Hello All,

Rob Randell here from VMware's Security and Compliance Specialist team.  For those that don't know about our team and what we do, here is a quick rundown on our mission.  The mission of our team is to work with our customers to help them understand how moving to virtualization and the cloud with VMware can help them become more secure and compliant than in the physical world, as well as provide them with the knowledge necessary to deploy their virtualization infrastructures and clouds in both a secure and compliant manner.  In short, we are out in the field talking to folks on a day to day basis about all things VMware security.  You should start seeing regular posts here from our team on these topics.  We'll introduce each member of the team as each of us makes a post.

It’s been a few weeks now since the RSA and HIMSS Conferences where there were a number of interesting announcements with regards to virtualization security from VMware partners.  This is very good news for VMware customers who are concerned about the security implications of moving to virtualization and the cloud.  All of these solutions are key to securing your workloads in a more efficient and virtualization aware way.  What really has me excited though is the story around securing the desktop and what can now be done to gain all of the standard benefits of moving to a virtual desktop solution, but also the ability to provide a new level of security for our desktops in a way that we haven’t been able to before.

First off, let’s talk about the actual announcements:

I would first like to discuss the Imprivata and Teradici announcement regarding the strong authentication integration for PCoIP Zero Clients for VMware View.   In essence what this provides is the ability to use strong multifactor authentication to VMware View where users can walk up to any thin client anywhere on their premises, pop in their Smartcard (or CAC/PIV in the Federal space) or other biometric authentication and gain secure and uninterrupted access to their desktop.

The next announcement that came at the RSA Conference was from HP TippingPoint, who has announced integration that provides IDS/IPS to the virtual environment like they do today, but also leverages the vShield products (Edge and App) to provide the network trust zoning.  These solutions integrate today using the vShield APIs which is demoed by Dave de Valk from HP in this video.  What is really interesting though is that there is work being done to make this a single pane of glass solution with TippingPoint leveraging the vShield APIs to manage both their virtual IDS/IPS, but also the vShield products leveraging the vShield APIs even more than they do today.  This gives you a great solution for managing both IDS/IPS and Firewalling at the hypervisor from a single pane of glass.

Announcement number three came from Kaspersky Labs and their intention to provide a vShield Endpoint based AV solution.  Today only Trend Micro is shipping a vShield Endpoint solution, but more are on the way from the other AV vendors and now other vendors such as Kaspersky and Sophos jumping on the bandwagon. 

Somewhat related to this announcement was the release of a study sponsored by Trend Micro and performed by the Tolly Group that shows the benefits of moving away from an agent based approach to file system based AV to vShield Endpoint solution.   It shows huge benefits in utilization as well as great density improvements for the number of virtual machines running on a host.  

OK…so what does this all mean you may ask?

Well, a lot in my opinion.  First, it shows that the options for security products that are purpose built for virtualized workloads are growing.  What I find more exciting is that we are now to the point where we can truly provide better security by moving our workloads to virtualization through the use of introspection technology that allows us to take our agents out of our desktops thus providing security through the hypervisor. This is very exciting in and of itself.  Everybody talks about virtualization and cloud security in the context of just that, “the cloud”.  And we can do some amazing things in this area.  One area that I don’t think gets enough talk is that of the virtual desktop or VDI.  For VMware this is our VMware View product set.

Take the first announcement I mentioned above from Teradici and Imprivata.   This really ramps up the ability for the user to gain access to their virtual desktop from where ever they may be at the time (of course we can control where they can have access from), along with a very strong means of knowing that the user that is supposed to be accessing a virtual desktop is strongly authenticated using this technology.

So, now that a user is into their virtual desktop, the next question is what resources can they access based on their role from that virtual desktop.  This is where vShield App comes into play.  vShield App when used alongside VMware View can provide us with the ability to restrict access to specific resources based on the user themselves .  In other words we can enforce policy based on the user that logs in.   In a follow-up to this blog, I will walk through in detail how this can be setup.

You may say that this is all well and fine, but I have requirements to ensure that some form of IDS/IPS solution is available to protect my desktop and server workloads as well.   And like vShield provides for firewalling, you’d also like to be able to have this type of protection for VM to VM traffic.  This is what the announcement from HP TippingPoint represents.   With tools like this, now we can start seeing that true layered approach to security that we have had in the physical world for years, but now you can get much more granularity in something that is much easier to manage than agent based solutions.   It also shows how vShield not only delivers an out of the box solution, but also provides instrumentation for 3rd party security solutions to run more optimally and efficiently in the virtual world.

Another note is Trend Micro and IBM are both doing IDS/IPS with as part of their virtualization security solutions and have been doing this for awhile now.  We are also working with other IDS/IPS vendors to provide similar functionality.

So what is the point of all of this?  In short, the point is that there is a lot of activity going on in the virtualization security space.  We really barely scratched the surface of what is out there and available today.  The goals of this post were to shed some light on the latest announcements made in the recent weeks and add a little commentary and show a little but powerful use case.  I hope you found it useful and like I mentioned earlier stay tuned for more to come on this topic and more with regards to virtualization and cloud security from the rest of the Security Specialist team here at VMware.