Topic: Virtualization Security
Bloggers: Dan Blum, Eric Maiwald, and Drue Reeves
Within Burton Group, some industry conversation will often spark an exchange of ideas that span traditional research specialty areas. In this case the hot topic du jour is virtualization security and its impact on data center and security architecture. I’ve captured the essential elements of this conversation in the following series of comments.
Dan Blum, Burton Group principal analyst in security and risk management, kicked off the conversation with:
Interesting discussion with VMware today. It occurs to me that what VMware is trying to do with virtualization security is a critical part of architecture for the dynamic data center. Virtualization security is also essential to cloud architecture for most or all layers of the cloud stack.
I’ll replay the discussion for you a bit.
As you know, in our security architecture we rate air gap as the highest surety separator, followed by the dedicated network firewall. Any “virtual” (VM, VLAN) or other separation mechanism is in a lower class of surety.
For an organization’s private data center it may be wise from a surety perspective to separate/isolate the credit card database (or other high value resource) onto its own dedicated server(s) behind a dedicated network firewall.
For a cloud service provider, however, separating dedicated networks and servers breaks the multi-tenant economies of scale; virtualization is usually the way to go. On the other hand, VMware argues that maybe private data center = dynamic data center = internal cloud.
I’m skeptical that the virtualization economics are as compelling for an internal cloud = dynamic data center as they are for a public cloud (you should be able to afford more dedication/surety).
However, there could be applications where separating/isolating the high value part demands not just one dedicated server, but many, creating a stronger economic argument to trump surety. Anyway, we agree that it is for the good of the industry to “raise the bar” for surety of virtual network and virtual server separation.
“Raising the bar” for virtual separation is much more than just deploying a virtual firewall. That’s just the start. The “secure cloud strength” or “dynamic data center strength” virtual security architecture would need:
Controlled data center network with outer perimeter and IDS
Physical and virtual server operations and configuration standards, hardening, integrity monitoring
Asset management such that virtual workloads are identified, tracked, managed and protected offline
Distributed policy infrastructure (correct policies maintained by vetted personnel in a framework of role-based administration with separation of duty)
Virtual firewalls on each server enforce the distributed policy, correctly identifying the policy that goes with each workload
Audit to ensure standards maintained
Burton Group’s research director for Data Center Strategies, Drue Reeves, responds with:
VMware’s primary cloud architecture focus is at the Infrastructure as a Service (IaaS) layer, so it’s understandable for them to talk about internal clouds. (BTW – Internal/private clouds do exist, if not only for the reason of being able to easily move things to a public cloud. However, Bechtel found it cost-effective to move to an internal cloud model). The rest of the cloud (Platform as a Service -- PaaS, Software as a Service -- SaaS) has a larger architecture in terms of usage and consumption models.
Burton Group’s research director for Security and Risk Management, Eric Maiwald, also adds his comments to Dan’s initial thought-provoking post:
Keep in mind that the necessary security may involve more than one security objective (confidentiality, integrity, availability, use control, and accountability). The objectives may conflict.
The reason I bring this up is because confidentiality and integrity objectives may push an enterprise toward separation. However, availability objectives may push the enterprise toward distributed, highly connected systems. The use of virtualization may help with availability while negatively impacting confidentiality and integrity.
Dan responds to Drue’s post:
When complex virtual zoning schemes (with all the moving parts I indicated in the previous message) are implemented in a large dynamic data center, integrity and confidentiality may be improved. However, glitches in the complex configuration will hurt all the objectives from time to time and raise costs all the time.
Much easier if there’s no need for security. I know – let’s just pretend to have virtualization security!
Drue responds to Eric’s post:
It’s all about risk management, right? We highlight the advantages and risks, then let IT organizations make the business call.
Actually, I think cloud computing may help in some ways (and hurt in others). Data centers will be transformed into critical applications kept internally, while less critical apps are moved to the cloud.
Eric responds to Drue:
Overall, I think cloud will probably help with availability – providing redundancy and alternative sites (not to mention the better availability within a first class data center) that enterprises don’t want to pay for.
Confidentiality, integrity, use control, and accountability are a harder sell. In the macro sense, these are all degraded initially as you have more people who you may not know with potential access to the data. Assuming that the cloud vendors take appropriate steps to keep the external bad guys at bay, you still have to worry about these insiders. Different vendors may do things to control these insiders but it is still something external to the enterprise that “owns” the data.
Drue closes out this discussion with:
Completely agree.
That’s why it looks like internal clouds will keep critical apps, and non-critical apps are candidates to move externally…thereby creating that “air gap” we talk about.
Interesting.
Stay tuned as we continue this discussion at Burton Group’s Catalyst conference in San Diego, July 27-31, 2009.