Virtualization Security: Back to Definitions
Well I’ve been at RSA for exactly one day now and I’ve literally already discussed the concepts of virtualization security in every meeting and impromptu conversation I’ve had, which is awesome. I love it that people are thinking about virtualization in their data center as a platform or framework and starting to look at the security implications of this new technology they now have to manage.
But as with the rest of my virtualization path that brought me here today, the 2nd sentence in each one of these conversations has been “Well, what exactly do you mean by virtualization security, and what specific problem are you trying to address?” Virtualization security means one (or any) of 3 things:
- Security risks introduced to the data center when new virtualization technologies are introduced, i.e. my paper on Security Implications of the Virtual Data Center. What new risks and attack vectors are the hypervisor and software switching going to cause?
- Security of virtual machine images running in a VDI and/or on a hypervisor. These are the security risks we deal with every day in our bare-metal OS installs, transported to a virtual environment where they can (and most likely will) go through long stages of rest followed by an immediate need. Things like patch management of images that haven’t been used for some time, outdated user credentials, virus control, etc.
- Virtual instances of previously physical security devices. Going from a physical firewall and IPS to a virtual image running iptables and SNORT. There’s the first issue of doing this outright, and then there’s new developing technologies designed at offering this level of security specifically for virtual environments.
I think we are well on our way to having viable solutions for #2 and #3, and this is where most of those virtualization security conversations are ending up once we’re past the “which one” phase, but I still don’t see a tremendous amount of public solutions on #1 (which is where I spend almost all of my research time). People are seeing these new solutions come out that address patch management and virtual firewalls, so that’s what they’re thinking about and what they’re asking about. Don’t get me wrong: these are excellent questions. But I really have to play the terminology card again and suggest that when you’re thinking about virtualization security, you define which problem you’re trying to solve with a particular solution. If you’re looking at virtualizing your data center infrastructure, and specifically for a full VDC, you’ll be concerned about each one of these and you will eventually have solutions for each of them (hopefully from single vendors that provide kernel-level coverage). So make sure you’re targeting the correct solution for the correct problem. The above is step one in the 4Ds: Define, Design, Develop, Deploy. You can’t run until you walk.
On a related note, I haven’t had the chance to do anything at RSA beyond walk the expo floor (no sessions due to work commitments), and I don’t think I’ve found one vendor specifically talking about any form of virtualization security. Last year at Interop there were quite a few, so we’ll have to see if they hit Interop over RSA (which sounds strange to me) or if I’m just missing them all. I did take a peek at the Secure Vantage station in the Microsoft booth; looks like they may be doing some cool stuff along the lines of applying Group Policies to systems via Operations Manager 2007. I’ll try to swing by their station later today and dig a bit deeper on their technology and see if there’s any virtualization overlap.
Back to the meetings…
