Companies are adopting virtualisation technologies at a faster and faster rate. They are virtualising servers, desktops, storage, networks. But one aspect of infrastructure has been lagging — very few companies address the growing demand for virtualised security.
Virtualised security is security technology that uses virtualisation principles to create a flexible, logical security layer inside a virtualised datacentrer. Because of the unique dynamic nature of a virtualised environment, traditional static security measures are often insufficient. Not only is it hard to manage static security devices next to a pool of dynamic virtual servers, but the security often gets in the way of the benefits of virtualisation.
Encapsulation and portability of virtual machines free your virtual servers, allowing them to move from server to server. But if the security context can't follow the servers, you're forced to keep them stuck in place. Fortunately, the virtualised security market is getting a lot more attention this year.
Up to this point, most virtual security offerings have been either virtual-appliance based or have deployed an agent inside a virtual machine. That gives them flexibility but also only limited access to virtual machine "internals". A new solution from VMware may change the table-stakes and inject momentum into the nascent virtual security industry. The recently announced VMSafe programme will be a framework and API for virtual security services to interact with virtual machines and the hypervisor.
The API lets a virtual security tool inspect and filter all of a virtual machine's memory, CPU, processes, storage and network traffic. That gives virtual security solutions the ability to act on a virtual machine while maintaining complete isolation from any nasty stuff running inside. Unlike agent-based solutions that run on the operating system and can be disabled or compromised by malware, virtual security solutions would lie beyond the reach of the operating system.
Virtual security technologies have two effects. In the short term, they allow companies to overcome the difficulties of securing a virtual environment. Security engineers can use virtual security to build solutions that support virtual servers without compromising on important virtualisation features such as resource-pooling and live migration (VMotion, XenMotion etcetrea) of virtual machines. In the longer term, virtual security can use the principles of virtualisation to take security to a whole new level.
It's not just about working well with virtual machines, but introducing whole new concepts to security. Like the idea of moving a security context, in near-real-time, from one security device to another (FWMotion? IPSMotion?) or orchestrating the provisioning of a dynamic security policy, alongside the other resources that are created for a virtual machine (server, storage, networks etc). So ask not what security can do for virtualisation, but ask instead what virtualization can do for security!