found. With this technology, Trend Micro intends to provide greater protection for VMware virtual machines.

Trend Micro is also announcing that its enterprise security products for the endpoint, gateway and server are supported in VMware environments. This enables joint customers to gain the same level of support for Trend Micro products running in VMware virtualized environments as they would on physical hardware.

From the press release:

Trend Micro is integrating the recently announced VMware VMsafeTM APIs into its security technology in an effort to enable channel partners and customers to enhance the security of their VMware environments. VMsafe technology protects applications running on virtual machines in ways previously not possible in physical environments. The VMsafe APIs allow vendors to develop advanced security products that combat the latest generation of malware. VMsafe technology integrates into the VMware hypervisor and provides the transparency to prevent threats and attacks such as viruses, Trojans and keyloggers from ever reaching a virtual machine. The Trend Micro brand of security software will have the ability to run isolated from, and at a higher level of privilege than, the target malware. This will allow offline VMware virtual machines to be scanned and remediated prior to being reactivated.

“While organizations frequently use virtualization to help save energy costs and lower administrative IT expenses, they also have an opportunity to leverage this technology for improved security,” said Punit Minocha, vice president of business development for Trend Micro. “Most security solutions in the market underperform in virtual environments so, together with VMware, we want to help our customers to take advantage of the cost benefits of virtualization and to improve their organization’s security profile at the same time.”

VMware-support for existing Trend Micro products is effective immediately. For a complete list of these products, please visit www.trendmicro.com/go/virtualization. Current VMware-supported products use the existing licensing model. Trend Micro customers who purchase these versions and switch their deployments to VMware can do so at no extra cost or software. This provides customers a choice of running the applications on standalone hardware or on virtual environments, depending on their IT needs. Certain exceptions may apply.

The new Trend Micro technology securing virtualized environments is expected to be available in the second half of 2008.

[Source: SYS-CON]