RSA: Security Lags as Virtualization Picks Up

At a time when everyone is watching the bottom line, there is an increasingly strong impetus to virtualize IT environments.

"It is rare in IT that there is a technology that has an immediate and obvious return on investment," said Dave Shackleford, chief security officer at Configuresoft Inc.

By letting multiple services share a single physical platform, organizations can see a quick savings in the cost of hardware, licensing, power consumption and management. "They can see tangible results right off the bat," Shackleford said.

"That is wonderful for productivity and cost savings," said Amir Ben-Efraim, chief executive officer at Altor Networks. "[That] is why, with the bad economy, virtualization still is an active market."

"This is probably the hottest space in technology now," said Chris Farrow, vice president of market strategy at Configuresoft.

That popularity is reflected at this week's RSA security conference, where Shackleford and Farrow gave a presentation on virtual security for the second year in a row. If there is one topic as hot as saving money through virtualization, it is how to secure your new virtual environment. Two years ago, there was one presentation scheduled on virtual security at the conference. That increased to three last year and nine this year.

However, virtual environments are more flexible than physical networks, and their workings are largely hidden from traditional management and security tools.

"Even with traditional security, you have trouble keeping track of boxes, knowing if a box is up or down," Farrow said.

Virtual networks have all of the security vulnerabilities of physical networks, plus some unique ones, Ben-Efraim said. "This creates a brand-new network within your datacenter -- a virtual last mile -- and it's all inside the box," he said.

As with many technologies, virtualization's features have outpaced security, and vendors are now trying to catch up. Shackleford and Farrow began looking for guidance on virtual security in late 2006 and discovered a gap.

"There was no industry guidance on how to secure this technology," Farrow said, so he and Shackleford began working on a set of benchmarks. Since then, a number of guidelines and benchmarks have appeared, including the Security Technical Implementation Guides from the Defense Information Systems Agency.

But virtualization is not standardized enough for security practices to be mature. And many organizations are focusing too much on checklists and not enough on comprehensive security, Farrow said.

"What we see time and again is that people do the bare minimum to meet with the checklist," he said. Even though they meet audit requirements and comply with policies, they are not secure.

"All configuration standards and guidelines should be considered a bare minimum," Shackleford said. They are a starting point, not the goal.

He said many administrators are still waiting for vendors to provide tools that can protect a virtual environment without slowing it down too much. "The impact on performance in a virtual environment is compounded because they share the same physical platform," he said.

But Ben-Efraim, whose company makes a virtual firewall to protect network elements inside a single box, said adequate technology to secure virtual networks is already available.

"There are enough virtual security vendors with enough flavors and solutions to make your virtual implementation more secure," he said. The sticking point is a lack of awareness and consensus on best practices.

At least one company says securing a virtual world is not that difficult: IBM has announced that it is virtualizing its Proventia GX appliance for detecting and preventing intrusions.

It is "our first stab at virtualization," said John Pirc, product line and services executive at IBM Internet Security Services. It is the first product of IBM's Project Phantom to bring security into hypervisors.

The virtual system will have the same interface and functionality, but it will run on VMware ESX Version 3.5. It can put an intrusion-prevention system between a Web application and a database, in front of a Web server, at the network interface to a virtual server, or anywhere else connections and access need to be controlled. Its 700Mbps performance means that it won't slow the network, Pirc said.

Building a virtual intrusion-prevention system was not hard, he added. "It's really no different from a traditional IPS," he said. "The majority of it was a lot of quality assurance testing."

Pirc said that although virtual security is not fully mature, the task of developing it is not at the beginning of the curve. "Some changes remain to be made," he said. "I think we're halfway there."

About the Author

William Jackson is the senior writer for Government Computer News (