
Monthly Archives: December 2011

Security in the New Virtualized World: The “Cloud”

Hi fellow security gurus. Ana Seijas from the Security & Compliance Specialist team here at VMware. I wanted to bring you up to speed on some exciting things happening in virtual security and get you started on the Virtual Security Journey.

It’s been a few months since VMworld 2011, but security made a big splash there! So much so that I've been talking to a lot of customers about what they heard. With all the talk about cloud, virtual desktops and agility come new concerns for everyone about how we are going to secure things we can no longer see or touch.

I see the security industry as a whole as still very immature when it comes to understanding virtualization and how it can be used to provide agility, better processes, more control and overall better security.

I've been in security for well over 20 years, and although security, compliance and governance have become critical to organizations, little has been done to take advantage of the new agile infrastructures customers are building.

Every company out there has some virtualization, and IT as a whole is changing to support the Facebook generation. So IT has to move fast to provide the apps that customers want to consume instantly, while still meeting the security policies and requirements of so many regulations, keeping the hackers out and keeping their brand intact.

VMware has led the change in how we consume IT: servers, memory, storage and now desktops can all be virtualized. So what about security?

Well, I believe VMware is leading the way there as well. Last year at VMworld 2010, VMware announced the vShield suite of products and APIs, the beginning of a new way to consume security. In the last year, not only have the vShield products been enhanced, but 3rd party security vendors are now making their products virtualization aware and taking advantage of the automation this new infrastructure provides. VMware has shaken up the security industry, and security vendors are hurrying to have the best products for the cloud era.

So what does that mean to customers, and specifically to the security teams in their organizations?

For many customers, security is an afterthought: a burden to maintain, inflexible, and the list goes on. Why not build security right into the platform and make it transparent by automating it? Security as a Service!

As customers begin to virtualize more of their tier 1 apps, security teams are beginning to get more involved. As a security person, I urge other security practitioners to get on the virtualization journey and learn how to do better security through virtualization.

Let me give you the top advantages of virtualization and how they can help with security:

1. Built in HA (High Availability) and FT (Fault Tolerance) for VMs and VMs running 3rd party security solutions
2. Isolation in ESX and ESXi is built in by design along with memory protection
3. Ability to automate disaster recovery with tools like SRM (Site Recovery Manager)
4. Ability to automate moving VMs that are causing malicious activity to a quarantined area using the REST APIs available in vShield products
5. Ability to automate security processes with vCO (vCenter Orchestrator) plugins available for Active Directory, UCS, NetApp, SOAP and REST.
6. Automated compliance using vCM (vCenter Configuration Manager) to continuously monitor and remediate both physical and virtual environments.

At this year's VMworld, a slew of 3rd party security vendors were on hand showcasing their new virtualization-aware technologies, never mind the enormous number of backup and availability products.

McAfee, Symantec, Trend, BitDefender, Kaspersky, and Sophos all made announcements or showcased their support for vShield Endpoint and agentless AV.

Lumension is also using vShield Endpoint for their whitelisting and blacklisting product.

Hytrust, CA and Catbird all showcased virtualization-aware security and compliance tools.

Sourcefire, NetOptics, McAfee and HP Tipping Point are inspecting inter-VM traffic and showcasing network security solutions.

LogLogic, Splunk, and Envision showcased event management and correlation of vSphere events.

And the list continues to grow! I suggest taking a look at these products, which are bringing the same level of security to the virtual world. Challenge the security vendors you have today to take the virtualization journey that the rest of your organization is on.

“Let’s get out of the weeds”

As part of VMware’s Security & Compliance Specialist team, we’re brought in to speak about a very wide range of concepts, extending from CPU architecture all the way up to traditional tools like firewalls, IPSs, anti-virus and many others. Usually there’s some type of compliance question or concern driving the need to have a security conversation. What most people don’t explicitly realize is that a discussion about security, whether physical or computer, always distills to the lowest common denominator: ‘trust’.

The concept of trust is an interesting notion. Trust is usually a faith- or belief-based emotion, and the hope we hold for one another is that, in matters of science and technology, trust is based on empirical evidence and well-informed reasoning. So obviously education is often our best method of helping customers build that trust in our products.

Often the questions I receive are not about virtualized security products like vShield, or the various APIs that have been developed. Instead the focus is most often on the vSphere platform itself. The reason is mainly a lack of accurate, sufficiently detailed information available in the market. For several years VMware did a great job of building a secure vSphere architecture but did not focus on advertising those design decisions, not because they weren’t important but because security was not a topic our customers were expressing a need to discuss with us. Obviously, as customers move through their own unique virtualization journey and into Phase 2, Business Production, they are tackling security and compliance concerns around the more mission-critical applications and data that are beginning to be virtualized. Having these conversations is also a precursor to the things that need to be resolved before a company invests in a private, public or hybrid “cloud” solution, as it all relates back to how well a company can trust the technological controls that have been put in place.

Since I am so often asked questions about vSphere which tell me the asker does not trust vSphere, or any hypervisor platform, I frequently have a discussion on what I call “building a pyramid of trust”. Like any structure, the foundation is the most important part, because without a well-formed base, in this case of knowledge, it is highly unlikely that the pieces layered on top will be stable enough to support more layers. In my pyramid, the base consists of the core constructs of virtualization. These are the Core Isolation Principles that describe exactly how the hypervisor is designed to separate itself from the virtual machines and what keeps each VM separate from the others. Should these principles be violated, so would be the isolation described by the very definition of virtualization.

To help explain the core principles, I break the functions of the hypervisor into 4 key areas: CPU, Memory, Storage and Networking. Each of these describes a physical function that is abstracted into the VMs themselves. The ways in which this abstraction occurs are key to fully grasping how we’ve developed our platform from the ground up with security in mind. It shows in how we isolate specific CPU instructions, how our memory is layered, abstracted and allocated, in the storage platform, and most importantly in the protections guarding against remote exploit and arbitrary code execution. All of these build defense-in-depth techniques that layer security in a virtualized environment.

Many security practitioners have built their careers focusing on higher-level concepts of security, and their primary attention was never much directed at the physical hardware interfaces themselves, much in the same way that server admins were not familiar with centralized storage and networking when we taught them how to virtualize over the last 10+ years. We are now helping security admins break down their traditional barriers of understanding and learn these other disciplines in the context of their day-to-day activities.

The interesting part is the resistance we face in educating security teams about all of these technologies and helping to build their trust in the technology. Experience thus far has shown that the typical US corporation is full of cliché terminology, which we’ve known for years. Dilbert, The Office and SNL have all made us laugh for hours at what we have become. Even with all this exposure to the ludicrousness of business clichés, I was taken aback a few weeks ago when an attendee at a meeting said we needed to “get out of the weeds”. It was obvious from that one statement that this person was not able to see the foundation of the pyramid being built. They were not willing to connect the dots and see how the information being presented was able to answer all of their questions. Instead, they were using pre-conceived notions founded on misinformation and FUD in the market, which limited their ability to absorb the material in an educational context.

I don’t blame this person for their comment. In the day and age we live in, time is precious and things happen so quickly that it’s hard to keep up with changes in business without sacrificing too much personal time. We’re constantly being asked to make value judgments on which information is worthwhile to absorb versus when it’s time to move on. For some of us, our thread of patience is stretched to the breaking point already.

After a few days had passed, the meeting organizer came back to me and said how grateful they were to have had the conversation. They said the discussions that were sparked, both during our meeting and in the days following, had led to some very positive decisions, mostly because of the comment made by that one individual to “get out of the weeds”. That was a key indicator to many other attendees that their co-worker was resistant to change and, to use another cliché, “unable to see the forest for the trees”.

This is not an unusual situation for us. In fact, it’s become the norm for our team to hold initial education meetings followed a week or two later by another meeting to review the information again. The reason is that we’ve got to come back, reinforce and inspect that foundation of the pyramid so our audience fully builds their trust in our solution. We’re having great success in this education endeavor, and we look forward to meeting with you and your teams in the future.

Rob Babb is a Senior Systems Engineer on the Security and Compliance Specialist team at VMware.