Does Virtualization Security Really Matter?

May 12, 2010

Is old-school physical security really 'good enough' for virtualization?

Whatever happened to virtualization security?

Back in the day, everyone was talking about blue pills and red pills, about sideways attacks and DOM-0 threats, about security profiles and isolation policies, about perimeter defense and security embedded in the hypervisor.

Then, all of a sudden, the buzz seemed to disappear. It really seems like organizations simply don’t have the time, money, desire, or otherwise to pursue dedicated virtualization security.

Indeed, it seems like most of the pure-play virtualization security vendors have folded, been sold, or reworked their strategy.

For example:

  • Blue Lane ended up being sold to VMware, reputedly at a bargain price, after failing to get any traction.
  • Third Brigade was rolled up into Trend Micro, and now offers a solution for combined ‘physical, virtual and cloud’ protection.
  • Reflex and Catbird have repositioned to highlight their value in configuration, compliance, and/or systems management (in addition to their security value).
  • Tripwire and Configuresoft have long promoted some virtualization security values, but were never really pure-play virtualization security vendors.
  • Even security specialists like Symantec and RSA do not push virtualization security products, preferring mainly to build on existing security paradigms to support virtualization.

Of course VMware still has vShield Zones and the VMsafe API, but of the ISVs it seems that only Altor Networks still plays strongly in the pure-play virtualization security space.

This barely sustaining demand for pure-play virtualization security was reinforced last week in new research from Prism Microsystems (PDF), a software vendor in the SIEM market* (which I learned about in eWeek via @JSchroed). Possible vendor/sample bias aside, this research showed quite starkly how many respondents are securing their virtual environment using traditional (or no) security, and how few are using virtualization-specific security:

Source: Prism Microsystems, ‘2010 State of Virtualization Security Survey’, April 2010

In confirmation of this ennui, Gartner recently predicted at least a 5-year maturity cycle for virtualization security.

All of this is especially perplexing, because there is no doubt virtualization security is still top-of-mind for some very smart and dedicated people. The Prism Microsystems research, for example, says that 86% of its respondents acknowledge that securing virtualization is as important as securing their physical environment.

So I am unclear as to what is causing this lack of market interest. Perhaps CIOs (and/or CISOs):

  • saw virtualization security as unnecessary insurance against threats that have never played out ‘in the wild’
  • rated the potential financial impact of any additional risks as low enough that they can simply accept them
  • believe that vShield Zones and VMsafe are all that is needed (but what about Hyper-V, Xen, etc.?)
  • decided instead to invest in management disciplines with more straightforward ROI (virtualization, automation, configuration management, asset management, etc.)
  • have simply been unable to justify virtualization security purchases during the economic downturn

Whatever the reason, it really does focus the question: does virtualization security really matter?

“Virtualization security is more important theoretically than in practice”

In my opinion, it absolutely does. Yet, it seems to me that decision makers are saying that standalone virtualization security is more important theoretically, from a technology and business perspective, than it is in practice. Most enterprise buyers – for better or worse – apparently believe that their existing security paradigms are at least ‘good enough’. They definitely appear instead to be taking classic intrusion detection, data loss prevention, identity & access, and other entrenched security management disciplines, and adapting them to the new technologies of virtualization (and probably cloud as well).

All of which actually does make sense. Without any major virtualization-specific exploits in evidence, perhaps they are right. While it may be valid to take the view that it is only a matter of time until they are proven wrong, perhaps extending traditional security capabilities into the virtual world is indeed a good approach, at least for now. Perhaps CISOs are actually ahead of the game, integrating management across virtual and physical domains even while their systems and operations counterparts are maintaining virtualization as a silo.

Regardless of whether it is the right approach or not, one thing is apparent – the heat is off the pure-play virtualization security market, at least for now. As CIOs and CISOs focus on applying traditional physical security paradigms on their virtual environments, a different breed of cross-domain, integrated, and extensible tools are proving superior value – at least for now.

5 Responses to Does Virtualization Security Really Matter?

  1. May 13, 2010 at 11:26

    Andy – you might want to speak to your colleagues in the IAM business, and those focusing on privileged identity management, for a different perspective.

    • May 13, 2010 at 17:58

      Hey Steve, thanks for reading, and commenting.

      I don’t want to make this blog too much about CA, but I am talking with CA’s IAM team about privileged identity management for virtualization. I don’t think CA has the problem that I am describing, because our heterogeneous approach applies existing tools to virtual environments, which seems to be the preferred option. As I mention in the 2nd-last para, it may even be a best practice.

      It is the pure-play virtualization security tools that seem to be under-deployed.

      I would love to hear your further thoughts.

      • May 14, 2010 at 13:28

        Past performance is no indication of future activity, as they say. The standalone players have been through a few mutations as a matter of necessity, but we see the early stirrings of sustainable growth – a) because virtualization is reaching real scale, requiring integrated management and b) desktop virtualization is becoming a reality – albeit driven by specific use cases, and with different approaches along the continuum required for distinct user populations.

        • May 15, 2010 at 00:20

          Oh, I’m certainly not saying never. Just right now. 🙂

          And I am well inclined to agree on both points. Integrated management is fundamental to scalability, and desktop virtualization is a whole new kettle of fish. I will be interested to see how the latter plays out especially.