alex_aldo - Fotolia
Published: 01 Dec 2015
The days when IT managers used different security products to protect their on-premises and cloud infrastructures are happily coming to a close. There's a growing awareness that migrating virtual workloads to new IT infrastructure requires different levels of protection with security mechanisms built-in.
As companies get more comfortable with virtual machines (VMs), and as this migration continues, it is no surprise that businesses are moving more of their workloads into the cloud, whether it's to test new applications, provide more elastic computing resources or save on capital expenditures.
"Cloud VMs are a core catalyst helping drive the level of innovation happening around the globe today," says Steve White, director of platform security and compliance at CenturyLink, a global communications and managed services provider. "Enterprises today must have a strategy for applying this continuum of capabilities wherever their data resides."
The virtualization security tools are also coming on board: Several third-party vendors now offer ways to secure VMs both in the data center and in the cloud, most notably with Amazon Web Services. Partnerships are forming amid rumblings of new hypervisor competition for enterprise stalwarts such as VMware, while tools and services designed to support a distributed dynamic data center are gaining momentum.
"Gone are the days when all of your data or your people sat behind the corporate firewalls, so cyberdefense strategy must adapt to this changing reality," adds White, who formerly served as senior manager of corporate IT infrastructure at Amazon and director of the Microsoft cybersecurity team.
The traditional IT versus cloud security issue isn't new; it's been hotly debated for years. As Dave Linthicum, senior vice president of Cloud Technology Partners, opined in his January 2014 column, "Clouds Are More Secure Than Traditional IT Systems—and Here's Why": "Many of those who deploy security around cloud or traditional systems don't understand what problems they are attempting to solve. You need to define those upfront." Part of the issue is gaining familiarity with how VM-rich infrastructures differ from their physical counterparts, such as how quickly they can scale up or down.
What is new is that the virtualization security products are becoming more inclusive in the types of cloud and on-premises hypervisors they support: Today you can find virtualization security tools that handle a wider cloud collection (including AWS, Microsoft Azure, Google Cloud and open source Linux platform OpenStack, among others) and other hypervisors besides VMware (including Microsoft's Hyper-V and open source KVM).
Steve WhiteDirector, security and compliance, CenturyLink
A new way of thinking about how corporations secure their infrastructure is also emerging. Just as software-defined networks have virtualized the network connection itself, the same is happening with network security. "You have to decouple your security platform from your infrastructure," says Alan Cohen, the chief commercial officer of well-funded Illumio, one of the application security startups that provides VM protection that works across both VMware and AWS environments. "What we are trying to do is to make it easier for businesses to move their applications into the cloud and have the security move along with the apps." In October, the company announced partnerships with Docker, Mesosphere and cloud hardware provider Nutanix.
Two related trends that are helping this new security model are that of microsegmentation, using virtualization security tools such as VMware's NSX, and containers such as Docker. Both make it easier to deliver more granular security around specific workloads and applications. "Containers are really just another layer of virtualization," says White. "What the virtual machine does for the hardware, containers do for the virtual machine. But what containers introduce is another layer of abstraction that needs to be properly managed. Businesses need to update their cybersecurity measures to account for the higher levels of abstraction and mobility they provide."
Virtualization Security Tools
So what tools should you use to secure your VMs? One place to start is the native virtualization security tools from the cloud and VM hypervisors themselves. In the case of VMware and AWS, this means taking a closer look at vShield and Elastic Cloud Compute's Security Groups respectively. What you'll quickly find out is that both are good first attempts but need more work, flexibility and features. That is where the security vendors that operate in this market segment come into play. For example, Catbird Networks, HyTrust and Trend Micro all interact with VMware's vShield but in different ways: Catbird adds a stateful firewall, and HyTrust and Trend Micro use vShield as a communications conduit to set up their different protective features for each VM.
Today at least a dozen vendors offer add-on virtualization security tools that operate in either hypervisors or in the cloud or both. The tools aren't directly comparable; they offer a wide variety of protective features and apply themselves in different ways to a mixture of hypervisors and cloud environments.
A good place to start is take advantage of most vendors' free trial offers to examine each tool and see how it performs in four specific security areas:
- Intrusion detection (IDS) and firewall features. This is the functionality that most people think of when they first hear about VM security and most of the products offer these features. Some tools take things a step further and encrypt data in motion between VMs, too.
- Compliance and auditing. This includes the ability to produce reports to understand various compliance requirements, such as Payment Card Initiative standards and the ability to audit access and administrative logs to track down what someone changed and when it occurred. Some of the virtualization security tools in our table have these features. But there is a wide variation in what they deliver. If compliance is important to you, it's worth spending time to clearly understand what each of these third-party cloud and virtualization security tools can realistically provide.
- Access controls. This includes being able to restrict access so that users can't stop or change any VMs on any protected host machine or in the cloud. Dome9, SafeNet, HyTrust and Trend Micro offer some of these features.
- Antivirus and antimalware protection. Similar to the AV tools in the physical world, these applications provide VM protection against these exploits. Trend Micro and Catbird have this feature.
It may also be time to reevaluate your traditional security products and understand how these new virtualization security tools can better protect your hybrid cloud deployments. As virtualization expert David Davis pointed out when the Microsoft Windows 2012 Hyper-V extensible virtual switch opened the doors to third-party security technology: "Keep in mind that when you move from physical servers to VMs, traditional backup and security products may not work as well."
Nexgate, a social media security and compliance provider, which is now a division of Proofpoint, has always been a cloud-based company, running exclusively on AWS. "We see many enterprises who are moving to the cloud and need an ability to enforce a consistent security policy no matter where their servers are located," says Richard Sutton, vice president of engineering. "You still have the same requirements to provide better access controls, IDS, malicious code scanning and prevention wherever your servers and applications are located."
The company uses Dome9's SecOps to manage security across its infrastructure in the Amazon cloud, according to Sutton, because you can't "just build a firewall around a physical network perimeter anymore." And it isn't just securing VMs, but "being able to plan for capacity and bring up new servers as well as retire old ones too," he says.
Whatever virtualization security tools you chose, the on-premises versus cloud security issues aren't going away. "Companies that continue to limit themselves to their on-premise solutions will quickly lose ground to their more nimble competitors who are fully leveraging the cloud," says CenturyLink's White. "The most successful companies will evolve their cyberdefense program to one that provides effective protection, detection, incident response and recovery capabilities no matter where the data resides."
About the author:
David Strom is a freelance writer and professional speaker based in St. Louis. He is former editor in chief of TomsHardware.com, Network Computing magazine and DigitalLanding.com. Read more from Strom at Strominator.com.
Understanding cloud VM risk scenarios and cloud stack security
How to argue the case for VM security in the cloud
Chris Hoff: Why bolted-on virtualization security needs to change