Virtualize Securely - VM Introspection and Automated Security in Action

Johnnie Konstantas


Love Is In the Air For Virtualization Security

Some of the industry’s biggest names have come together to propose an architecture for the safe deployment of virtualized applications

Maybe it’s the time of year or maybe it’s simply that the time is right in the virtualization adoption curve (see CDW Study: Market is Virtualization Friendly, Yet Concerns Remain), but virtualization security concerns are spurring partnership among some of the industry’s biggest names. Cisco, NetApp, and VMware have recently come together to propose an architecture for the safe deployment of virtualized applications and cloud computing environments. The collaboration has resulted in an 80-page document which outlines how to secure compute, network and storage resources. It puts forward four security pillars: Availability, Secure Separation, Service Assurance and Management. At the center of the Cisco, NetApp, VMware proposed architecture is a virtual firewall, the primary security layer for securing the virtual machines themselves.

The purpose of the paper is to help guide customers in the use of technologies for securing their virtualized workloads, especially in those environments where critical and compliance-intensive information must have all possible means of protection in effect.

Pages 3-4 succinctly summarize the customer use cases:

  • Large enterprises need to isolate HR records, finance, customer credit card details, etc.
  • Resources externally exposed for out-sourced projects require separation from internal corporate environments.
  • Health care organizations must ensure patient record confidentiality.
  • Universities need to partition student user services from business operations, student administrative systems, and commercial or sensitive research projects.
  • Telcos and service providers must separate billing, CRM, payment systems, reseller portals, and hosted environments.
  • Financial organizations need to securely isolate client records and investment, wholesale, and retail banking services.
  • Government agencies must partition revenue records, judicial data, social services, operational systems, etc.

The pages that follow do a very thorough job of nearly creating a specification for the ideal virtual firewall. Customers are well advised to read the document in its entirety, but we’ve consolidated the salient points (yes, it helps us too) and reference pages for you here:

  • Allows role-based duty separation for network, security, and vSphere administrator duties (page 7)
  • Delivers secure separation between VMs (page 25)
  • Facilitates ease of management, configuration, and auditing of access policies (page 29)
  • Allows one to set sophisticated security policy rules within tenants to protect tenant virtual machines from malicious traffic from the outside (page 30)
  • Enforces security policies between VLANs (page 31)
  • Provides traffic monitoring, and allows for the forensic analysis of VM traffic flows (page 32)
  • Creates security zones on top of VLANs, and ensures no cross-talk between zones (page 32)
  • Creates a positive security model where only needed applications and services are allowed to be accessed from the virtual network (page 32)
  • Protects inter-tenant resources (page 34)
  • Implements sub-tenant security rules: Web, App, DB (page 34)
  • Offers VM level access control and separation (page 39)
  • Reports on network activity for discovery, historical analysis, forensics and troubleshooting (page 69)
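To make the positive security model and the sub-tenant Web/App/DB rules above concrete, here is an added example written for this summary (not code from the Cisco, NetApp, VMware document or from Altor's product): a default-deny policy evaluator scoped per tenant and per zone, with a deny log feeding the kind of report the last bullet describes. Tenant names, VM names and ports are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    zone: str  # sub-tenant tier: "web", "app" or "db"

@dataclass(frozen=True)
class Rule:
    tenant: str
    src_zone: str
    dst_zone: str
    port: int

@dataclass
class VirtualFirewall:
    """Positive security model: a flow is dropped unless a rule allows it."""
    rules: list = field(default_factory=list)
    deny_log: list = field(default_factory=list)  # kept for forensics and reporting

    def allow(self, tenant, src_zone, dst_zone, port):
        self.rules.append(Rule(tenant, src_zone, dst_zone, port))

    def permits(self, src: VM, dst: VM, port: int) -> bool:
        # Rules are scoped to one tenant, so any cross-tenant flow falls through
        # to the default deny (secure separation between tenants).
        for r in self.rules:
            if (r.tenant == src.tenant == dst.tenant and r.src_zone == src.zone
                    and r.dst_zone == dst.zone and r.port == port):
                return True
        self.deny_log.append((src.name, dst.name, port))
        return False

    def deny_report(self) -> dict:
        # Denied flows per source VM: the summary a reporting view would show.
        counts: dict = {}
        for src_name, _dst, _port in self.deny_log:
            counts[src_name] = counts.get(src_name, 0) + 1
        return counts

# Constructed sample inventory: two tenants, each with Web/App/DB sub-tenant zones.
VMS = {n: VM(n, t, z) for n, t, z in [
    ("hr-web1", "hr", "web"), ("hr-app1", "hr", "app"), ("hr-db1", "hr", "db"),
    ("fin-web1", "fin", "web"), ("fin-db1", "fin", "db")]}

def build_demo() -> VirtualFirewall:
    fw = VirtualFirewall()
    fw.allow("hr", "web", "app", 8080)  # only the tiers that must talk, on the ports they need
    fw.allow("hr", "app", "db", 5432)   # no web->db shortcut and no reverse rules
    return fw
```

The evaluator is stateless, so return traffic for an allowed flow would itself need a rule; a production virtual firewall tracks connection state instead.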

Needless to say, we think these specifications and Altor are a match made in heaven, but to make sure you’re getting the whole picture, we’d like you to consider adding these must-have requirements to the solution you evaluate and test.

  • Performance – near 10GBps or near-zero reduction in host VM capacity
  • Fine-grained security – between and within zones so that each VM is uniquely protected
  • Zero-day protection – integrated intrusion detection so that allowed traffic also gets the benefit of security and risk mitigation
  • Hypervisor-agnostic architecture so that VMware, Citrix and Microsoft virtualized environments can have security parity
  • Integration with existing data-center infrastructure such as virtual switches, third-party security products, diagnostic tools, etc.


More Stories By Johnnie Konstantas

Johnnie Konstantas heads Gigamon’s security solutions marketing and business development. With 20+ years in telecommunications, as well as data and cybersecurity, she has done a little bit of everything spanning engineering, product management and marketing for large firms and fledglings.

Most recently, she was the VP of Marketing at Dato, a company pioneering large-scale machine learning. She was also VP Marketing at Altor Networks (acquired by Juniper), an early leader in virtualization security and at Varonis Systems. Past roles have included product management and marketing for Check Point, Neoteris, NetScreen and RedSeal Systems.

Johnnie started her career at Motorola, designing and implementing large-scale cellular infrastructure. She holds a BS in Electrical Engineering from the University of Maryland.