August is a special month for those of us who live in the San Francisco area, because it’s when the masses of geeks descend on Moscone Center for one of the biggest virtualization conferences in the world. Yes, I’m talking about VMworld.
This year, in particular, is a very special one because it celebrates 15 years of virtualization innovation. Yet what is interesting is that out of 457 sessions at this conference, only 26 were in the security and compliance track. Why is a 6% focus on security at a virtualization and cloud conference an issue, you ask? Whether virtualization infrastructure (VI) admins and security IT admins realize it or not, their ability to meet their goals in a virtualized world is intertwined. Security is one of the key barriers to realizing the full potential of the dynamic, agile, flexible cloud, and if there isn’t enough focus on addressing security at one of the key virtualization conferences in the world, then the software defined data center will continue to be elusive.
Let’s take a look at the challenges today from both perspectives:
VI Admin Perspective
The VI admin wants to deploy a private cloud with the agility, flexibility and elasticity of a public cloud. This means dynamic, agile movement of virtual machines (VMs) across clusters and pods, and full use of compute resources by delivering any application of any trust level on any server when needed. This is the phase in which really tangible operational, cost and application delivery efficiencies are realized.
However, the reality is that while VI admins may have successfully adopted server virtualization in an effort to reduce cost and optimize application delivery, they are still not as nimble and agile as they want to be. As a result of security and compliance mandates, applications still need to be segmented by trust level into silos built with traditional networking. This means not all compute resources can be utilized efficiently to deliver any application desired.
In addition, while VI admins can provision their application workloads in minutes, security provisioning continues to be a manual, error-prone and time-consuming process. The approval cycle itself takes days or weeks, followed by manually opening the right ports on the right firewall, or creating VLANs to ensure the applications being provisioned land in the right segment. In short, security is slowing down virtualization and cloud initiatives.
Security Admin Perspective
The security admin meanwhile is faced with protecting a complex set of applications and mobile users in the face of modern cyber attackers who are better funded and better organized than ever, and are innovating rapidly. These attackers are increasingly moving to a stealthy approach using a sophisticated cocktail of techniques that includes traditional viruses, exploits and malware and customized or targeted APTs (advanced persistent threats).
Unfortunately, while physical firewalls at the perimeter of the data center have evolved, the options for inspecting virtual, East-West (VM-to-VM) traffic are limited. Existing virtualized security offerings force security admins back to the days of IT past, i.e. they are essentially port- and protocol-based firewalls along with a variety of firewall helpers like IPS or anti-virus solutions, just in a virtual form factor. On a virtualized server with limited CPU cores, dedicating multiple VMs and cores to a portfolio of virtualized security options just isn’t viable.
In addition, the dynamic nature of the new operational models for delivering applications makes it impossible to continue relying on static security policies that are based on physical attributes, like IP addresses. Such policies have no understanding of the virtualization notion of “application containers”, so every container has to be translated by hand into the IP addresses that appear in the security policy, and translated again whenever a workload moves or scales.
Unlocking the True Potential of Cloud Computing
Unlocking the promise of the cloud requires a closer integration between virtualization and security elements and delivering the right security feature set.
• Automation of security deployments – Visibility into the application workloads occurs at the virtualization management platform. Therefore, the virtualization management platform should be responsible for ensuring security services can be deployed transparently on each server. But, that is just the first step.
The next step is to steer traffic to security services being deployed. The mechanisms for traffic steering today include manual virtual switch networking configuration or insertion of services at the hypervisor level. Virtual switch networking configuration is manual, painful and prone to errors. Insertion of services at the hypervisor level may cause performance issues because all traffic is automatically steered for inspection. A better choice is insertion at the vNIC (virtualized network interface) level. This provides the benefit of choosing the types of traffic that should be inspected yet ensuring that services are always delivered independent of the networking configuration.
• Comprehensive next-generation security protection – To adequately protect data assets and business critical applications, a network security platform that operates on more business-relevant elements, like user, application and content, is needed. The ability to enable applications only for specific users and protect them from known and unknown threats is the foundation of network security in the data center – whether for North-South or East-West traffic.
Don’t settle for piecemeal virtualized firewall helpers; demand the best protection for virtualized and cloud environments as well. This means identifying applications regardless of port, protocol, evasive tactics or encryption, and comprehensive protection against known and unknown threats including exploits, viruses, spyware, malware and APTs… on a single virtualized platform.
• Keep up with VM changes throughout virtual abstraction – Further, this next-generation security platform has to not only assume abstraction (isolation from physical attributes), but also adapt at the speed of business – so when computing workloads, users, or applications move – security policies adapt, without the need for staff intervention. This is possible via rich, context-sharing between virtualization and security management platforms and dynamic security policies that can incorporate virtualization elements like application containers.
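To make the contrast between IP-bound rules and virtualization-aware rules concrete, here is an added example (it is not code from the original post or from any vendor product). A policy is written once in terms of VM tags such as `tier:web` and `tier:db` plus an application identity, and the concrete IP-level rule set is recompiled automatically from the virtualization inventory whenever a VM is added, re-addressed or removed. The inventory, the tag names and the two events (an autoscale adding `web-02`, and `db-01` being re-addressed after a move) are constructed sample data, and the application names are placeholders for what an application-aware firewall would classify.

```python
"""Tag-based security policy resolved against a virtualization inventory.

Added example, not from the original post or any product. The inventory,
tags and events below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class VM:
    name: str
    ip: str
    tags: Set[str]  # assigned by the VI admin, e.g. {"tier:web"}


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    app: str  # application identity (e.g. "mysql"), not a port number
    action: str = "allow"


DEFAULT_ACTION = "deny"  # anything not explicitly allowed between tiers is dropped

# The policy never mentions an IP address; it survives moves and scaling unchanged.
POLICY: List[Rule] = [
    Rule("tier:web", "tier:db", "mysql"),
]

INVENTORY: Dict[str, VM] = {  # constructed sample inventory
    "web-01": VM("web-01", "10.0.1.11", {"tier:web"}),
    "db-01": VM("db-01", "10.0.2.21", {"tier:db"}),
}

EVENTS = [  # constructed: autoscale adds web-02, then db-01 is re-addressed after a move
    {"kind": "vm_added", "name": "web-02", "ip": "10.0.1.12", "tags": ["tier:web"]},
    {"kind": "ip_changed", "name": "db-01", "ip": "10.0.3.21"},
]


def compile_rules(policy: List[Rule], inventory: Dict[str, VM]) -> List[Tuple[str, str, str, str]]:
    """Expand tag-based rules into concrete (src_ip, dst_ip, app, action) entries.

    With a static, IP-based policy a human redoes this step for every workload
    change; here it is a pure function of the inventory and is re-run per event.
    """
    concrete = []
    for rule in policy:
        srcs = sorted(vm.ip for vm in inventory.values() if rule.src_tag in vm.tags)
        dsts = sorted(vm.ip for vm in inventory.values() if rule.dst_tag in vm.tags)
        for s in srcs:
            for d in dsts:
                concrete.append((s, d, rule.app, rule.action))
    return concrete


def decide(concrete, src_ip: str, dst_ip: str, app: str) -> str:
    """First-match lookup; unmatched flows fall through to DEFAULT_ACTION."""
    for s, d, a, action in concrete:
        if s == src_ip and d == dst_ip and a == app:
            return action
    return DEFAULT_ACTION


def apply_event(inventory: Dict[str, VM], event: dict) -> Dict[str, VM]:
    """Return a new inventory with one VM lifecycle event applied."""
    inv = dict(inventory)
    kind = event["kind"]
    if kind == "vm_added":
        inv[event["name"]] = VM(event["name"], event["ip"], set(event["tags"]))
    elif kind == "ip_changed":
        old = inv[event["name"]]
        inv[event["name"]] = VM(old.name, event["ip"], old.tags)
    elif kind == "vm_removed":
        inv.pop(event["name"])
    else:
        raise ValueError(f"unknown event kind: {kind}")
    return inv


def run_demo():
    """Replay EVENTS; return the final inventory and the rule set after each step."""
    inv = INVENTORY
    history = [compile_rules(POLICY, inv)]
    for event in EVENTS:
        inv = apply_event(inv, event)
        history.append(compile_rules(POLICY, inv))
    return inv, history


if __name__ == "__main__":
    _, history = run_demo()
    for step, rules in enumerate(history):
        print(f"after step {step}:")
        for entry in rules:
            print("  ", entry)
```

After the second event the compiled rules point at the database's new address and the stale `10.0.2.21` entry is gone, without anyone editing the policy; a flow from `web-02` to the DB over an application the policy does not name still hits the default deny. In a real deployment the inventory events would come from the virtualization management platform's API rather than a hard-coded list, and the compiled entries would be pushed to the enforcement point at the vNIC.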
In summary, security functionality cannot continue to be an add-on feature or accessory to data center deployments. It must be developed hand-in-hand as part of the virtualization architecture. Otherwise, data center deployments will continue to be tethered by physical and static limitations and worse, an organization will be impacted by cybersecurity breaches.
So, back to my earlier point about VMworld. Yes, it is surprising to me that the biggest virtualization conference in the world does not have more emphasis on security. There is no true cloud without security and there is no easy button for security without true integration with virtualization. Go ahead – give your VI admin a hug today; you’re in this together.
See you at VMworld, and follow me @danelleau for more ramblings on security solutions, virtualization and cloud.