Cloud computing and virtualization are poised to dominate security discussions for 2011. It stands to reason that as businesses and governments take their data centers and workloads to the virtualization platform, ensuring protection and compliance will be top of mind.
Cloud computing has been all the talk for the last two years or more and this trend is sure to continue as more and more businesses go to the cloud. For now, private cloud (also known as internal cloud) adoption is leading the way in terms of implementation dollars. For the purposes of this article, a private cloud is defined as infrastructure that is privately owned by an organization and extended to the end user or department either as a set of dedicated resources or as a service. Use of the private cloud is on a meteoric rise as organizations streamline their data centers to take advantage of the operating efficiencies of virtualization, the defacto platform of private clouds. Public and community clouds, as well as public/private hybrid models will continue to lag private cloud adoption in 2011 as the industry at large and regulatory bodies evaluate the security implications and administrative challenges of cloud computing environments that span businesses and individuals almost without restriction.
2. Virtualization security best-of-breed architectures emerge
Many companies have cited security concerns as the main blocker to virtualization and private cloud adoption. Paradoxically, virtual machines can be more secure than the physical servers they replace. Because virtual machines are purpose-built, virtualization security software can offer levels of dynamic and automated security that are unequalled in the physical security realm. As organizations become more familiar with hypervisor-based security and VM Introspection, the apprehension that may have stymied virtualization of critical workloads will be appeased. We expect that terms like “hypervisor-based,” “VM safe certified” and “VM Introspection” will become part of the 2011 vernacular of “must-haves” for virtual security architectures.
3. IaaS providers make per-VM security offerings standard
Many infrastructure as a service providers (IaaSs) have implemented security within their offerings, but they’ve done so using different approaches and with varying degrees of investment. As IaaS customer numbers surge in 2011, particularly among SMBs, IaaS providers will have to implement means for highly granular isolation of customers’ VMs. The reason for this is two-fold. Granular virtualization security regimes, particularly the hypervisor-based ones, allow for high-capacity virtualized data centers. This means that the IaaS provider can put more revenue-generating VMs on each host and therefore get more customers onto the same physical infrastructure without compromising security. Secondly, as more customers put security-intense data on hosted VMs, they will require their IaaS provider to validate that regulatory mandates for monitoring and access control (e.g., PCI, SOX, FISMA) are being met.
4. PCI DSS v2.0 accelerates virtualization adoption
When the PCI DSS released its latest version, it all but sanctioned the use of virtualization by defining a VM as equivalent to a physical server. For many IT directors, this will be the okay that they were waiting for to put their virtualization project back on this year’s to-do list. That means that, in 2011, virtualization adoption will get an uptick within many of the verticals that deal in credit card payments, including financial services and retail. This also spells a boon for QSAs with virtualization and VMware expertise.
5. Human error is revealed as the #1 security threat to VMs
We have all heard about the potential threats: take over the virtual machine, attack the hypervisor, spread infections from VM to VM, etc. Given recent statistics and adoption rates, there is no doubt that eventually virtualization and cloud computing specific hacks will make their way into headlines in 2011. However, the biggest risks to virtualized workloads will be plain old human error—that is leaving VMs unintentionally vulnerable to traditional exploits. According to a recent survey, the rate of change in a virtualized environment occurs at an astonishing pace (VMs are updated several times a day), making the likelihood of configuration errors in the virtualized environment extremely high. Since organizations are implementing private clouds well ahead of implementing purpose-built virtualization security, expect at least one big story on data loss and misuse due to a poorly configured or placed VM.
6. Architectures unifying physical and virtual security start to emerge
Customers implementing virtualization security will look for common policy and management across the physical and virtual domains to simplify management and reduce misconfigurations. Leading security vendors will respond by bringing new architectures to market that integrate security across both domains to offer more complete solutions. Integration options include common policies, management integration and backhauling processor intensive services to physical appliances.
The above six predictions are areas to watch as they are likely to catalyze action both among vendors and standards bodies.