Security in the Virtual World
There is a popular saying among Texas residents who are not native to the state: “I wasn’t born in Texas, but I got here as fast as I could.” That pithy statement speaks volumes about the importance that transplanted Texans place on living in their adopted state. Yet, even though they have embraced the culture of Texas, they can never gain the “native” status that is a source of pride for so many natural residents.
This phrase also serves as an appropriate analogy for the information security world as it applies to virtualization. As organizations have adopted virtualization to gain operational efficiencies, they have also transplanted traditional physical world security models and technologies into their virtualized environments. This was done out of necessity; there simply were not models or products that fully considered the differences between physical and virtual infrastructures. Yet when the traditional models and products were implemented, the usual result was lowered security posture and reduced efficiencies instead of the sought after increase.
But in typical fashion, as problems became more evident, solutions began to arise. Security professionals and product manufacturers started evolving existing security practices and products into a more native virtual state. Let’s look at an example of this growing trend that we heard people talking about at VMWorld 2012 last week: the changing of security models and technologies from the angle of a security control that is fairly universal – segmentation. Controlling access to different servers that perform critical functions and house sensitive data is a basic tenet of any security program, whether the infrastructure is physical or virtual. And, when considering the best way to segment a network, many IT professionals – especially those versed in physical security models – will default to using virtual local area networking (VLANs). However, the use of VLANs within the virtual networking infrastructure, while tempting, can result in significant management challenges. A much more efficient method is to create true boundaries via firewalling. This also adds an element of security that is welcome in multi-tenant or “compliance-heavy” environments.
It’s important to note that if the policy of using firewalls instead of VLANs is implemented, the firewall product needs to be able to effectively and efficiently handle the load. Essentially, the evolved virtually native security model is still not very effective if security product manufacturers do not develop technologies that are also virtually native. And until recently, the only options for firewalls in a virtual environment – physical firewalls or non-native virtual device firewalls – could eliminate the efficiency advantages of a virtualized environment.
The good news is that firewall vendors now can create products that are native to the virtual infrastructure. That ability comes from integration into the hypervisor, which makes the products “aware” of virtualization. This increases efficiencies by allowing such things as keeping traffic within the same host server and performing “per-virtual machine” firewalling while maintaining the integrity of the virtual infrastructure. In fact, because a primary goal of virtualization is to gain efficiency through the consolidation of hardware resources, one of the highest evaluation considerations for security vendors should be their level of hypervisor integration.
The lesson here is this: security models and technologies that were developed with only the physical world in mind don’t easily fit into the virtual landscape. In fact, they can cause big problems with security and efficiency. However, as the adoption of virtualization grows, the progression of the state of virtualization security will continue. The move into the virtual security world has begun, and strides have been made to bring the models and technologies into a real native state.