Thursday, October 23, 2008

A horse's ass approach to virtualization security - Part 3 - Data is the "constant"

The third in the series where I am trying to think through the current approaches to securing virtual environments...

See part one and two here...

Virtualization enables organizations to optimally manage their infrastructure resources. It can provide significant cost benefits (by sharing resources), flexibility (by just-in-time allocation of resources where they are needed), and agility (speed of provisioning resources). Therefore, organizations have been able to virtualize:

  • Devices/OS: Companies such as VMWare, Citrix, Microsoft, and Sun are providing hypervisor, virtual machine, and virtual device solutions where several virtual “devices,” “servers,” or “desktops” can mimic separate physical devices.
  • Networks: Virtualized networks enable dynamic collaboration by slicing bandwidth into virtual, isolated channels that can be assigned to a particular set of devices, real or virtual. Setting up new connections and collaborative environments becomes extremely easy.
  • Applications: Virtual applications can either be streamed down to execute on local desktops (Microsoft App-V or Altiris SVS) or executed remotely from server farms such as Citrix XenApp. This allows applications to be portable and accessible from anywhere while reducing inter-application conflicts.

However, organizations will never be able to virtualize the fourth element I talked about in the second blog post: the data itself. The focus of device, network, and application virtualization is flexibility, resource sharing, and agility. This implies short life spans, since these elements are brought up to fulfill a specific short-term task and, upon completion, are brought down or even deleted. Data, however, has a lifetime beyond the short term and will therefore live on for further use or analysis in a non-virtual or subsequent virtual world.

This makes data the "constant" in a dynamically changing environment, even if the location of the data itself is virtualized. Data will also have the longest lifetime of the four elements in the infrastructure and thus will have to live "outside" of the virtual environment. Therefore, from a security standpoint, it is imperative that data becomes the focus of protection, rather than continuing to protect only the infrastructure. Data is the critical asset, and since it travels across boundaries and lives longer than the virtual elements, it can be easily compromised.

Wednesday, October 22, 2008

A horse's ass approach to virtualization security - The four horsemen

I opined a bit about the current approaches to virtualization security and how they might be failing to address current and future threats; let me explain further what I mean.

In the previous blog I gave a summary of my argument. In this second blog of the series I want to talk about the four elements that make up every computing environment (i.e. the four horsemen :)). This will set up the argument I hope to make in my next blog.

  • Devices: These are the hardware and operating system combinations that host or store the execution environment.
  • Applications: Applications execute on host environments (devices + OS) and transform data into information useful for the business.
  • Data: Digital representation of information that is acted upon by applications.
  • Networks: Enable collaboration and the sharing of information across multiple devices and/or applications.
All four are absolutely essential to complete any transaction in the modern business world. However, to gain competitive advantage, organizations are looking to optimize the usage of these four elements. Technology, flexibility, and agility are becoming increasingly important in a fast-changing business world and have therefore led to the rise of virtualization.

In my next post I will discuss how these elements are being changed in a virtual environment and what impact it has on security.

Monday, October 13, 2008

A horse's ass approach to virtualization security

The interest and excitement around virtualization is palpable. However, it seems like the security approaches in this area are similar to the constraints that a horse's ass put on the space shuttle design.

Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor rootkits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.

Here is why: any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual "devices," networks are being virtualized, and applications are being streamed down from virtual environments. Therefore, the only remaining "constant" element is the data itself, which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data, the true IT asset.

Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.

Or, thinking about it another way: why was Google's approach of navigating the web using search better than the initial Yahoo approach of hierarchical mapping? Because Yahoo was mapping an old yellow-book approach onto managing data, while Google took advantage of the new medium.

I shall try and elaborate on my thoughts in upcoming posts...