Security in the virtualization space, or virtsec as its being called by some, is supposed to be a big deal. Why? For one, security is a huge topic of concern in the physical world. Consumers and businesses spend large sums of money every year to protect their physical end-points and keep malware from entering their datacenter or homes. And when you transition over to a virtual world, why wouldn't you still be co Security in the virtualization space, or virtsec as its being called by some, is supposed to be a big deal. Why? For one, security is a huge topic of concern in the physical world. Consumers and businesses spend large sums of money every year to protect their physical end-points and keep malware from entering their datacenter or homes. And when you transition over to a virtual world, why wouldn’t you still be concerned about the very same problem and issues? After all, just because a machine is virtual doesn’t mean it’s impervious. And security seems to be one of the top reasons why many people in the industry are slow to adopt virtualization into their production environments. And so, VMware has introduced us to their solution called VMsafe. I was originally exposed to this concept back at VMworld two years ago (it didn’t have a name like VMsafe back then – it was just an idea or concept at the time). But now, the VMsafe initiative was finally launched at VMworld Europe 2008 and the cat has been released from the bag. The technology allows security software vendors like McAfee to write anti-virus and malware protection software against an API that will be provided with the VMware ESX Server hypervisor environment. Everything I heard made sense to me at the time, but I wanted to know more about the security of the security end-point. VMsafe can stop the malware before it gets to the virtual machine, but what keeps the malware writers from focusing their attack on the API or the VMsafe virtual machine? According to an article in a VMworld Europe magazine, this shouldn’t happen. “Security purists and VMware’s competitors will undoubtedly argue that providing access to the hypervisor, albeit in a highly controlled manner, increases the risk of the hypervisor’s own integrity being compromised, and with it the security of every virtual machine that runs on top of it. VMsafe is architected in a manner that eliminates this threat by having the security product run in an isolated space outside of the context of the hypervisor.”Good. So VMsafe is safe. But safe from what? Interestingly, while describing this whole concept of security and VMsafe during the keynote presentation, Christopher Bolin, CTO of McAfee talked about academic and online discussions over the potential threats to VMware and other virtualization technologies. And despite these discussions, Bolin said that they haven’t yet seen any real malicious attacks against virtualization and VMware specifically. That’s impressive. Michael Montecillo, a security analyst with Enterprise Management Associates, believes that virtualization security is a moving target. He says, “Organizations are still trying to determine what is the best, most effective way to implement virtualization within their environments. This has caused variations in practices involving the technology utilized and the management processes designed to implement those technologies. From a security perspective, this makes designing a strategy very difficult as there is no standard technology or management method. Therefore, security strategies need to be very flexible and highly capable to address the risk to virtualized environments.” Montecillo added, “VMsafe is an initial effort to bring attention to the fact that security is playing a larger role than ever in the adoption of virtual technologies. VMsafe is beneficial to VMware as it helps VMware address the security voice which has likely slowed the adoption of virtualization technologies in certain environments. VMsafe is also very beneficial to the security vendors involved as it has put the security issue of virtualization at the forefront of the thinking of a lot of executives.” So McAfee is now onboard. But there are two other companies who have been protecting VMware’s hypervisor for well over a year now, Blue Lane Technologies and Catbird, and they agree with Montecillo’s assessment that VMsafe is bringing the security issue to the forefront.Gregory Ness, VP of Marketing at Blue Lane Technologies said, “VMware finally uttered the ‘S’ word, signaling their serious intentions to virtualize production data centers. It is a kind of declaration of independence from the world of ASIC and gig-based security that was also signed by some of the leading players in security.” And added, “VMware has articulated an advanced security vision that promises to do for security what virtualization has done for devtest.”Tamar Newberger, VP of Marketing for Catbird, is also a firm believer that VMware’s coming out and their affirmation about VMsafe is good for the industry. The feeling is that reducing security concerns will help accelerate virtualization adoption and move the technology into production environments. Newberger said that VMsafe is an important announcement and shows that VMware is now onboard with the need for security around its product. Saying, “In the shift from P to V, we see best practices for security being inadvertently left behind. Indeed, frequently the security team is left out entirely by the infrastructure team when they are mapping out VMware deployment plans, either because they simply didn’t think about it or because they are concerned it might slow things down. Businesses have spent so much time and money figuring out their security topology on their physical networks – but then almost entirely ignore it for their virtual network. It’s weird!”Companies like Blue Lane and Catbird originally came into the virtualization market to specifically address the growing security concerns found within virtualization. And even without the availability of VMsafe APIs, both companies have been able to architect a solution to help address the security problem. Catbird has been shipping its V-Security product since last summer and offers a ‘Security as a Service’ approach. Likewise, Blue Lane started shipping its VirtualShield product in March 2007. So because both of these companies already have products on the market to address this security concern within VMware environments, how does this announcement affect and change each company’s roadmap or long-term vision? After all, creating a set of APIs that can easily be leveraged must certainly take a toll on the barriers of entry into this virtsec space.Ness believes it will be a big boost for all virtsec players – including Blue Lane. “I think the data center virtualization prospects have been waiting for VMware to step up, articulate a vision and delineate who will do what. They have removed any uncertainty that clouded/confused the early market. Because virtualization is a disruptive technology for security it levels the playing field in many ways, including de-emphasizing specialized network IPS hardware, increasing the importance of app/protocol fluency and moving the security industry away from headaches like signatures, tuning and cottage ‘intrusion suspicion management’ industries. More layer 7 intelligence will be required by virtsec. All of these trends point toward our advanced architecture and away from solutions architected when hackers were living at home and targeting desktops for fame.” Newberger said that it hasn’t altered Catbird’s roadmap per se, since the type of functionality that VMsafe enables was already on their roadmap. “We do believe that we can demonstrate how using VMsafe – and security as a whole – will accelerate VMware adoption by reducing the security concerns that have been dogging the market. There have been lots of analysts and CIOs warning of impending doom and gloom – but most of their concerns could easily be addressed by products already in the market, such as Catbird. And VMware supports this approach.”According to Montecillo, “Blue Lane and Catbird currently sit in an excellent position with regards to virtualization. These companies are on the cutting edge for a growing concern for organizations looking to consolidate servers and move to virtualization solutions. With the innovations that come with the move to virtualized environments, so too comes new security concerns. Technical concerns such as the security of the hypervisor are complicated by management issues like trusted zone spanning and network activity monitoring. Companies such as Blue Lane have a head start on addressing these concerns through product portfolios and thought leadership. Of course the VMsafe announcement has allowed some larger security vendors such as McAfee or Symantec to enter into the realm of virtualization security as well. However, as they do not currently have the technology to secure the virtualized environments in the manner that Blue Lane, Catbird, or some of the others do, acquisitions are likely.” Software Development