Virtualization Security: Year in Review

Posted byEdward L. Haletky, aka Texiwill,

My conference schedule kept pace with the changes in the virtualization security ecosystem throughout the year.  What are those changes?

  • Auditors were educated at an ISACA event in Florida about the intrinsic security of most modern Type-1 hypervisors. Through out the year we saw auditors educated and becoming more involved in virtualization  and cloud security. The advent of CloudAudit and the ISACA and other educational events surrounding virtualization have increased through out the year.
  • HyTrust was funded to the tune of $10M by venture capital companies as well as Cisco Systems.
  • At RSA Conference this year, Altor Networks won the innovation sandbox prize and was funded by Juniper Networks to the tune of $10M as well.
  • At RSA Conference, Reflex Systems announced their team up with Tipping Point, which was later bought by HP.
  • At the InfoSec Conference, the Summit on Cloud and Virtualization Security showed that many companies are still struggling with beginning of the virtualization security journey and that some auditors have a very narrow view of the PCI DSS compliance standard. That all but excludes virtualization.
  • At the InfoSec Conference, we were introduced to the discussions of legal considerations.
  • Between InfoSec and VMworld, Catbird teamed up with HyTrust to present a single purchasable item from the US government (a single SKU to order both tools).
  • Discussions on what makes up Secure Multi-Tenancy were started with many companies participating.
  • At VMworld, HyTrust displayed strategic partnerships with RSA, Cisco, and VMware
  • At VMworld, VMware announced the new vShield tools and even won the TechTarget Best of VMworld for Security for the vShield Endpoint product. At the same time, the vShield API for use of VMsafe-Net (App), Endpoint, and Edge was made available. This is the strategic direction for VMware all but hiding the VMsafe-Net API previously used by others. Since the advent of this API, there have not been any new VMsafe-Net based products.
  • At VMworld, VMware announced vCloud Director as one way to ensure Secure Multi-Tenancy (at least from the front end of the cloud, but not from the administrator side of the cloud)
  • Also At VMworld, Trend Micro announced the first vShield Endpoint Anti-virus/Anti-malware product, Deep Security 7.5.
  • At RSA Conference and VMworld, RSA and Intel showed off the Intel TPM/TXT components of the Westmere chips to enable a trusted boot of a Hypervisor. Those who use Intel Westmere chips now have a tool to prevent Blue Pill attacks. TPM/TXT is still being worked on to bring the trusted launch up to the VM.
  • PCI DSS finally released their version 2.0 compliance standard that adds language to specifically bring into scope virtual environments, written process, and people.  HyTrust published a PCI DSS 2.0 reference architecture with help from others.
  • Virtual Network Security concerns continue to be an issue, more Education is required.
  • Altor Networks was bought by Juniper. Juniper has been purchasing cloud security products all year long. The trend has not stopped with the purchase of Altor Networks. Juniper is funding and in partnership with Sentrigo.
  • Legal concerns about entry to the cloud have not abated and will continue until solid Law has been written or there is enough cases to support one stance over the other. Jurisdiction has become a major issue with Law regarding clouds.

The virtualization security ecosystem has grown to include most if not all of the big players, either via funding, partnership, or purchase of the companies. We have seen over the last year an increase in education and desire to learn about virtualization security. This is being over shadowed however by cloud security concerns within the public eye. Given that cloud security depends in many cases on virtualization security, we should consider both together. There will be a push to move many virtualization security products to cloud security products. Reflex Systems, HyTrust, Catbird, and Altor Networks have already started this trend. VMware has moved their vShield products to a cloud security tool when combined with vCloud Director.
These trends will continue in 2011. My questions for 2011 are:

  • Will Juniper continue to buy Cloud Security companies with an eye to becoming the security provider of the cloud?
  • Will Cisco continue to push virtual networking components directly into the hardware?
  • Will there be enough Law in place to protect against Jurisdictional issues within the cloud?
  • Will there be a Compliance based routing policy that considers Jurisdiction and Compliance requirements?
  • Will VMsafe-net be dropped as a valid API from VMware and everyone be asked to program to vShield?
  • Will RSA and Intel work a way for the TPM/TXT technology to be used to ensure a trusted launch of a virtual machine?
  • Will Secure Multi-Tenancy, now include the administrator of the cloud or virtual environment in a more direct way?
  • Will other Compliance auditing catch up with PCI DSS 2.0 so that virtualization is now considered in scope?
  • Will more reference architectures be available for Cloud and Virtual Environment Security?