Connect with us

Hi, what are you looking for?


Cloud Security

Ten Criteria for Evaluating Virtualization Security Solutions



Although security practitioners know the requirements and functionality, which define each criterion for the physical network, not nearly as much is known or understood about the parameters that make for a sound virtualization security solution choice. If this describes you and or your organization, then the following may be helpful as a quick reference starter guide in your efforts to best secure your virtualized workloads.

The following are perhaps every security technology evaluator’s top ten criteria, that is: scalability, fault tolerance, ease of administration, performance, security strength, compliance capability, visibility, total cost of ownership (TCO), interoperability and extensibility.

Virtualization Security Vendors

1. Scalability – Whether your newly virtualized datacenter has two VM physical hosts (e.g. VMware or ESX servers) or two hundred, it is almost certain to grow. As you add physical hosts and VMs you’ll want your security to keep pace. In other words, with large numbers of VMs or VM clusters, the limiting factor should be the capacity of your virtualization environment, not the security solution protecting it. If you are placing VM hosts in disparate geographical locations, the virtualization security solution should maintain a single centralized view of the virtual network and conduct policy enforcement independently of VM or physical host location. Finally, if you are using vMotion, or Live Migration, virtualization security should be applied so that it does not limit the ability of VMs to freely, and securely move throughout your virtual environment.

2. Fault Tolerance – Virtualization security needs to be in the path of traffic in between VMs in order to be its most effective – i.e. control access, suppress malware – but that means it must also be implemented such that business critical communications are not impacted by security performance limitations or functional failures. What this means is that any solution for protecting virtualized environments should be based on an entirely fault tolerant architecture that doesn’t have single points of failure and minimizes business disruption risks from the security system itself.

3. Ease of Administration – This should always be a key evaluation criterion for any solution and downright critical for virtualization security management. The virtualized environment is highly dynamic. VMs can be provisioned on a mouse click and through organizational self-service; the number of virtualized resources can “sprawl” at a meteoric rate. Solutions to secure these environments need to make it easy for administrative responsibility to be shared while visibility to the virtualized environment is uniform and highly aware of change. Essentially, the virtualized datacenter will have many virtualization security administration stakeholders whose duties range from VM compliance management to access control to policy refinement. All of these individuals need a single intuitive way to do their jobs while not affecting that of others.

4. Performance – Securing the virtualized environment shouldn’t mean diminished virtualization ROI. It is entirely possible through VMware’s VMsafe fast path technology to achieve wireline speeds for security processing. The challenge for the virtualization security evaluator is to decipher that solution which best meets his/her specific requirements for sustained network speeds (e.g. 10Gb+).

5. Security Depth – This critical requirement, while obvious at face value, is a difficult one by which to differentiate security solutions. Brochure-ware from different vendors will paint a picture of largely equivalent offerings; therefore asking the questions that reveal the truth a layer deeper in the answer is very important. For instance, a firewall is referred to as stateful if it handles any traffic statefully, but not all stateful firewalls handle complex protocols such as FTP in a stateful way.

Advertisement. Scroll to continue reading.

6. Compliance Capability – Virtualized environments are highly dynamic making the task of maintaining a compliant state for VMs and the virtualized environment orders of magnitude more difficult than it is in the physical world. Dedicated features that monitor and automate the process of enforcing corporate and regulatory compliance policies are key requirements for any security solution for the virtualized data center.

7. Visibility – In order to properly configure the virtual environment along with writing policies for security and compliance, VI administrators must have access to all of the relevant detail for that environment. This means being able to see all of the VMs, the ESX hosts and port group settings as well as all applications and protocols allowed and that flow between and to/from VMs. This gives virtual infrastructure administrators the ability to block unwanted traffic and applications, troubleshoot connectivity, optimize for bandwidth consumption and performance and most importantly, define and apply security policy.

8. TCO – Most organizations opt to take their physical servers to the virtualized model in order to benefit from the reduction in data center operating costs as well as the increased efficiencies that centralized management and VM provisioning self-service provide. Organizations need to take great care when introducing security measures in their virtual environments so as to not reduce or detract from the virtualization ROI. Non-hypervisor based approaches can be very costly especially in terms of VM host capacity, meaning they reduce the number of VMs which can be provisioned on a host because of the CPU and memory resources that they consume. By contrast, hypervisor-based approaches that make full use of “fast path” implementation and have negligible impact on VM host capacity thereby maximize ROI.

9. Interoperability – Your datacenters undoubtedly include significant investment in firewall, performance and security technologies to protect your physical servers. A solution that lets you unify your physical and virtual network protections so that policies are consistently applied is a big priority. A well-architected virtualization security solution can take advantage of installed technologies, such as intrusion prevention systems, traffic analyzers and SIEM as well as integrate with physical network firewalls and management consoles.

10. Extensibility – A virtualization security firm’s roadmap and vision for its solutions should be a high priority in the evaluation process. It is important to select vendors that understand market dynamics and have architected their solutions with foresight to meet your ever evolving needs for expansion. As you expand your virtualized environment and potentially introduce new virtualization or cloud platforms, the security capabilities you deploy today should continue to support your future requirements.

When it comes to virtualization security, these ten requirements should help you in determining your security strategy. Coming up next we will explore the importance of VM Introspection.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Artificial Intelligence

ChatGPT is increasingly integrated into cybersecurity products and services as the industry is testing its capabilities and limitations.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...