Virtualization Security: The Goldilocks Zone

Add Your Comments


Tom Corn is VP of Security Strategy at VMware.

Throughout the history of IT, security has always been both important and challenging, but never more so than now. The worlds of cloud, mobile and social rely on a trusted digital world. And yet it appears the very promise of that trust is at risk. We are stuck in an escalating arms race, where every step forward yields two steps back.

This does not appear to be an issue of investment, innovation or priorities. Investments in research and security startups are at record high. Security has been a board level issue for a number of years. And enterprises are spending more on security than ever before. Growth in security spend outpaces growth in overall IT spend. The only thing outpacing security spend, is security losses.

This is, at its core, an architectural issue, one that may be solvable through the technology at the very center of IT transformation:  virtualization.

Security: A Set of Tradeoffs

When it comes to instrumenting IT infrastructure with security controls, we’ve had two main choices; network-based or host-based. But these choices force us to make a tradeoff between isolation and context.

If we place controls in the network, we’re in a separate trust domain, so we have isolation. The problem is we lack context. We see ports and protocols instead of applications. We see IP and MAC addresses instead of users. These physical identifiers were never good proxies for their logical counterparts to begin with, but in modern IT architectures such as cloud, where workloads are mobile and transient, they’re even worse. The development of next-generation firewalls was driven by this very issue.

If we place controls on the host, we get wonderful context about the application, processes, files and users. But we lack any meaningful isolation. We are placing security controls right in the middle of the attack zone. If the endpoint is compromised, so is the control.

And in both cases we lack ubiquity. That is, we lack a horizontal enforcement layer that places controls… everywhere. Endpoint controls provide little network visibility. Network controls provide little endpoint visibility, and cost and operational constraints stop us from deploying throughout the infrastructure.

Enter the Goldilocks Zone

The term “Goldilocks Zone” was first coined by NASA researchers in the 1970’s to describe a planetary location that exhibits characteristics that must be simultaneously present for a planet to support life. At VMware, we borrowed the term to describe the location for security controls that simultaneously provides context and isolation –key characteristics required to create a secure information infrastructure.

Pages: 1 2

Add Your Comments

  • (will not be published)