RSA: Security Lags as Virtualization Picks Up
At a time when everyone is watching the bottom line, there is an increasingly strong impetus to virtualize IT environments.
"It is rare in IT that there is a technology that has an immediate and obvious return on investment," said Dave Shackleford, chief security officer at Configuresoft Inc.
By letting multiple services share a single physical platform, organizations can see a quick savings in the cost of hardware, licensing, power consumption and management. "They can see tangible results right off the bat," Shackleford said.
"That is wonderful for productivity and cost savings," said Amir Ben-Efraim, chief executive officer at Altor Networks. "[That] is why, with the bad economy, virtualization still is an active market."
"This is probably the hottest space in technology now," said Chris Farrow, vice president of market strategy at Configuresoft.
That popularity is reflected at this week's RSA security conference, where Shackleford and Farrow gave a presentation on virtual security for the second year in a row. If there is one topic as hot as saving money through virtualization, it is how to secure your new virtual environment. Two years ago, there was one presentation scheduled on virtual security at the conference. That increased to three last year and nine this year.
However, virtual environments are more flexible than physical networks, and their workings are largely hidden from traditional management and security tools.
"Even with traditional security, you have trouble keeping track of boxes, knowing if a box is up or down," Farrow said.
Virtual networks have all of the security vulnerabilities of physical networks, plus some unique ones, Ben-Efraim said. "This creates a brand-new network within your datacenter -- a virtual last mile -- and it's all inside the box," he said.
As with many technologies, virtualization's features have outpaced security, and vendors are now trying to catch up. Shackleford and Farrow began looking for guidance on virtual security in late 2006 and discovered a gap.
"There was no industry guidance on how to secure this technology," Farrow said, so he and Shackleford began working on a set of benchmarks. Since then, a number of guidelines and benchmarks have appeared, including the Security Technical Implementation Guides from the Defense Information Systems Agency.
But virtualization is not standardized enough for security practices to be mature. And many organizations are focusing too much on checklists and not enough on comprehensive security, Farrow said.
"What we see time and again is that people do the bare minimum to meet with the checklist," he said. Even though they meet audit requirements and comply with policies, they are not secure.
"All configuration standards and guidelines should be considered a bare minimum," Shackleford said. They are a starting point, not the goal.
He said many administrators are still waiting for vendors to provide tools that can protect a virtual environment without slowing it down too much. "The impact on performance in a virtual environment is compounded because they share the same physical platform," he said.
But Ben-Efraim, whose company makes a virtual firewall to protect network elements inside a single box, said adequate technology to secure virtual networks is already available.
"There are enough virtual security vendors with enough flavors and solutions to make your virtual implementation more secure," he said. The sticking point is a lack of awareness and consensus on best practices.
At least one company says securing a virtual world is not that difficult: IBM has announced that it is virtualizing its Proventia GX appliance for detecting and preventing intrusions.
It is "our first stab at virtualization," said John Pirc, product line and services executive at IBM Internet Security Services. It is the first product of IBM's Project Phantom to bring security into hypervisors.
The virtual system will have the same interface and functionality, but it will run on VMware ESX Version 3.5. It can put an intrusion-prevention system between a Web application and a database, in front of a Web server, at the network interface to a virtual server, or anywhere else connections and access need to be controlled. Its 700Mbps performance means that it won't slow the network, Pirc said.
Building a virtual intrusion-prevention system was not hard, he added. "It's really no different from a traditional IPS," he said. "The majority of it was a lot of quality assurance testing."
Pirc said that although virtual security is not fully mature, the task of developing it is not at the beginning of the curve. "Some changes remain to be made," he said. "I think we're halfway there."
William Jackson is the senior writer for Government Computer News (GCN.com).