VMware's take on security expands with vShield Zones

VMware expands its security initiative with a vShield Zones appliance designed to protect the virtual datacenter by enforcing security policies as VMs are migrated. But what effects does it have?

Back in October 2008, VMware quietly acquired Blue Lane Technologies, a security vendor offering inline patching technology for physical and virtual machines. Throughout 2008, VMware continued to bring security to the forefront, and while doing so the virtualization giant tried to take control of, and lead, the security discussion around virtualization.

Even before its acquisition of Blue Lane Technologies, VMware was already building out a security story. The company launched its Update Manager product, leveraging a partnership with Shavlik Technologies. In August 2007, the company acquired security firm Determina and its intrusion prevention technologies. And in February 2008, we learned more about the company's plans to introduce a set of APIs, VMsafe, that would allow security vendors to offer protection to virtual machines.


The latest news came out of VMworld Europe 2009, where VMware announced what it calls VMware vShield Zones. This is a new security virtual appliance for the virtual datacenter operating system (VDC-OS) intended to help enable strict compliance with security policies and industry regulations for user data as customers look toward cloud computing with virtual environments.

VMware said that with VMware vShield Zones, customers will be able to create logical zones in the virtual datacenter that span all of the shared physical resources, with each zone representing a distinct level of trust and confidentiality. This will allow businesses to comply with corporate security policies and regulations on data privacy while still running applications efficiently on shared computing resource pools.

To get a better handle on this, I spoke with Scott Crawford, research director and security expert at Enterprise Management Associates. Where does vShield fit within the security market and virtualization? How does it affect today's corporate IT world? And does the line continue to blur between the virtualization administrator and IT security?

One of the security issues with virtualization is actually the flip side of its benefits. Virtualization's resource optimization capabilities mean that a number of resources can be consolidated on a single platform. Crawford said this becomes a concern for security pros when it risks breaking down the traditional barriers between high-sensitivity resources and those with higher exposure to risk.

"The DMZ is perhaps the most familiar example of these traditional barriers," said Crawford. "DMZs have high exposure to external networks, which leaves them more exposed to external attack. A DMZ application gateway would be isolated with some level of traffic filtration from the inner workings of the application itself, typically housed within the more protected datacenter."

He added, "Consider, however, the impact of inappropriately deployed virtualization on this same scenario. If a virtualized DMZ environment were to be run on the same host as a highly sensitive virtualized system for, say, sensitive information management, a successful attack against the DMZ VM could expose the underlying host or other guest VMs -- including the sensitive information management system. Unless security policy is factored into virtualized resource provisioning, there is a genuine possibility of this sort of 'trusted zone spanning' as it is sometimes called. Concepts such as live migration potentially elevate this risk even further, when they fail to factor security policy into dynamic provisioning in a real-time or near-real-time way."

The traditional approach to isolating and segmenting resources of different sensitivity was to provision physical or virtual network segments and isolated host systems to ensure an appropriate level of policy enforcement. You can see how this would undercut the resource optimization value of virtualization, by limiting the ability of organizations to make the most of all available resources.
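The "trusted zone spanning" Crawford describes, and the policy-aware provisioning he says is missing, can be made concrete with a small admission check. The following is an added illustration written for this article, not VMware's or Blue Lane's code: every VM carries a trust-zone tag, a policy says which zones may share a physical host, and both initial placement and live migration are gated on whether the destination host would still satisfy the policy afterwards. The zone names, host names, VMs and the policy table are constructed sample data.

```python
"""Toy trust-zone admission check (constructed example, not VMware code).

Every VM is tagged with a trust zone. A policy lists which zone pairs may
co-reside on one physical host; a zone may always share a host with itself,
and any pair not listed is forbidden. Placement and live migration are only
permitted when the destination host stays policy-clean.
"""
from dataclasses import dataclass, field

# Constructed sample policy: only 'internal' and 'dev' may share a host.
# 'dmz' and 'restricted' therefore get hosts to themselves (or their own kind).
DEFAULT_POLICY = {
    frozenset({"internal", "dev"}),
}


@dataclass
class Host:
    name: str
    vms: dict = field(default_factory=dict)  # vm name -> trust zone


class ZonePolicyError(Exception):
    """Raised when a placement or migration would span trust zones."""


def allowed_together(zone_a, zone_b, policy=DEFAULT_POLICY):
    """True if VMs from zone_a and zone_b may share one physical host."""
    if zone_a == zone_b:
        return True
    return frozenset({zone_a, zone_b}) in policy


def violations(host, policy=DEFAULT_POLICY):
    """Audit an existing host: list (vm, vm) pairs that breach the policy."""
    items = sorted(host.vms.items())
    bad = []
    for i, (vm_a, zone_a) in enumerate(items):
        for vm_b, zone_b in items[i + 1:]:
            if not allowed_together(zone_a, zone_b, policy):
                bad.append((vm_a, vm_b))
    return bad


def can_place(host, zone, policy=DEFAULT_POLICY):
    """True if a VM in `zone` can join `host` without spanning zones."""
    return all(allowed_together(zone, z, policy) for z in host.vms.values())


def place(host, vm, zone, policy=DEFAULT_POLICY):
    """Initial provisioning gate."""
    if not can_place(host, zone, policy):
        raise ZonePolicyError(
            f"{vm} ({zone}) may not share {host.name} with zones "
            f"{sorted(set(host.vms.values()))}")
    host.vms[vm] = zone


def migrate(src, dst, vm, policy=DEFAULT_POLICY):
    """Live-migration gate: the check runs before the VM moves, not after."""
    zone = src.vms[vm]
    if not can_place(dst, zone, policy):
        raise ZonePolicyError(
            f"refusing to migrate {vm} ({zone}) from {src.name} to {dst.name}: "
            f"destination already hosts zones {sorted(set(dst.vms.values()))}")
    del src.vms[vm]
    dst.vms[vm] = zone


def demo():
    """Constructed scenario: a DMZ gateway must not land beside a records DB."""
    esx01, esx02, esx03 = Host("esx01"), Host("esx02"), Host("esx03")
    place(esx01, "web-gw", "dmz")
    place(esx02, "records-db", "restricted")
    place(esx03, "erp", "internal")
    place(esx03, "ci-runner", "dev")          # internal + dev is permitted

    refused = False
    try:
        migrate(esx01, esx02, "web-gw")       # DMZ onto the restricted host
    except ZonePolicyError:
        refused = True

    return {
        "migration_refused": refused,
        "esx01": sorted(esx01.vms),
        "esx02": sorted(esx02.vms),
        "esx03_clean": violations(esx03) == [],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the `migrate` gate is the one Crawford raises: a placement that was policy-clean at provisioning time can be broken later by an automated live migration unless the same check is applied at the moment of the move. The `violations` audit covers the other direction, catching hosts that already span zones before any enforcement was in place.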

Crawford said, "vShield Zones offers a way to help insulate these environments from each other, despite the fact that they may be hosted in a virtualized setting. In the short run, then, what VMware is introducing (and it's not an introduction so much as the continuation of Blue Lane's VirtualShield, announced last spring) is a means to provide a greater degree of security policy enforcement for the virtual environment, addressing these concerns."

So does this directly threaten the existing security marketplace? Or does it affect the roles of professionals who are charged with primary or exclusive control over the management of different aspects of the overall environment, from IT operations to security?

Crawford doesn't believe so, at least not in the short term. He believes it will be some time before these concepts come fully to market, and that their capability for containing real-world risk must first be proven. But he stated, "Even when they do, there will still be a need for technologies and services that address security beyond virtualization. Applications, for example, have become an increasingly popular target of attack. While vShield Zones will provide some level of insulation and protection for virtualized applications and underlying resources, the technology will not directly address exploitable application behavior (as dynamic application vulnerability management tools do), nor can it resolve security defects incorporated into application source code."

But will concepts such as vShield transform security in the longer run, by shifting the focus to the virtualized platform and away from the network or other aspects of IT?

"Not unless and until it embraces a wider range of security functionality," said Crawford. "And even then, a vital question must be answered: Who is ultimately responsible for virtualization security? The answer to this question raises a management issue for the future in a way few other technologies have to date, since the distinctions between the tools and processes used by security professionals, versus those used by virtualization administrators, are not yet completely clear."


Copyright © 2009 IDG Communications, Inc.