Virtualizing business critical applications is often stopped by the sudden involvement of security and compliance, by a need to better understand the virtual environment, or by a need to gain visibility into its underlying security in order to build new security and compliance models. As we have commented on the Virtualization Security podcast many times, security and compliance teams need to be involved from the beginning. However, this is not a discussion about involvement but about the tools that help security and compliance gain the necessary visibility into the security of their virtual environments, and therefore allow business critical applications to be virtualized.
Large virtual environments can be viewed in multiple ways, but from a security and compliance view this ultimately implies the ability to break things up by trust zones. The question then becomes: how do we gain visibility into what is within a given trust zone? These three tools have that visualization capability baked into their user interfaces:
- VMware vCloud Director – You may not think of VMware vCloud Director as a tool to break an environment up into trust zones, but the capability is baked in. You even have a way to visualize those different trust zones, as well as to control what can cross the trust zone boundaries, via vCloud Director’s integration with the VMware vCloud Networking and Security (vCNS) modules. While vCloud Director is designed to build clouds and provide IT as a Service, it also provides a method to segregate and deploy workloads into multiple trust zones with built-in security. Visibility is gained via a graphical display of where security actually resides within the virtual network. You can use VMware Configuration Manager (vCM) to check compliance of workloads within a vCloud Director installation.
- Reflex Systems – Reflex Systems Management Center has a heritage of being a security tool. Its vTrust module and display methodology allow the creation of groups of virtualized objects split on network boundaries. Its virtual trust zones are not only enforced by integrating with the hypervisor; it is also easy to see what comprises a trust zone. In addition, it is possible to tag virtual machines so that they cannot easily be moved across trust zones, and to quarantine policy-offending VMs. Reflex’s vTrust module also includes common compliance checks using its Virtualization Query Language (VQL).
- Catbird vSecurity – Catbird vSecurity deploys an appliance that creates virtual trust zones within a standard virtual or cloud environment. Its user interface is designed entirely around the trust zone concept and enforces policies within each zone. Virtual machines that violate a policy are quarantined. In addition, Catbird vSecurity includes the concept of object tagging to disallow objects without like tags from connecting to one another: VMs and networks are tagged, and to connect a VM to a network the tags must match. Catbird vSecurity has compliance checks built in for the most common compliance requirements.
- Trend Micro Deep Security – Deep Security provides a comprehensive suite of endpoint security measures. While this tool does not have a visual view of security with cool diagrams, it does take the traditional approach to security: you define groups and place your VMs and objects into those groups, and those groups correspond to your trust zones. In addition to trust zone segregation, Deep Security provides endpoint security that meets many compliance requirements.
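The tag-matching and quarantine behaviour described for Catbird vSecurity and Reflex vTrust above can be modelled in a few dozen lines. The following is an added example written for this article, not code from Catbird, Reflex, or any other vendor; it assumes (these rules are not from the page) that a VM may attach to a network only when it sits in the network's zone and carries every tag the network requires, that a denied attachment is a policy violation that quarantines the VM, and that a VM may cross zones only when it carries a hypothetical "mobile" tag. The `zone_inventory` function is the visibility view the article asks for: what is actually in each trust zone right now.

```python
"""Tag-matched trust zone enforcement, modelled in plain Python (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Network:
    name: str
    zone: str
    tags: frozenset  # tags a VM must carry to attach here (assumed rule)


@dataclass
class VM:
    name: str
    zone: str
    tags: frozenset
    quarantined: bool = False
    violations: List[str] = field(default_factory=list)


class TrustZonePolicy:
    """Enforces zone membership and tag matching; records where each VM sits."""

    def __init__(self, quarantine_net: Network):
        self.quarantine_net = quarantine_net
        self.attachments: Dict[str, str] = {}  # VM name -> attached network name

    def may_connect(self, vm: VM, net: Network) -> Tuple[bool, str]:
        """Dry-run check: would this attachment be allowed, and why or why not?"""
        if vm.quarantined:
            return False, "VM is quarantined"
        if vm.zone != net.zone:
            return False, f"zone mismatch: VM in {vm.zone!r}, network in {net.zone!r}"
        missing = net.tags - vm.tags
        if missing:
            return False, f"VM lacks required tags {sorted(missing)}"
        return True, "tags match"

    def attach(self, vm: VM, net: Network) -> bool:
        """Enforce: allowed attachments are recorded, denied ones quarantine the VM."""
        allowed, reason = self.may_connect(vm, net)
        if allowed:
            self.attachments[vm.name] = net.name
        else:
            vm.violations.append(f"attach to {net.name} denied: {reason}")
            self.quarantine(vm)
        return allowed

    def quarantine(self, vm: VM) -> None:
        """Move the VM onto the isolated quarantine network."""
        vm.quarantined = True
        self.attachments[vm.name] = self.quarantine_net.name

    def move(self, vm: VM, new_zone: str) -> bool:
        """Cross-zone moves are refused unless the VM carries the (hypothetical) mobile tag."""
        if new_zone != vm.zone and "mobile" not in vm.tags:
            vm.violations.append(f"move to zone {new_zone!r} denied: not tagged mobile")
            return False
        vm.zone = new_zone
        return True


def zone_inventory(vms: List[VM], policy: TrustZonePolicy) -> Dict[str, List[str]]:
    """Visibility view: which VMs, on which network, sit in each trust zone."""
    inventory: Dict[str, List[str]] = {}
    for vm in vms:
        zone = "quarantine" if vm.quarantined else vm.zone
        net = policy.attachments.get(vm.name, "<unattached>")
        inventory.setdefault(zone, []).append(f"{vm.name}@{net}")
    return inventory


def demo():
    """Constructed sample: two zones, one correctly tagged VM each, one mis-tagged VM."""
    pci_net = Network("pci-net", zone="pci", tags=frozenset({"pci"}))
    dmz_net = Network("dmz-net", zone="dmz", tags=frozenset({"dmz"}))
    quarantine_net = Network("quarantine-net", zone="quarantine", tags=frozenset())
    policy = TrustZonePolicy(quarantine_net)

    db = VM("db01", zone="pci", tags=frozenset({"pci"}))
    web = VM("web01", zone="dmz", tags=frozenset({"dmz"}))
    rogue = VM("rogue01", zone="pci", tags=frozenset({"dmz"}))  # in pci, tagged dmz

    results = {
        "db01": policy.attach(db, pci_net),        # allowed
        "web01": policy.attach(web, dmz_net),      # allowed
        "rogue01": policy.attach(rogue, pci_net),  # denied and quarantined
        "web01-move": policy.move(web, "pci"),     # denied: not tagged mobile
    }
    return policy, results, [db, web, rogue]


if __name__ == "__main__":
    policy, results, vms = demo()
    for name, ok in results.items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    for zone, members in sorted(zone_inventory(vms, policy).items()):
        print(f"zone {zone}: {', '.join(members)}")
    for vm in vms:
        for v in vm.violations:
            print(f"{vm.name}: {v}")
```

The point of separating `may_connect` from `attach` is that an operator can ask "would this be allowed?" without triggering quarantine, while the enforcement path always records a reason with the violation; the inventory then shows the quarantined VM under its own zone rather than silently leaving it in the zone it was placed in.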
Are there other security tools available? Absolutely. Do they provide ways of managing trust zones? Of course. But they do not show an easy-to-understand representation of what is happening within the virtual environment. The question that is always asked within virtual and cloud environments is: where is my security? We need tools that say: here is your security; you can tell because that is a firewall (with a quick way to inspect its rules) protecting this trust zone. But protecting a trust zone with a firewall is only part of the problem. For many reasons we need other security measures, such as:
- Protection against unknown unknowns such as zero-day attacks, which we can get from the sandboxing and whitelisting technologies found in Symantec Critical System Protection or SELinux implementations
- Defense in Depth that spans the entire data center, not just centered around the virtual or cloud environments
- Integrity and confidentiality measures for our data
- Intrusion detection and prevention
The listed tools give us visual insight into how security works within the virtual and cloud worlds. We need to start with visibility within our virtual and cloud environments to create a full defense in depth that not only protects our data but fails safely when there are issues, while maintaining visibility and transparency. This level of visibility will help security move forward with virtualizing business critical applications.