Ten Criteria for Evaluating Virtualization Security Solutions

VIRTUALIZATION SECURITY – TEN CRITERIA BY WHICH TO EVALUATE YOUR VIRTUALIZATION SECURITY

Security practitioners know the requirements and functionality that define each criterion for the physical network, but not nearly as much is known or understood about the parameters that make for a sound choice of virtualization security solution. If this describes you or your organization, the following may be helpful as a quick-reference starter guide in your efforts to secure your virtualized workloads.

The following are perhaps every security technology evaluator’s top ten criteria: scalability, fault tolerance, ease of administration, performance, security strength, compliance capability, visibility, total cost of ownership (TCO), interoperability and extensibility.

1. Scalability – Whether your newly virtualized datacenter has two VM physical hosts (e.g. VMware or ESX servers) or two hundred, it is almost certain to grow. As you add physical hosts and VMs, you’ll want your security to keep pace. In other words, with large numbers of VMs or VM clusters, the limiting factor should be the capacity of your virtualization environment, not the security solution protecting it. If you are placing VM hosts in disparate geographical locations, the virtualization security solution should maintain a single centralized view of the virtual network and conduct policy enforcement independently of VM or physical host location. Finally, if you are using vMotion or Live Migration, virtualization security should be applied so that it does not limit the ability of VMs to move freely and securely throughout your virtual environment.

2. Fault Tolerance – Virtualization security needs to be in the path of traffic between VMs to be most effective (i.e. to control access and suppress malware), but that means it must also be implemented so that business-critical communications are not impacted by security performance limitations or functional failures. Any solution for protecting virtualized environments should therefore be based on an entirely fault-tolerant architecture that has no single points of failure and minimizes the risk of business disruption from the security system itself.

3. Ease of Administration – This should always be a key evaluation criterion for any solution and downright critical for virtualization security management. The virtualized environment is highly dynamic. VMs can be provisioned on a mouse click and through organizational self-service; the number of virtualized resources can “sprawl” at a meteoric rate. Solutions to secure these environments need to make it easy for administrative responsibility to be shared while visibility to the virtualized environment is uniform and highly aware of change. Essentially, the virtualized datacenter will have many virtualization security administration stakeholders whose duties range from VM compliance management to access control to policy refinement. All of these individuals need a single intuitive way to do their jobs while not affecting that of others.

4. Performance – Securing the virtualized environment shouldn’t mean diminished virtualization ROI. It is entirely possible through VMware’s VMsafe fast path technology to achieve wireline speeds for security processing. The challenge for the virtualization security evaluator is to determine which solution best meets his or her specific requirements for sustained network speeds (e.g. 10Gb+).

5. Security Depth – This critical requirement, while obvious at face value, is a difficult one by which to differentiate security solutions. Brochure-ware from different vendors will paint a picture of largely equivalent offerings, so it is very important to ask questions whose answers reveal the truth a layer deeper. For instance, a firewall is referred to as stateful if it handles any traffic statefully, but not all stateful firewalls handle complex protocols such as FTP in a stateful way.

6. Compliance Capability – Virtualized environments are highly dynamic, making the task of maintaining a compliant state for VMs and the virtualized environment orders of magnitude more difficult than it is in the physical world. Dedicated features that monitor and automate the process of enforcing corporate and regulatory compliance policies are key requirements for any security solution for the virtualized data center.

7. Visibility – In order to properly configure the virtual environment and write policies for security and compliance, VI administrators must have access to all of the relevant detail for that environment. This means being able to see all of the VMs, the ESX hosts and port group settings, as well as all applications and protocols that are allowed and that flow between, to and from VMs. This visibility gives virtual infrastructure administrators the ability to block unwanted traffic and applications, troubleshoot connectivity, optimize for bandwidth consumption and performance and, most importantly, define and apply security policy.

8. TCO – Most organizations opt to take their physical servers to the virtualized model in order to benefit from the reduction in data center operating costs as well as the increased efficiencies that centralized management and VM provisioning self-service provide. Organizations need to take great care when introducing security measures in their virtual environments so as not to reduce or detract from the virtualization ROI. Non-hypervisor-based approaches can be very costly, especially in terms of VM host capacity, meaning they reduce the number of VMs that can be provisioned on a host because of the CPU and memory resources they consume. By contrast, hypervisor-based approaches that make full use of “fast path” implementation and have negligible impact on VM host capacity thereby maximize ROI.

9. Interoperability – Your datacenters undoubtedly include significant investment in firewall, performance and security technologies to protect your physical servers. A solution that lets you unify your physical and virtual network protections so that policies are consistently applied is a big priority. A well-architected virtualization security solution can take advantage of installed technologies, such as intrusion prevention systems, traffic analyzers and SIEM as well as integrate with physical network firewalls and management consoles.

10. Extensibility – A virtualization security firm’s roadmap and vision for its solutions should be a high priority in the evaluation process. It is important to select vendors that understand market dynamics and have architected their solutions with foresight to meet your ever-evolving needs for expansion. As you expand your virtualized environment and potentially introduce new virtualization or cloud platforms, the security capabilities you deploy today should continue to support your future requirements.
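
To make the FTP point in criterion 5 concrete, here is an added example (not from the article or from any vendor's product) of what stateful FTP handling involves: the firewall reads the control channel, learns the negotiated data endpoint, and opens a one-time pinhole for that connection only. The names `parse_endpoint` and `FtpPinholes` are hypothetical, and the sketch assumes IPv4 `PORT`/`227` negotiation with no NAT between the hosts.

```python
import re

# Six comma-separated numbers: h1,h2,h3,h4,p1,p2 (RFC 959 host-port format).
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _TUPLE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class FtpPinholes:
    """Tracks data connections announced on an inspected control channel."""

    def __init__(self):
        self.expected = set()  # (initiator_ip, listener_ip, listener_port)

    def on_control_line(self, client, server, sender, line):
        ep = parse_endpoint(line)
        if ep is None:
            return
        ip, port = ep
        if line.startswith("227 ") and sender == server:
            # Passive mode: the server listens, the client connects.
            listener, initiator = server, client
        elif line.upper().startswith("PORT ") and sender == client:
            # Active mode: the client listens, the server connects.
            listener, initiator = client, server
        else:
            return
        # Assumption (no NAT): the announced address must be the announcing
        # host itself; an endpoint naming any other host opens nothing.
        if ip != listener:
            return
        self.expected.add((initiator, listener, port))

    def allow_data_syn(self, src, dst, dport):
        """Permit a new data connection only if it was negotiated, once."""
        key = (src, dst, dport)
        if key in self.expected:
            self.expected.discard(key)
            return True
        return False
```

A firewall that is stateful only at the TCP level has no equivalent of `on_control_line`, so it must either block FTP data connections or leave a wide port range open for them, which is the kind of difference the deeper questions in criterion 5 are meant to surface.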

When it comes to virtualization security, these ten requirements should help you in determining your security strategy. Coming up next we will explore the importance of VM Introspection.
