Virtualization Security: The Goldilocks Zone

Virtualization Security: The Goldilocks Zone

Security is, at its core, an architectural issue, one that may be solvable through the technology at the very center of IT transformation: virtualization, writes Tom Corn of VMware.

Tom Corn is VP of Security Strategy at VMware.

Throughout the history of IT, security has always been both important and challenging, but never more so than now. The worlds of cloud, mobile and social rely on a trusted digital world. And yet it appears the very promise of that trust is at risk. We are stuck in an escalating arms race, where every step forward yields two steps back.

This does not appear to be an issue of investment, innovation or priorities. Investments in research and security startups are at record high. Security has been a board level issue for a number of years. And enterprises are spending more on security than ever before. Growth in security spend outpaces growth in overall IT spend. The only thing outpacing security spend, is security losses.

This is, at its core, an architectural issue, one that may be solvable through the technology at the very center of IT transformation:  virtualization.

Security: A Set of Tradeoffs

When it comes to instrumenting IT infrastructure with security controls, we’ve had two main choices; network-based or host-based. But these choices force us to make a tradeoff between isolation and context.

If we place controls in the network, we’re in a separate trust domain, so we have isolation. The problem is we lack context. We see ports and protocols instead of applications. We see IP and MAC addresses instead of users. These physical identifiers were never good proxies for their logical counterparts to begin with, but in modern IT architectures such as cloud, where workloads are mobile and transient, they’re even worse. The development of next-generation firewalls was driven by this very issue.

If we place controls on the host, we get wonderful context about the application, processes, files and users. But we lack any meaningful isolation. We are placing security controls right in the middle of the attack zone. If the endpoint is compromised, so is the control.

And in both cases we lack ubiquity. That is, we lack a horizontal enforcement layer that places controls… everywhere. Endpoint controls provide little network visibility. Network controls provide little endpoint visibility, and cost and operational constraints stop us from deploying throughout the infrastructure.

Enter the Goldilocks Zone

The term “Goldilocks Zone” was first coined by NASA researchers in the 1970’s to describe a planetary location that exhibits characteristics that must be simultaneously present for a planet to support life. At VMware, we borrowed the term to describe the location for security controls that simultaneously provides context and isolation –key characteristics required to create a secure information infrastructure.

Entering The Security Goldilocks Zone

The expanding use of virtualization and the move towards software-defined data centers enables huge benefits in speed, scalability and agility. But it may turn out that one of virtualization’s biggest benefits is security. We believe it is the security goldilocks zone, because it enables isolation and context that can be both granular and dynamic— and provides a horizontal layer that provides near ubiquitous coverage.

Through virtualization, organizations can insert security instrumentation and services in a location that provides end to end coverage, full context of application, user and data, and isolation so their position is protected. Moreover, they can leverage the infrastructure and the orchestration of other controls to better respond to threats in the event of an attack. This becomes increasingly critical as security moves from a predominantly in-line prevention model, to analytics and out of band mitigation.

The Impact of Ubiquity

The traditional datacenter security architecture remains perimeter-centric, with the majority of our datacenter security investment focused on our north south boundary. Why? Certainly security teams are aware of the disappearing perimeter. The answer is quite simple; putting security inside is hard.

On the perimeter we have a small number of egress points. Inside a datacenter we have a complex web of data paths. Cost and operational constraints result in relatively sparse deployment of essential security controls. As a result, controls become choke points. Furthermore, we’re left with an incredibly complex distributed policy problem. In a path between machine A and machine B traffic might pass thru several controls, and the effective protection policy is the composition of policies expressed on each of those controls. Managing and aligning those policies over time becomes an intractably complex problem.

But in the Goldilocks Zone, we get unparalleled ubiquity. Virtualization boundaries located throughout the data center deliver the leverage point needed to cost effectively establish scale-out end to end protection. Ubiquitous coverage can now be achieved in a way that eliminates security choke points and provides a single, coherent view and consistent enforcement of policy. Security controls become distributed services, whose policies are focused only on the applications they protect, greatly simplifying the policy management challenge.

The Impact of Context

In a traditional data center, the lack of context results in asset-centric policy — such as a policy for a given server. The larger impact “bad identifiers” is that we lack the right “handles” to bridge the gap between the intent of our policies and their physical implementation. We’re continuously reconstructing and validating our understanding of the location of critical services and the placement of controls intended to protect them.

In the Goldilocks Zone, our controls can be application and identity aware, so we can truly manage policy in an application-centric manner. A lightweight driver embedded in every guest virtual machine provides a convenient mechanism for exposing key information available to the guest’s operating system, to provide advanced context. And the network controller’s explicit definition of the relationships, traffic control policies, and network control placement, provides unequaled topological context.

The Impact of Isolation

In a traditional data center, host-based controls have little isolation, and are therefore very difficult to protect. On the network side, we have an open infrastructure; a hyper-connected computing base where virtually every host is connected to every other host through one or more hops. This facilitates lateral movement of threats.

But in the Goldilocks Zone things looks very different.

On the endpoint, the hypervisor provides a deployment location that affords access to application-layer information, yet still maintains separation between the controls and the resources they’re protecting. Essential countermeasures are kept out of the kill zone and do not run the risk of being “compromised by co-location.” A combination of static and dynamic integrity checks further protect the driver by ensuring that it hasn’t been overwritten or compromised.

On the network, we have the ability to establish virtual data centers around critical applications and compliance scopes, and leverage micro-segmentation. We can also programmatically leverage the infrastructure to mitigate and/or contain compromised machines.

The Result

When you combine these properties, you get nothing short of a transformational change in security. You move from a hyper-connected network to a least-privilege “zero trust model” without impeding the flexibility of the infrastructure. You dramatically improve visibility and context. And you enable the infrastructure itself to be leveraged to isolate threats and protect critical applications and data.

You create a built-in versus bolt-on model, giving your security controls;

  • Ubiquity: Placed everywhere, without concern about cost, complexity or choke points.
  • Context: Leverage rich application, user and data context, for better analytics and more granular control
  • Isolation: Protect their position, and enable them to leverage the infrastructure to isolate threats and mitigate attacks

A software-defined virtualization approach offers an unprecedented opportunity to build secure, highly defensible infrastructure. Security vendors can transform their products by taking advantage of the rich context, isolation and ubiquity. Security practitioners can expand their thinking from “how to secure this layer” to “how can we leverage this new layer to secure our most critical assets.

We finally have the opportunity make security part of the very fabric of our infrastructure – built-in rather than bolted out. We cannot miss this opportunity.

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission processfor information on participating. View previously published Industry Perspectives in our Knowledge Library.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.