VMware’s announcement of its VMsafe initiative four years ago was big news for the security industry. The virtualization giant’s plan to provide security vendors with APIs to develop
But it didn’t take long before industry analysts and observers began noting a lack of results. It took over a year for the company to release the VMsafe APIs and with a few exceptions, security vendors seemed to talk more about plans and prototypes than actual products.
Today, the VMsafe program is effectively in mothballs as the company reworks its playbook based on APIs for its vShield security technology. Despite the re-shuffling, VMware remains intent on supplying its security partners with the means to provide integrated products. It’s a strategy that’s becoming more urgent as companies move their mission-critical applications into virtualized environments and private clouds, making security and compliance requirements more pressing.
“Our security strategy is to do what it takes to enable people to make this journey to the cloud,” says Jonathan Gohstand, director of product marketing for the networking and security groups at Palo Alto, Calif.-based VMware.
Yet while VMware continues to plug away on the security front and more security vendors have released integrated products, its own security products appear to put it at competitive odds with security partners. Let’s take a closer look at the VMware security strategy, the bumps along the way, and the company’s plans for the future.
Virtualization security: An inconvenient truth
A few years ago, security wasn’t something virtualization vendors wanted to deal with, says Paula Musich, senior analyst at research firm Current Analysis. “There was a reluctance on the part of the hypervisor providers to acknowledge that security was an issue. They were thinking that by ignoring it, it wouldn’t be an issue,” she says. “VMware was the first to acknowledge that you can’t just ignore it, that you have to put some effort behind making the environment secure.”
VMware has been building up its security capabilities with a series of security acquisitions over the past five years.
2007 – VMware quietly stepped into the security space with its purchase of Determina, a Redwood City, Calif.-based provider of host-based intrusion prevention products.
2008 – In another deal that VMware went about without fanfare, the company acquired Cupertino, Calif.-based Blue Lane Technologies. The company made VirtualShield, which provided inline threat protection for virtual machines.
2010 – VMware bought TriCipher, a Los Gatos, Calif.-based supplier of identity and access management services.
2011 – VMware acquired PacketMotion, a Sunnyvale, Calif.-based provider of security monitoring technology for virtual and physical environments. The company also bought New Brighton, Minn.-based Shavlik Technologies, a supplier of patch and configuration management software that can be configured to work in virtual environments.
VMware started its foray into security by acquiring Determina, a provider of host-based intrusion prevention technology, in 2007. It followed up that deal with its VMsafe technology in early 2008. The VMsafe APIs weren’t released until April 2009, but eventually a handful of vendors released products based on them, including Check Point Software Technologies, Reflex Systems and Altor Networks (later acquired by Juniper Networks). Other big name security vendors such as Symantec and McAfee were noticeably quiet.
The problem, says Musich – who wrote an in-depth report on VMware’s security efforts last fall – is that the VMsafe APIs were “so low level, so far down in the weeds for most of the security vendors to really get a handle” on them. They proved too difficult for security companies to use, she says.
A security expert who works closely with VMware says the partners in the VMsafe program “got deep dive access” to VMware APIs and kernel capabilities – access that VMware eventually pulled back on. “The general impression is they completely opened the kimono early on, but they didn’t really need to,” he says.
Gohstand readily acknowledges the VMsafe program “wasn’t the best model.” The idea was to allow partners to write kernel-level code to fulfill security requirements, but that can lead to incompatibility issues, management difficulties and doesn’t scale well, he says.
New program in the works
VMware’s security APIs are currently focused mostly on vShield Endpoint, which offloads antivirus scanning to a virtual appliance provided by VMware partners. It also includes a driver for virtual machines to offload file events, and VMware technology to link the components at the hypervisor layer. Two years ago when vShield Endpoint was announced, Trend Micro was the lone vendor to produce a product based on the APIs – Deep Security – and has been highly successful with the server security software, according to Musich.
This year, other antivirus suppliers have announced products based on the vShield Endpoint APIs, including Symantec, McAfee, and Bitdefender.
Gohstand, who came to VMware last year with the company’s acquisition of security monitoring company PacketMotion, says VMware plans to release more APIs that will provide access to data flows – a piece that’s been missing. “Let’s say my requirement is Web application firewalling or database monitoring in front of a workload,” he says. “How can I do that in a scalable manner and provision it quickly? It’s impossible using the usual techniques…That’s what these APIs will enable.”
The APIs address one of the overarching issues in virtualization security: With more servers consolidated on a single host, the traditional security model of putting agents on each machine won’t work, he says. Later this year, VMware plans to announce a new program around the APIs, which Gohstand says will be a better fit for security partners than VMsafe.
The drive toward virtualizing critical business applications has put a sharper focus on virtualization security in the enterprise, Gohstand says. Companies initially virtualized just their development and testing systems without paying much attention to security. “Now we’re seeing more critical applications getting moved over. You can’t play fast and loose with security anymore,” he says.
VMware also is trying to address the growing enterprise interest in building private clouds as well as increased adoption of virtual desktop infrastructure. Gohstand says VMware wants to help its security partners not just create virtual versions of their products, but also to build truly integrated products that provide better security based on the context provided by VMware infrastructure.
“In the past, security was such a bolt on thing – not well integrated, not much context,” he says. For example, an organization might have a database activity monitoring tool but not even know where all their databases are. “That’s where VMware, working with its partners, is going to change the game; we have context.”
VMware is bullish on its security partnerships but the backpedaling on VMsafe combined with the emergence of VMware’s own security products hasn’t helped VMware’s image with security vendors, says Dave Shackleford, virtualization security expert and owner and principal consultant at Voodoo Security.
In 2009, VMware rolled out vShield Zones, based on its acquisition of virtualization security provider Blue Lane Technologies. VMware’s vShield line now includes vShield Edge, which provides firewall, VPN, Web load balancer, NAT, and DHCP services as a virtual appliance, and vShield App, a hypervisor-based firewall. VMware also continued to acquire security vendors with its PacketMotion and Shavlik Technologies purchases.
“They’re making a PR effort about embracing partners, but there’s a lot of speculation now because they have their own product line,” Shackleford says. “People see it as cannibalizing their own partners.”
In her report last fall, Musich noted that VMware was sending mixed signals to potential partners “by acquiring or developing specific security functions that compete with products from those same partners.”
For its part, VMware says it’s only focusing on key areas where it feels it needs to have a direct security offering, not the broader security space. “If you created virtual data centers, you need some way to get out of the data center into the rest of the environment. That is typically a firewall, gateway function,” Gohstand says. “We felt it was important for us to have some level of edge firewall capability to build out the virtual data center and not completely depend on partners.”
vShield App is essentially a firewall tightly coupled to the workload, he says. “The real idea is that those capabilities are focused on enabling those few critical things we’re working on now in terms of getting people to the cloud, the virtual data center and [virtual] desktops. Those are the pieces we’re focusing on, not the general security space. The whole security space is so diverse and dynamic – there’s always a place for focused players,” he says.
A complicated evolution
Industry experts say they don’t begrudge VMware’s need to have its own security technology. At the same time, they say the company needs to work carefully with its partners.
Citrix’s Security Efforts
VMware rival Citrix Systems takes a different approach on the security front, according to Paula Musich, senior analyst at research firm Current Analysis.
“Citrix sets itself apart from VMware in emphasizing greater security in its code development process,” she wrote in a report last fall. “While VMware’s ESX and ESXi servers require customers to harden the hypervisor, using a standard set of guidelines, XenServer ships with such hardening built in.”
Citrix also has built an ecosystem of security partners, which have varying levels of involvement under the “Citrix Ready” label, she wrote. McAfee was among those offering deeper integration with its Management for Optimized Virtualized Environments Antivirus, according to Musich.
A Citrix representative wasn’t available for an interview for this article.
“I understand why they would continue to drive their own technology. They have a self interest in making their platform as secure as possible,” says Jon Oltsik, senior principal analyst at Enterprise Strategy Group. “To the extent they need to enhance that with additional products, I understand that. Microsoft does the same thing with Windows.”
“But what I would recommend is working with as many partners as you can and understand that the right thing to do is make sure security people can manage virtual and physical workloads in a common kind of method. No one has virtualized their whole environment,” he adds.
“VMware has to have those products – it needs to be able to stand alone regardless of the existing [security] ecosystem,” says Chris Hoff, chief security architect at Juniper Networks and virtualization security expert. “But what needs to happen is the way in which the ecosystem can engage needs to be a level playing field.” In addition, VMware needs to make it possible for products brought into its environment to be as stable and resilient as its own, he adds.
The new APIs will allow for better and easier integration, Hoff says. That’s largely driven by customer demand for better integration with the security capabilities of other vendors. They’ve already invested heavily in security technologies and don’t want the operational burden of retraining the security team on new security capabilities that may or may not integrate well, he says.
Hoff says there is a natural tension between the platform owner, VMware, and a security ecosystem that’s trying to adapt to the disruption brought by the new platform and virtualization and cloud in general. “The security industry is used to delivering things with a box wrapped around it. On the VMware side, it has the unenviable task of needing to deliver a high-quality product, the platform itself, and trying to deal with a well-established ecosystem that’s kind of set in its ways.
“There’s difficulty on both sides to figure out how to deal with new threats, these new operational methodologies, as well as an evolving and disruptive platform.”
Building security assurance in the cloud
With its focus on reworking and expanding its APIs, VMware is clearly determined to succeed at building a large network of security partners that will help customers virtualize mission-critical applications with confidence those applications will be secure and compliant, according to Musich.
Virtualization has become mainstream, she says, with more production applications being virtualized. “In the next year, we’ll see more issues arise out of that,” Musich says. “There’s some real potential wealth worth stealing that’s moving into virtualized environments. It’s only a matter of time before malware writers figure out how to go after that wealth.”
The security industry needs to take a proactive stance when it comes to securing the hypervisor, despite the lack of actual attacks on the hypervisor, says Rishi Bhargava, senior director of product management, data center and server security at McAfee. “You can’t play ostrich just because it hasn’t happened,” he says.
Organizations need assurance before moving their mission-critical applications to virtual and cloud environments, he says. They want to know if they can get the same security and compliance metrics in those environments as they do their internal physical ones. “Most of the cloud providers aren’t exposing those metrics… It will be an interesting challenge for us in the industry to solve – how to get customers that visibility back,” Bhargava says.
Symantec is working on an expanded set of technologies and use case scenarios to understand the unique scenarios that can occur as organizations move into virtualization and the cloud, says Todd Zambrovitz, the company’s global marketing manager for virtualization. “VMware has been astute in helping us identify these new scenarios of the future,” he says.
At RSA Conference 2012 in February, Symantec and VMware announced five integrations, covering data loss prevention, hypervisor protection, endpoint security, security information management and compliance. All are scheduled for release this year.
“It’s not just about elementary antivirus scanning. The industry has been a little complacent in its focus there,” Zambrovitz says. The integrations announced at RSA take a broader view of security, taking advantage of the platform, the applications, the data and users, he says.
Gohstand says he likes how some of the Symantec integrations aren’t technically complex. Customers will see integration with additional security partners soon, he says.
“We’ll see the ball rolling a lot faster than it has before.”
Avoiding AV Storms
In April, McAfee launched an agentless deployment option for its Management for Optimized Virtual Environments (MOVE) antivirus product that integrates with VMware vShield Endpoint. The software is designed to allow users to secure virtual desktop infrastructure (VDI) and virtual server environments without running into the dreaded “AV storm” problem or sacrificing performance.
“Any host-based security tool requires installation of an agent into the system and every single agent requires resources,” says Dave Shackleford, owner and principal consultant at Voodoo Security and a virtualization security expert. “In a virtualized platform, all those VMs share resources. If you have 20 or 30 VMs sucking the memory and everything else dry because their antivirus agent spun up, it becomes an availability problem.”
Working with VMware, Trend Micro pioneered the agentless approach to tackling AV storms. Kaspersky Lab announced in February that it will support vShield Endpoint with an agentless product later this year.
Symantec also plans to leverage vShield Endpoint with new endpoint security software scheduled for release in the second half of this year. Todd Zambrovitz, global marketing manager for virtualization at Symantec, says the technology uses a variety of methods, including cloud-based antivirus scanning and scan de-duplication to prevent performance issues like AV storms while also improving antivirus effectiveness. Security analysis will be offloaded to a dedicated virtual appliance.
“This in the near-term will be an agent-based approach,” he says. “We’re continuing to look at where it makes sense to leverage agentless capabilities.”
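The offload model described in the vShield Endpoint paragraph earlier (an in-guest driver forwards file events to a scanning appliance) and the scan de-duplication mentioned above as a remedy for AV storms, shown as an added illustrative example. This is toy Python written for this article, not the code of VMware, Trend Micro, McAfee or Symantec, and it assumes a simplified model: the driver forwards (vm, path, content hash) tuples, the appliance scans each distinct content hash once and caches the verdict, and the appliance bounds how many scans run at a time. The VM names, file contents and signature set are constructed sample data.

```python
"""Toy model of offloaded antivirus scanning with scan de-duplication.

Added illustration, not the code of VMware, Trend Micro, McAfee or Symantec.
Assumed (simplified) model:
  * a thin in-guest driver forwards file events (vm, path, content hash)
    to a single scanning appliance instead of scanning locally;
  * the appliance scans each distinct content hash at most once and caches
    the verdict, so files shared from a golden image are scanned once;
  * the appliance bounds how many scans run at a time, so a scheduled scan
    across every VM cannot exhaust the shared host (the "AV storm").
All file contents and the signature list below are constructed sample data.
"""
import hashlib
from collections import namedtuple
from typing import Dict, List, Tuple

# One file event as forwarded by the (hypothetical) in-guest driver.
FileEvent = namedtuple("FileEvent", "vm path sha256")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "malicious" sample and a signature set keyed by content hash.
MALICIOUS_SAMPLE = b"constructed malicious sample, not real malware"
SIGNATURES = frozenset({sha256_hex(MALICIOUS_SAMPLE)})


class ScanAppliance:
    """Central scanner shared by all VMs on a host."""

    def __init__(self, max_concurrent: int = 4,
                 signatures: frozenset = SIGNATURES) -> None:
        self.max_concurrent = max_concurrent
        self.signatures = signatures
        self.verdicts: Dict[str, str] = {}   # content hash -> cached verdict
        self.scans_performed = 0             # actual scan work done

    def _scan(self, sha256: str) -> str:
        # Stand-in for real content analysis: a signature lookup.
        self.scans_performed += 1
        return "malicious" if sha256 in self.signatures else "clean"

    def handle_batch(self, events: List[FileEvent]) -> Tuple[Dict[Tuple[str, str], str], int]:
        """Resolve a batch of events; returns (verdict per (vm, path), scan rounds).

        Events whose hash was already scanned are answered from the cache; the
        rest are de-duplicated by hash and scanned max_concurrent at a time.
        """
        results: Dict[Tuple[str, str], str] = {}
        pending: Dict[str, List[FileEvent]] = {}
        for ev in events:
            if ev.sha256 in self.verdicts:
                results[(ev.vm, ev.path)] = self.verdicts[ev.sha256]
            else:
                pending.setdefault(ev.sha256, []).append(ev)

        hashes = list(pending)
        rounds = 0
        for start in range(0, len(hashes), self.max_concurrent):
            rounds += 1
            for h in hashes[start:start + self.max_concurrent]:
                self.verdicts[h] = self._scan(h)

        for h, evs in pending.items():
            for ev in evs:
                results[(ev.vm, ev.path)] = self.verdicts[h]
        return results, rounds


def build_events(num_vms: int, shared_files: Dict[str, bytes],
                 unique_per_vm: int) -> List[FileEvent]:
    """Constructed VDI pool: every VM carries the golden-image files plus private ones."""
    events = []
    for i in range(num_vms):
        vm = f"vdi-{i:03d}"
        for path, content in shared_files.items():
            events.append(FileEvent(vm, path, sha256_hex(content)))
        for j in range(unique_per_vm):
            private = f"{vm} private document {j}".encode()
            events.append(FileEvent(vm, f"/home/user/doc{j}.txt", sha256_hex(private)))
    return events


def compare(num_vms: int = 30, unique_per_vm: int = 2,
            max_concurrent: int = 4) -> Dict[str, int]:
    """Per-VM agents versus one de-duplicating appliance for a full scheduled scan."""
    shared = {
        "/bin/sh": b"golden image shell",
        "/lib/libc.so": b"golden image libc",
        "/tmp/sample.bin": MALICIOUS_SAMPLE,   # constructed: planted in the golden image
    }
    events = build_events(num_vms, shared, unique_per_vm)
    appliance = ScanAppliance(max_concurrent)
    results, rounds = appliance.handle_batch(events)
    flagged = {vm for (vm, _path), verdict in results.items() if verdict == "malicious"}
    return {
        "events": len(events),
        "per_agent_scans": len(events),          # each agent scans its own copy
        "appliance_scans": appliance.scans_performed,
        "rounds": rounds,
        "flagged_vms": len(flagged),
    }


if __name__ == "__main__":
    print(compare())
```

On the constructed pool of 30 VMs with three golden-image files and two private files each, per-VM agents would perform 150 scans, while the appliance performs 63 (three shared hashes plus 60 private ones), takes 16 rounds at four concurrent scans, and still flags all 30 VMs carrying the planted sample; a second batch of the same events costs no scan at all. The design relies on the verdict depending only on file content, so a real appliance must invalidate its verdict cache whenever signatures are updated, and the bounded concurrency is what turns a simultaneous scan across every VM from an availability problem into a queue.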
About the author:
Marcia Savage is editor of Information Security magazine. Send comments on this article to firstname.lastname@example.org.
This was first published in April 2012