<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Andi Mann - Übergeek &#187; Symantec</title>
	<atom:link href="http://pleasediscuss.com/andimann/tag/symantec/feed/" rel="self" type="application/rss+xml" />
	<link>http://pleasediscuss.com/andimann</link>
	<description>Part-time musings of a full-time technologist</description>
	<lastBuildDate>Sat, 31 Jul 2010 06:08:46 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Does Virtualization Security Really Matter?</title>
		<link>http://pleasediscuss.com/andimann/20100512/does-virtualization-security-really-matter/</link>
		<comments>http://pleasediscuss.com/andimann/20100512/does-virtualization-security-really-matter/#comments</comments>
		<pubDate>Wed, 12 May 2010 20:25:22 +0000</pubDate>
		<dc:creator>Andi</dc:creator>
				<category><![CDATA[CIO]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Blue Lane]]></category>
		<category><![CDATA[Catbird]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[Configuresoft]]></category>
		<category><![CDATA[EMC]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Prism Microsystems]]></category>
		<category><![CDATA[Reflex]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Trend Micro]]></category>
		<category><![CDATA[Tripwire]]></category>
		<category><![CDATA[VMsafe]]></category>
		<category><![CDATA[VMware]]></category>
		<category><![CDATA[vShield]]></category>

		<guid isPermaLink="false">http://pleasediscuss.com/andimann/?p=428</guid>
		<description><![CDATA[Whatever happened to virtualization security?
Back in the day, everyone was talking about blue pills and red pills, about sideways attacks and DOM-0 threats, about security profiles and isolation policies, about perimeter defense and security embedded in the hypervisor.
Then, all of a sudden, the buzz seemed to disappear. It really seems like organizations simply don’t have the time, money, desire, or otherwise to pursue dedicated virtualization security.
Indeed, it seems like most of the pure-play virtualization security vendors have folded, been sold, or reworked their strategy.
For example:

Blue Lane ended up being sold to VMware, reputedly at a bargain price, after failing to get any traction.
Third Brigade was rolled up into Trend Micro, and now offers a solution for combined ‘physical, virtual and cloud’ protection.
Reflex and Catbird have repositioned to highlight their  [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_432" class="wp-caption alignleft" style="width: 298px"><a rel="attachment wp-att-432" href="http://pleasediscuss.com/andimann/20100512/does-virtualization-security-really-matter/old-security/"><img class="size-full wp-image-432 " title="old-security" src="http://pleasediscuss.com/andimann/wp-content/uploads/2010/05/old-security.jpg" alt="Old Physical Security" width="288" height="331" /></a><p class="wp-caption-text">Is old-school physical security really &#39;good enough&#39; for virtualization?</p></div>
<p>Whatever happened to virtualization security?</p>
<p>Back in the day, everyone was talking about blue pills and red pills, about sideways attacks and DOM-0 threats, about security profiles and isolation policies, about perimeter defense and security embedded in the hypervisor.</p>
<p>Then, all of a sudden, the buzz seemed to disappear. It really seems like organizations simply don’t have the time, money, desire, or otherwise to pursue dedicated virtualization security.</p>
<p>Indeed, it seems like most of the pure-play virtualization security vendors have folded, been sold, or reworked their strategy.</p>
<p>For example:</p>
<ul>
<li>Blue Lane ended up being sold to VMware, reputedly <a href="http://virtualization.com/acquisitions-acquisition-takeover/2008/10/09/vmware-buys-blue-lane/">at a bargain price</a>, after failing to get any traction.</li>
<li>Third Brigade was rolled up into Trend Micro, and now offers a solution for <a href="http://us.trendmicro.com/us/solutions/enterprise/security-solutions/virtualization/deep-security/index.html">combined ‘physical, virtual and cloud’ protection</a>.</li>
<li><a href="http://www.reflexsystems.com/">Reflex</a> and <a href="http://www.catbird.com/">Catbird</a> have repositioned to highlight their value in configuration, compliance, and/or systems management (in addition to their security value).</li>
<li>Tripwire and Configuresoft have long promoted some virtualization security values, but were never really pure-play virtualization security vendors.</li>
<li>Even security specialists like Symantec and RSA do not push virtualization security products, preferring mainly to build on existing security paradigms to support virtualization.</li>
</ul>
<div class="pullquote">“Even security specialists like Symantec and RSA do not push virtualization security”</div>
<p>Of course VMware still has vShield Zones and the VMsafe API, but of the ISVs it seems that only <a href="http://altornetworks.com/">Altor Networks</a> still plays strongly in the pure-play virtualization security space.</p>
<p>This barely sustaining demand for pure-play virtualization security was reinforced last week in <a href="http://www.prismmicrosys.com/documents/VirtualizationSecuritySurvey2010.pdf">new research from Prism Microsystems</a> (PDF), a software vendor in the SIEM market* (which I learned about in <a href="http://www.eweek.com/c/a/Virtualization/A-Practical-Guide-to-Managing-a-Virtual-Data-Center-176157/">eWeek</a> via <a href="http://twitter.com/JSchroedl/">@JSchroed</a>). Possible vendor/sample bias aside, this research showed quite starkly how many respondents are securing their virtual environment using traditional (or no) security, and how few are using virtualization-specific security:</p>
<div id="attachment_445" class="wp-caption aligncenter" style="width: 600px"><a rel="attachment wp-att-445" href="http://pleasediscuss.com/andimann/20100512/does-virtualization-security-really-matter/prismsecuritydeployments/"><img class="size-full wp-image-445" title="PrismSecurityDeployments" src="http://pleasediscuss.com/andimann/wp-content/uploads/2010/05/PrismSecurityDeployments.gif" alt="Prism Microsystems, ‘2010 State of Virtualization Security Survey’, April 2010" width="590" height="399" /></a><p class="wp-caption-text">Source: Prism Microsystems, ‘2010 State of Virtualization Security Survey’, April 2010</p></div>
<p>In confirmation of this ennui, <a href="http://www.scmagazineus.com/gartner-virtualization-security-will-take-time/article/165932/">Gartner recently predicted</a> at least a 5 year maturity cycle for virtualization security.</p>
<p>All of this is especially perplexing, because there is no doubt virtualization security is still top-of-mind for some very smart and dedicated people. The Prism Microsystems research, for example, says that 86% of its respondents acknowledge that securing virtualization is as important as securing their physical environment.</p>
<p>So I am unclear as to what is causing this lack of market interest. Perhaps CIOs (and/or CISOs):</p>
<ul>
<li>saw virtualization security      as unnecessary insurance against threats that have never played out      ‘in the wild’</li>
<li>rated the potential      financial impact of any additional risks as low enough that they can simply      accept them</li>
<li>believe that vShield Zones      and VMsafe are all that is needed (but what about Hyper-V, Xen, etc.?)</li>
<li>decided instead to invest      in management disciplines with more straightforward ROI (virtualization,      automation, configuration management, asset management, etc.)</li>
<li>have simply been unable to      justify virtualization security purchases during the economic downturn</li>
</ul>
<p>Whatever the reason, it really does focus the question: does virtualization security really matter?</p>
<div class="pullquote">“Virtualization security is more important theoretically than in practice”</div>
<p>In my opinion, it absolutely does. Yet, it seems to me that decision makers are saying that standalone virtualization security is more important theoretically, from a technology and business perspective, than it is in practice. Most enterprise buyers – for better or worse – apparently believe that their existing security paradigms are at least ‘good enough’. They definitely appear instead to be taking classic intrusion detection, data loss prevention, identity &amp; access, and other entrenched security management disciplines, and adapting them to the new technologies of virtualization (and <a href="http://www.ca.com/us/products/collateral.aspx?cid=235665">probably cloud as well</a>).</p>
<p>All of which actually does make sense. Without any major virtualization-specific exploits in evidence, perhaps they are right. While it may be valid to take the view that it is only a matter of time until they are proven wrong, perhaps extending traditional security capabilities into the virtual world is indeed a good approach, at least for now. Perhaps CISOs are actually ahead of the game, integrating management across virtual and physical domains even while their systems and operations counterparts are maintaining virtualization as a silo.</p>
<p>Regardless of whether it is the right approach or not, one thing is apparent – the heat is off the pure-play virtualization security market, at least for now. As CIOs and CISOs focus on applying traditional physical security paradigms to their virtual environments, a different breed of cross-domain, integrated, and extensible tools is proving its superior value – at least for now.</p>
]]></content:encoded>
			<wfw:commentRss>http://pleasediscuss.com/andimann/20100512/does-virtualization-security-really-matter/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
		</item>
		<item>
		<title>Microsoft Acquires Opalis</title>
		<link>http://pleasediscuss.com/andimann/20091211/microsoft-acquires-opalis/</link>
		<comments>http://pleasediscuss.com/andimann/20091211/microsoft-acquires-opalis/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 15:30:42 +0000</pubDate>
		<dc:creator>Andi</dc:creator>
				<category><![CDATA[Data Center Automation]]></category>
		<category><![CDATA[Systems Management]]></category>
		<category><![CDATA[application virtualization]]></category>
		<category><![CDATA[BMC]]></category>
		<category><![CDATA[CA]]></category>
		<category><![CDATA[Hewlett Packard]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[IT Process Automation]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[NetIQ]]></category>
		<category><![CDATA[Novell]]></category>
		<category><![CDATA[Opalis]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://pleasediscuss.com/andimann/?p=166</guid>
		<description><![CDATA[Today Microsoft Corporation (NASD:MSFT) announced a definitive agreement to acquire Opalis Inc., the leading independent vendor of IT Process Automation (ITPA) software.
IT Process Automation (ITPA) is a Data Center Automation (DCA) discipline that EMA defines as “the ability to automate and integrate the workflow of complex, multi-discipline IT management processes.” This automation can replace many manual, resource-intensive, and error-prone activities that typically cross multiple IT components, disciplines, and/or departments. ITPA delivers exceptional results including freeing up 77% more staff for strategic projects, providing more than 60 additional hours of system availability per year, and saving an average $500,000 more per year on staff costs than other Data Center Automation (DCA) disciplines.
This space has been gaining interest, both expanding and consolidating, for some time, as evidenced by significant development and acquisition activity from Novell (ZENworks, PlateSpin), HP (Opsware, iConclude), BMC Software (RealOps, Atrium), NetIQ (Aegis), Symantec (T-Logic, Altiris), and CA (Optinuity, [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_177" class="wp-caption alignleft" style="width: 250px"><a href="http://pleasediscuss.com/andimann/?attachment_id=177"><img class="size-full wp-image-177" title="MS-Opalis" src="http://pleasediscuss.com/andimann/wp-content/uploads/2010/01/MS-Opalis.jpg" alt="Microsoft and Opalis Logos" width="240" height="133" /></a><p class="wp-caption-text">Microsoft and Opalis</p></div>
<p>Today Microsoft Corporation (NASD:MSFT) announced a definitive agreement to acquire Opalis Inc., the leading independent vendor of IT Process Automation (ITPA) software.</p>
<p>IT Process Automation (ITPA) is a Data Center Automation (DCA) discipline that EMA defines as “<em>the ability to automate and integrate the workflow of complex, multi-discipline IT management processes</em>.” This automation can replace many manual, resource-intensive, and error-prone activities that typically cross multiple IT components, disciplines, and/or departments. ITPA delivers exceptional results including freeing up 77% more staff for strategic projects, providing more than 60 additional hours of system availability per year, and saving an average $500,000 more per year on staff costs than other Data Center Automation (DCA) disciplines.<span id="more-166"></span></p>
<p>This space has been gaining interest, both expanding and consolidating, for some time, as evidenced by significant development and acquisition activity from Novell (ZENworks, PlateSpin), HP (Opsware, iConclude), BMC Software (RealOps, Atrium), NetIQ (Aegis), Symantec (T-Logic, Altiris), and CA (Optinuity, Spectrum).</p>
<p>I think this is an excellent move by Microsoft. It will certainly make customers of both companies very happy. Microsoft and its customers gain an exceptional solution, in a discipline area that Microsoft was clearly lacking, and one which delivers many proven and exceptional benefits. For Opalis customers, it is probably a mixed bag. It will be a major change, but with Microsoft’s strength and stability, it is likely to be a positive outcome overall for Opalis customers.</p>
<p>This is, however, a huge blow for competitors, especially for the few large management vendors that have not yet acquired or built an ITPA solution or components, or whose own ITPA capabilities are less than stellar. For other large management vendors with credible or better ITPA capabilities, this is both an opportunity and a threat. For mid-sized vendors that compete with Opalis or Microsoft Systems Center, and especially smaller vendors, this is a horrible result. Overall, most vendors will have to hustle to respond, although many will be unable to do so.</p>
<p>Meanwhile, Microsoft, Opalis, and their customers should be ecstatic with this deal. Few acquisitions are so clearly positive for the stakeholders as this.</p>
<p>You should be able to check out what the executives from both companies have to say in their blog posts:</p>
<ul>
<li>Blog post from Brad Anderson, Microsoft Corporate Vice President: <a href="http://blogs.technet.com/systemcenter/default.aspx">http://blogs.technet.com/systemcenter/default.aspx</a></li>
<li>Blog post from Todd DeLaughter, President &amp; CEO of Opalis Software: <a href="http://www.opalis.com/blog.asp?id=1">http://www.opalis.com/blog.asp?id=1</a></li>
</ul>
<p>Meanwhile, I will be expanding on the impact of this acquisition very soon with a full EMA Impact Brief. Keep your eyes out for that one &#8211; lots of significant implications for customers and competitors, without doubt!</p>
]]></content:encoded>
			<wfw:commentRss>http://pleasediscuss.com/andimann/20091211/microsoft-acquires-opalis/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>You Cannot Separate Security and Systems Management</title>
		<link>http://pleasediscuss.com/andimann/20091201/cannot-separate-security-systems-management/</link>
		<comments>http://pleasediscuss.com/andimann/20091201/cannot-separate-security-systems-management/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 19:57:42 +0000</pubDate>
		<dc:creator>Andi</dc:creator>
				<category><![CDATA[Systems Management]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[CA]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Configuresoft]]></category>
		<category><![CDATA[EMA]]></category>
		<category><![CDATA[EMC]]></category>
		<category><![CDATA[Enterprise Management Associates]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[Ionix]]></category>
		<category><![CDATA[Reflex Systems]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Tripwire]]></category>

		<guid isPermaLink="false">http://pleasediscuss.com/andimann/?p=131</guid>
		<description><![CDATA[A few days ago I was pleased to brief again with Reflex Systems. Apart from the fact that they are doing some very cool things with virtualization management, their approach struck me as, if not unique, at least pleasantly rare.
Good for them!
What I liked most was that they are trying to break down the barriers between systems and security management. Certainly this is something that I discuss regularly with enterprises – the need to stop focusing on silo-based management, and perhaps even more importantly, to stop pandering to silo-focused low-level managers. Almost all of the CIOs, VPs, and IT Directors who I talk with are critically aware of the problems these silos cause – including human errors, resource inefficiencies, security problems, and higher costs.
This is also a constant discussion I have within EMA, especially with the lead of our security practice, Scott Crawford – a brilliant mind on security (amongst [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-196" href="http://pleasediscuss.com/andimann/20091201/cannot-separate-security-systems-management/479465_530274441/"><img class="alignleft size-thumbnail wp-image-196" title="479465_53027444[1]" src="http://pleasediscuss.com/andimann/wp-content/uploads/2009/12/479465_530274441-150x99.jpg" alt="" width="150" height="99" /></a>A few days ago I was pleased to brief again with <a href="http://www.reflexsystems.com/">Reflex Systems</a>. Apart from the fact that they are doing some very cool things with virtualization management, their approach struck me as, if not unique, at least pleasantly rare.</p>
<p>Good for them!</p>
<p>What I liked most was that they are trying to break down the barriers between systems and security management.<span id="more-131"></span> Certainly this is something that I discuss regularly with enterprises – the need to stop focusing on silo-based management, and perhaps even more importantly, to stop pandering to silo-focused low-level managers. Almost all of the CIOs, VPs, and IT Directors who I talk with are critically aware of the problems these silos cause – including human errors, resource inefficiencies, security problems, and higher costs.</p>
<p>This is also a constant discussion I have within EMA, especially with the lead of our security practice, Scott Crawford – a brilliant mind on security (amongst many other subjects) who constantly thinks about security in ways I never could or would. We work and publish together on this topic frequently. Indeed, it has come up again in our latest research, which shows that security and risk management are a fundamental requirement for cloud computing – or what EMA calls the ‘Responsible Cloud’.</p>
<p>The upshot of all these conversations is simple – security management and systems management are not, cannot, and should not be completely separate. Not in human terms, not in processes, and not in technologies. Without doubt, anyone in a large enterprise who has ever tried to implement a patch, a configuration change, a firewall update, a software release, or a hundred other data center changes will attest to this in a heartbeat.</p>
<p>Of course (as Scott rightly pointed out when I last spoke with him about this), we will always need security experts, and systems experts &#8211; the two disciplines are not the same, and we will always need deep domain expertise in each. So I am not advocating complete convergence. But we need more software tools that provide integration and interoperability that allow these professionals to work more effectively together.</p>
<p>While multi-function vendors like <a href="http://www.ca.com/">CA</a>, <a href="http://www.symantec.com/">Symantec</a>, <a href="http://www.ibm.com/">IBM</a>, and others have the product portfolio to approach these cross-silo problems holistically, there are few ‘best of breed’ vendors thinking this way. Of course, <a href="http://www.tripwire.com/">Tripwire</a> and the ever-inspiring <a href="http://www.tripwire.com/company/management/">Gene Kim</a> (who I have sadly never met) spring to mind for me; so would <a href="http://www.configuresoft.com/">Configuresoft</a> (although now as part of <a href="http://www.emcionix.com/">EMC Ionix</a>, hardly a niche vendor), and the indefatigable <a href="http://www.configuresoft.com/moreau.aspx">Dennis Moreau</a>. Both inspire their teams, technologies, and customers by championing a fundamental understanding that systems and security cannot, at their heart, be completely separated.</p>
<p>(As an aside, these two seem like they would have been incredibly compelling arch-enemies in some ubergeek superhero genre – although I would never want to choose which should be the hero and which the villain!)</p>
<p>I must say that, so far at least, I don’t know the product design team from Reflex personally – guys like <a href="http://www.reflexsystems.com/Company/ExecutiveBiographies">Hezi Moore, Aaron Bawcom, and Mike Wronski</a> – as well as I do Dennis or Gene. However, I do know that they all have very credible security chops. Plus, one thing is clear to me.</p>
<p>They get it. They really get it.</p>
<p>And that in itself is a thing of rare beauty.</p>
<p>Deliberately designing functionality that addresses both security and systems management – like functional isolation, integrated access control, change segregation, granular audit trails, policy based management, and role-based access – into a systems management toolset is a rare feat, especially in startup and niche products. It is something I look for all the time, because my enterprise clients often demand it. Sadly, all too often I fail to find it – and I am not even a real security wonk! When I do, I am pleasantly surprised. When I see deep thought going into the security value of a systems management product, I am almost ecstatic.</p>
<p>Unfortunately, the challenge for vendors like Reflex and Tripwire (as it was for Configuresoft, and perhaps is still for EMC, Symantec, etc.) is to find customers that value this synergy. While most high-level IT execs understand this imperative, their holistic view frequently does not translate to many of their lower-level managers, or to many functional IT practitioners.</p>
<p>Of course, there are plenty of departmental ops managers and security managers who do get it. They strive to connect their teams with other groups, driving greater business efficiency and effectiveness as a result. However, unfortunately, many do not, instead focusing on protecting their small empires, walling themselves off from integrated management and cross-functional resourcing.</p>
<p>Similarly, many positive-minded individual technicians will actively seek out cross-skilling opportunities, recognizing that it makes them not just more useful but also more valuable, and more indispensable. However, many practitioners (both security and ops) can be just as bad as the most myopic managers (who they often work for), dogmatically eschewing integrated management tools and processes, seeing them as threats to their own personal domains of control.</p>
<p>Sad but true, best practices like breaking down IT management silos are not always adopted.</p>
<p>Fortunately, vendors like Reflex and Tripwire that have expertise and passion in both ops and security (and – shameless plug – trusted advisors like EMA, which is big enough to have experts in both disciplines, yet small enough that we still work together), are trying to break down these barriers.</p>
<p>And more power to them. They serve their clients much better by promoting the undeniable facts that security values are critical to systems management, and systems management is critical to security.</p>
]]></content:encoded>
			<wfw:commentRss>http://pleasediscuss.com/andimann/20091201/cannot-separate-security-systems-management/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>Why &#8216;Endpoint Virtualization&#8217;?</title>
		<link>http://pleasediscuss.com/andimann/20091103/why-endpoint-virtualization/</link>
		<comments>http://pleasediscuss.com/andimann/20091103/why-endpoint-virtualization/#comments</comments>
		<pubDate>Tue, 03 Nov 2009 16:00:05 +0000</pubDate>
		<dc:creator>Andi</dc:creator>
				<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[application virtualization]]></category>
		<category><![CDATA[Citrix]]></category>
		<category><![CDATA[DaaS]]></category>
		<category><![CDATA[Desktone]]></category>
		<category><![CDATA[desktop virtualization]]></category>
		<category><![CDATA[Doyenz]]></category>
		<category><![CDATA[endpoint virtualization]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[MokaFive]]></category>
		<category><![CDATA[Neocleus]]></category>
		<category><![CDATA[Novell]]></category>
		<category><![CDATA[Quest]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[Virtual Computer]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://pleasediscuss.com/andimann/?p=48</guid>
		<description><![CDATA[Back in September 2009, EMA released a research report that I authored, titled Real World Experiences of Endpoint Virtualization*. In it, I defined and used a new term (for EMA), &#8216;Endpoint Virtualization&#8217;. 
In the report, I defined &#8216;Endpoint Virtualization&#8217; as:
a (mostly) new set of technologies aimed at abstracting the end user experience – typically their logical desktop, application, and/or workspace environments – from the physical systems they rely on to provide that experience – typically a physical desktop or laptop PC.
This primary research covered many different technologies, including:

Application Isolation – where an application is installed locally, but in a ‘bubble’, ‘sandbox’, or ‘layer’ that does not use the standard installation (e.g. VMware ThinApp, Novell ZENworks Application Virtualization)
Remote Application Virtualization – where end users access a single-user application hosted on a remote/data-center system on the corporate LAN (e.g. Citrix XenApp, Microsoft App-V)
Application or OS streaming – where an application or desktop OS [...]]]></description>
			<content:encoded><![CDATA[<p>Back in September 2009, EMA released a research report that I authored, titled <a title="Real World Experiences of Endpoint Virtualization - Research Report" href="http://www.enterprisemanagement.com/research/asset.php?id=1558" target="_blank"><em><span>Real World Experiences of Endpoint Virtualization</span></em></a>*. In it, I defined and used a new term (for EMA), &#8216;Endpoint Virtualization&#8217;. <span id="more-48"></span></p>
<p>In the report, I defined &#8216;Endpoint Virtualization&#8217; as:</p>
<blockquote><p>a (mostly) new set of technologies aimed at abstracting the end user experience – typically their logical desktop, application, and/or workspace environments – from the physical systems they rely on to provide that experience – typically a physical desktop or laptop PC.</p></blockquote>
<p>This primary research covered many different technologies, including:</p>
<ul>
<li>Application Isolation – where an application is installed locally, but in a ‘bubble’, ‘sandbox’, or ‘layer’ that does not use the standard installation (e.g. VMware ThinApp, Novell ZENworks Application Virtualization)</li>
<li>Remote Application Virtualization – where end users access a single-user application hosted on a remote/data-center system on the corporate LAN (e.g. Citrix XenApp, Microsoft App-V)</li>
<li>Application or OS streaming – where an application or desktop OS is delivered incrementally from a remote/data-center system on the corporate LAN (e.g. Symantec Workspace Streaming, Endeavors)</li>
<li>Remote (server-hosted) desktop virtualization – where a user accesses a full desktop environment from a remote/data-center system on the corporate LAN (e.g. Quest vWorkspace, Citrix XenDesktop)</li>
<li>Local (client-hosted) OS virtualization – where a user runs multiple independent operating environment(s) locally on top of their standard operating system (e.g. MokaFive, VMware Fusion)</li>
<li>Client-Side Hypervisor – where a user runs multiple independent operating environment(s) locally directly on the BIOS, without an underlying operating system (e.g. Virtual Computer NxTop, Neocleus)</li>
<li>Browser-based applications – applications hosted on a corporate Web server, accessed over the LAN via a Web browser, with little or no local code installation (typically custom or in-house)</li>
<li>Software-as-a-Service (SaaS) – individual applications hosted by a third party, accessed over the Internet via a Web browser, with little or no local code installation (e.g. Salesforce.com, PingConnect)</li>
<li>Desktop-as-a-Service (DaaS) – entire end-user desktop environments hosted by a third party, accessed over the public Internet, with little or no local code (e.g. Desktone, Doyenz)</li>
</ul>
<p>What I did <span style="text-decoration: underline;"><em>not</em></span> explain, and what a number of people have asked me since, is &#8220;Why does EMA use the term &#8216;Endpoint Virtualization&#8217;?&#8221;</p>
<p>A number of terms have been used by various analysts, media, vendors, and users to describe this space. However, I don&#8217;t think anyone is looking at or defining the same breadth of the market as EMA and I do. Given the research data that showed these technologies were barely separable in real world use cases, I needed a single term that covered all of them.</p>
<p>My first thought (that I used in all the drafts of this report) was &#8216;end-user-facing virtualization&#8217;. While accurate and descriptive, it is too cumbersome to be usable, so I always knew that was going to be replaced.</p>
<p>I also rejected all the other terms I have seen for various reasons:</p>
<ul>
<li>Desktop virtualization, application virtualization &#8211; both too narrow for the broad space I was researching, with each excluding the other</li>
<li>Client virtualization &#8211; the legacy of &#8216;client-server&#8217;, common usage of &#8216;client&#8217; to mean &#8216;customer&#8217;, and lack of breadth killed this for me</li>
<li>Presentation virtualization &#8211; only describes remote delivery, so excludes local virtualization, SaaS, browser apps, etc.</li>
<li>User virtualization &#8211; does not work for me at all, because I think of users as people, not technologies</li>
<li>Workspace virtualization &#8211; too specific to desktop virtualization, plus a &#8216;workspace&#8217; is anything from a cubicle to a bench with a drill-press</li>
</ul>
<p>What&#8217;s more, the end user experience is more than just desktops and laptops. VMware CTO Stephen Herrod spoke at VM Forum Sydney (my home town) about <a title="Herrod tweets about VMware on Android" href="http://twitter.com/herrod/status/5294607493" target="_blank">VMware on Android</a>, and VMware desktop CTO Scott Davis <a title="VMware Desktop Vision" href="http://blogs.vmware.com/view-point/2009/09/vmwares-desktop-vision.html" target="_blank">has been talking Android on his blog too</a>. Similarly, Citrix&#8217;s CEO Mark Templeton demonstrated <a title="Citrix Receiver for iPhone" href="http://www.citrix.com/English/ps2/products/feature.asp?contentID=1685511" target="_blank">Citrix Receiver for iPhone</a> as far back as May 2009**.</p>
<p>So I looked at the term &#8216;endpoint&#8217;, a term used commonly in IT management, and by many different vendors, in phrases such as &#8216;endpoint management&#8217;, &#8216;endpoint security&#8217;, &#8216;endpoint encryption&#8217;, &#8216;data endpoint&#8217;, &#8216;endpoint provisioning&#8217;, etc. By most definitions, &#8216;endpoint&#8217; accommodates all the ways computing experiences can be made available to, and used by, an end user &#8211; including PCs, Macs, desktops, laptops, &amp; mobile devices; centralized or Internet-based delivery mechanisms as well as local implementations; full desktop operating systems or just individual applications; and both online and offline use cases.</p>
<p>Thus, I settled on &#8216;Endpoint Virtualization&#8217; as EMA&#8217;s standard term for these various technologies.</p>
<p>Will it hold up over time? Will an irresistible groundswell form behind some other term that will force me to change? It is hard to tell, and I am certainly interested in your opinions. For now though, I think this is the best possible term, and will continue to use it throughout my writings and presentations with EMA.</p>
<p>Andi.</p>
<hr /><p><span>* Shameless plug &#8211; I am presenting a free Webinar to review some of the research on Dec 3rd &#8211; <a title="Real World Experiences of Endpoint Virtualization - Free Webinar" href="http://www.enterprisemanagement.com/research/asset.php?id=1597" target="_blank">you can register for it at EMA&#8217;s website</a></span></p>
<p><span>** </span>Off-topic &#8211; what is it with vendor C-level elites targeting edge platforms like Android and iPhone? Seems to me it would be more useful if they targeted the enterprise-friendly mobile platforms that more <span style="text-decoration: underline;"><em>real</em></span> business users work on &#8211; like Blackberry or Windows Mobile.  But that is a rant for another time <img src='http://pleasediscuss.com/andimann/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://pleasediscuss.com/andimann/20091103/why-endpoint-virtualization/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Virtual Appliances &#8211; More Risk than Reward?</title>
		<link>http://pleasediscuss.com/andimann/20091029/virtual-appliances-risk-reward/</link>
		<comments>http://pleasediscuss.com/andimann/20091029/virtual-appliances-risk-reward/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 22:01:03 +0000</pubDate>
		<dc:creator>Andi</dc:creator>
				<category><![CDATA[Systems Management]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Citrix]]></category>
		<category><![CDATA[IBM]]></category>
		<category><![CDATA[KACE]]></category>
		<category><![CDATA[Reflex]]></category>
		<category><![CDATA[SourceFire]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[up.time]]></category>
		<category><![CDATA[virtual appliance]]></category>
		<category><![CDATA[VKernel]]></category>

		<guid isPermaLink="false">http://pleasediscuss.com/andimann/?p=42</guid>
		<description><![CDATA[I have to say – and I have said it before – I am not a great fan of the ‘virtual appliance’ model for delivering enterprise management software. Specifically, I have ongoing concerns about how these software appliances break compliance, security, and other important management and policy requirements.
For example:

Virtual appliances add an unknown operating system to the environment. It is typically a slimmed-down Linux distro, but you rarely know &#8211; it could be DR-DOS 6.2 or a pirate copy of Windows ME. This breaks any software SOE, ignoring top level decisions on OS stability, reliability, longevity, security, etc.
Administrators have virtually no control over virtual appliance management. Management functions are required for any software, but virtual appliances rely entirely on a middle-man for proper OS, middleware, application, and database patches &#38; upgrades, malware detection, performance monitoring, problem analysis, etc.
Even when ad hoc management is possible, it is almost always manual. You [...]]]></description>
			<content:encoded><![CDATA[<p>I have to say – and I have said it before – I am not a great fan of the ‘virtual appliance’ model for delivering enterprise management software. Specifically, I have ongoing concerns about how these software appliances break compliance, security, and other important management and policy requirements.<span id="more-42"></span></p>
<p>For example:</p>
<ul>
<li>Virtual appliances add an unknown operating system to the environment. It is typically a slimmed-down Linux distro, but you rarely know &#8211; it could be DR-DOS 6.2 or a pirate copy of Windows ME. This breaks any software SOE, ignoring top level decisions on OS stability, reliability, longevity, security, etc.</li>
<li>Administrators have virtually no control over virtual appliance management. Management functions are required for any software, but virtual appliances rely entirely on a middle-man for proper OS, middleware, application, and database patches &amp; upgrades, malware detection, performance monitoring, problem analysis, etc.</li>
<li>Even when <em>ad hoc</em> management is possible, it is almost always manual. You can’t put agents on most virtual appliances, they don&#8217;t come with WMI, and most have only a GUI for management. So you cannot use standard tools or automation, which wastes admins&#8217; time, risks audit non-compliance, and invites human error.</li>
<li>Security is a particular concern. Timeliness of patches, effectiveness of hardening processes, zero-day threat response, malware protection, and so on are all at the whim of the vendor, and rarely disclosed to the customer.</li>
<li>You pretty much have to pay maintenance. If you don&#8217;t, chances are you simply cannot keep a virtual appliance up-to-date yourself.</li>
</ul>
<p>Of course, many of the same criticisms can be levelled against physical appliances. I have even talked with one enterprise that will not deploy even <span style="text-decoration: underline;"><em>physical</em></span> management appliances because they would break the company&#8217;s hardware SOE (even though network devices, storage systems, and other &#8216;boxes&#8217; are often just purpose-built appliances). However, with just an Ethernet cable connecting them to the enterprise, and a generally slimmer system profile, they seem to pose a lesser risk. They are also much simpler than virtual appliances, which add (in many cases unnecessarily) a layer of complexity and abstraction that physical appliances do not, by virtue of being encapsulated within a virtual machine. Moreover, the resources and effort to build a &#8216;real&#8217; appliance are far greater than just slapping some software into a virtual machine, so physical appliance vendors seem somehow more committed, more reliable.</p>
<p>Is this distinction fair? Possibly not. But regardless of my own concerns, my research has shown that virtual appliances are the least-preferred of any form factor for management software, with physical appliances, niche software, and even software suites more preferred. Really, when the dreaded &#8216;framework&#8217; is more popular than you, perhaps you really are an ugly duckling.</p>
<p>Which is not to say that virtual appliances are pointless. They are easy to implement, provide fast time-to-value, and are especially good for trials and POCs. They require little or no tuning, and the OS environment is often a bare bones install which is fast and efficient. Unlike physical appliances, they are easily scalable, and highly mobile. They can be deployed in seconds (maybe minutes) even to far-flung locations in regional offices with zero travel time and cost. And they allow even a sysop to deploy a new management server without getting the network, storage, security, or server teams involved. All of these are powerful factors in their favour.</p>
<p>I am also seeing, despite their potential issues, that several vendors are being very successful selling virtual appliances. KACE, for example, told me today that 26% of their total sales in Q3&#8242;09 have been of <a title="Virtual KBOX Systems Management Appliances" href="http://www.kace.com/products/virtual-appliance/virtual-kbox.php" target="_blank">their virtual appliance, the V-KBOX</a>; VKernel provide all their software in virtual appliance formats, and their <a title="VKernel Reports Record Third Quarter Sales" href="http://www.vkernel.com/resources/pressreleases/Q3_2009_Success_FINAL/" target="_blank">Q3&#8242;09 sales were 205% up on Q3&#8242;08</a>; Citrix is finding a remarkable early demand for their <a title="Citrix Netscaler VPX" href="http://www.citrix.com/English/ps2/products/feature.asp?contentID=1689968" target="_blank">Netscaler VPX virtual appliance</a>. Meanwhile, IBM, Symantec, up.time, Reflex, SourceFire, and several others are aggressively in or entering the market for management systems delivered as virtual appliances.</p>
<p>I also think that virtual appliances have a bright future &#8211; but in some ways I continue to see them as a beta version of what could (or should) come next.  By adding in capabilities for responsible and accountable management, they could form the basis of more fully-functional virtual service management containers. These in turn could form the basis of elastic, mobile, network-deployed, responsible cloud appliances that deliver complete end-to-end service management without regard to physical location or domain of control.</p>
<p>A couple of vendors are clearly headed this way, but even without this level of sophistication and maturity,  it certainly seems like vendors and buyers are increasingly embracing virtual appliances, despite their many potential flaws.</p>
<p>Perhaps I should too?</p>
<p>Andi.</p>
]]></content:encoded>
			<wfw:commentRss>http://pleasediscuss.com/andimann/20091029/virtual-appliances-risk-reward/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
	</channel>
</rss>
