With nearly 12,000 attendees at VMworld, VMware's annual user and partner event in San Francisco this week, undoubtedly a majority of them will be pitched by a variety of security vendors touting the next big security technology that will mitigate virtualization risks and solve their compliance concerns.
But security experts expect attendees to keep their wallets in their pockets – at least for now. A recent study by Nemertes Research LLC found that 70% of those surveyed have no plans to deploy specialized virtualization security technologies in the near future. Ted Ritter, an analyst at Nemertes, said companies are securing data in virtual systems by relying on the same security basics that mitigate risks on physical machines. So far Ritter estimates deployments of specialized security technologies in the single digits.
"People are still using their physical security boxes and going through various convolutions to route all their virtual traffic through the physical boxes," Ritter said. "It works but it doesn't scale."
security moves to the fore in 2009 (Feb. 17, 2009)
Virtualization platform vendors such as VMware and Citrix gear up to enhance security, as mainstream security companies slowly adapt.
Virtualization challenges traditional security concepts: Despite some misgivings, IT security pros are finding virtual environments help centralize data, deploy patches more efficiently and thwart attackers. Listen to the interview:Steve Herrod,
Podcast: Steve Herrod, VMware senior vice president of R&D and CTO about both the security challenges and the opportunities presented by the migration from physical to virtualized data centers. Download Mp3
Ritter and other security analysts expect an increase in the deployment of virtualization security technologies once regulations and standards begin to address the technology. Currently the Payment Card Industry Security Standards Council is studying how virtualization affects the security of credit card data and whether virtual switches and firewalls could help mitigate the risk of data leakage. Other organizations are studying ways virtualization could be deployed with security in mind.
Meanwhile, security firms in VMware's VMsafe program are using the company's APIs to plug new versions of their products into the hypervisor, enabling them to create virtual security tools that work specifically in virtual environments with greater visibility and dynamic management over client virtual machines. Ritter said he expects some VMsafe products to be released this week, but most security firms are taking their time developing products.
"It's not a trivial endeavor to implement the API," Ritter said. "It apparently takes up a lot of resources to make it work right in terms of leveraging your capabilities."
There are a lot of specialized vendors that focus on securing virtual environments. Catbird Networks Inc. and Reflex Systems Inc. specialize in virtualization management and security. Altor Networks Inc. sells virtual firewall software, just to name a few. More established security players are also stepping into the market. Trend Micro Inc., which acquired host intrusion detection/prevention and application security vendor Third Brigade Inc., is rolling out a virtual appliance. Sourcefire Inc. is creating an IPS to handle virtual environments and Check Point Software Technologies Ltd. sells a firewall that can be deployed to monitor virtual traffic.
Still, Bret Hartman, chief technology officer at RSA, the Security Division of EMC, said much of the customer focus is on ensuring that security basics are in place no matter what kind of environment you're running.
"Right now CIOs are looking for guidelines that are practical and feasible to deal with; they are the principals they understand about information security and they're applying them in the near term," Hartman said. "There will be time for partnerships with VMware and others for the next security technology coming down the pike."
In a paper released by RSA and VMware called "Security Compliance in a Virtual World," the two vendors released steps companies deploying virtualization can take to mitigate risks. The best practices, which work in both virtual and physical environments, include platform hardening, configuration, access control and change management recommendations, as well as network segmentation and audit logging.
While the paper points to both RSA and VMware tools for configuring and managing virtual environments, it also suggests companies consider recommendations from the Center for Internet Security and the Defense Information Systems Agency, which focus on securing and configuring virtual environments.
"People are deploying virtualization and their hardwiring to be compliant, but every time you hardwire something, you lose the flexibility that virtualization gives you," Nemertes' Ritter said. "This is why people will eventually turn to specialized security tools."