October 03, 2007
Podcast with Configuresoft: The Security Pluses and Pitfalls of Virtualization
Listen to or download the 11:32 minute podcast below:
What follows is a transcript of my podcast with Dennis Moreau, the Founder and Chief Technology Officer for Configuresoft. Dennis Moreau has a long history of applying cutting edge technologies to help solve complex problems in IT. And the cutting edge technology we're going to cover today is virtualization.
Can you give me an overview of virtualization and how it can help a company with security?
Virtualization is basically the idea of hiding the details associated with IT assets in order to provide logical, rather than physical, assets. The interesting thing about this is that it allows a single server to provide multiple virtual servers, if you will, also known as guests. It allows a storage area network to provide multiple virtual file systems to clients. It allows a single application server to host multiple different clients' usage of the same application.
In all of those circumstances, virtualization is driven by a number of compelling economic considerations: consolidating multiple underutilized servers into one shared server allows for better utilization. It's the idea that we end up with reduced power consumption, reduced air conditioning costs, and reduced floor space per unit of computing power. So instead of having lots of iron parts, all underutilized, by consolidating, I get better utilization of that same hardware, same delivery of computing power, but with less iron under the covers, if that makes sense.
What we wind up getting in that circumstance also is a very much easier provisioning of those virtualized assets. If I need a new server, I can spin it up on that shared piece of iron. An interesting way of making the IT infrastructure more agile, more responsive, and lots of compelling benefit there. On the security side of the fence, there are some definite pluses. They are, for instance, that virtualization allows a reduced diversity. If I have fewer permutations of IT platforms to manage, I can pay more attention to keeping those guys managed securely. I can keep them more compliant. I have less patching work to do. Very, very interesting.
I also get a degree of sandboxing. The various virtual guests are insulated from each other in terms of their configurations in some very interesting ways. And, of course, I certainly get improvement in availability and business continuity, which are also key aspects of security. So there are some definite virtualization security pluses to adopting this technology in a very deep sense. Note, though, that virtualization happens at the server level, at the application level, even the browser level, and down at the storage level on an ongoing basis, and it is that very basis that also complicates demonstrating that I've done due care, that I've got compliance in the environment.
Say a company runs Configuresoft's virtualization on their systems. What problems or vulnerabilities does it typically reveal about a company's security?
Configuresoft focuses on that big enterprise view. So the idea that I've got a virtual server farm sitting there, and I've got guests on top of it, and that for those guests to move across that server farm, I've also got virtualized storage under the covers, and as well I may be virtualizing the application to reduce the amount of configuration control that I have to pay attention to, to make provisioning easier.
Well, in doing that, I've injected more technology into the application stack, if you will. I no longer have just a piece of iron and application sitting on top of it. I now have intervening layers of virtualization that I have to manage. Configuresoft concentrates on connecting the dots between the, for instance, security postures of each of the guests and where they share assets. Because a compromised guest sharing a resource under the covers represents a potential denial-of-service attack against even perfectly provisioned, perfectly sandboxed, other guests.
Let me give you the simplest analogy: if I have two boxes, one of them having sensitive data tightly secured, and another one, no sensitive data, completely weakly secured because it has nothing sensitive to protect, let them share the same network segment and all of a sudden, a compromise of that weakly secured guest allows a denial-of-service attack, packet storms, even attempted compromises against the other, perfectly secured asset on the exact same network.
The idea is very much the same. Virtualization encourages sharing of underlying assets, so it creates a coupling of security postures. Configuresoft allows you to get insight into the security posture of a guest and all other co-hosted guests on that same server platform, whether the sharing occurs at the server virtualization level, or other sharing levels across the virtualized infrastructure.
So what are some of the other pitfalls of virtualization?
Well, virtualization by its very nature, that normalized view it gives you of the underlying hardware, hiding the idiosyncratic details, also hides a degree of inter-asset dependency. For instance, two guests on a virtualized server farm communicate over a virtual switch. That is, one guest talking to the other. The packets going over a virtual switch may never hit the outside network. So my intrusion detection and my intrusion prevention systems that are network-based will never see the traffic.
One guest attacking another doesn't trip my intrusion prevention and intrusion detection assets. So some of my layered defenses have less visibility into how two assets are relating to each other, so I've got to do other things to do something about it. Those other things include making sure that the virtual switch has virtual instrumentation that allows me to see mal traffic going between two systems. And, of course, mal traffic is always characterized by white lists, black lists or heuristics. So I have to make sure the instrumentation is in place and those checklists, those things that let me identify mal traffic, are indeed up to date. Very similar to what we do in making sure our antivirus lists, our antispyware, our anti-spam lists are up to date... the signature files, if that makes sense.
So what happens is I've got more configuration stuff to pay attention to. This makes an environment, because of the hiding of details, harder to audit. It's great to have an environment where I've got mechanisms that make things perfectly secure. But frankly, the auditor needs me to prove that they're secure. I've got to be able to demonstrate that all the settings and all the layers of the environment are indeed consistent with my policy, with external best practices, with authoritative guidance. Proving that in a virtualized environment, because of the layers of detail-hiding, because of the dynamics that let me respond to changing business needs, is more complex than it would be if all I had was applications sitting on their dedicated piece of iron and all I had to do was run an assessment on each of the pieces of the asset that are in the environment.
So the dynamics, the degree to which I hid the underlying details, complicate proving that, that is, demonstrating compliance, demonstrating due care in virtualized environments. Does that make sense?
Many companies are having a difficult time with encryption and data security. How does virtualization help with that?
Virtualization allows you to be able to have a much more flexible, as we've suggested, provisioning capability. So, I want to be able to encrypt those potentially sensitive pieces of data and I don't want to encrypt those things that I don't have to. And the reason is because, of course, of the degree of impact on performance and the degree of complication of things like key management for the underlying assets. With virtualization, I get the ability to target encryption at the places where I have patient-identifiable information, client identification and personal identification information like Social Security numbers, financial information.
I can, with virtualization, target the footprint of those sensitive pieces of information and aim my encryption capability in the right place at the right time, but more than that, it's more agile. So where I need to change things, where I consolidate, where I have growth, where I need to expand my provisioning and align things, I've got the ability to do that with virtualization in a far less complicated way than if what I did was instead slap an encryption mechanism between one drive and another then had to figure out how to map my application into that environment.
Or, the alternative, turn on full disk encryption on everything! Which, of course, has performance and availability impact on the environment as well as security in the environment. So the virtualization allows me to target that capability, to control it, and with the right kinds of management insight, with the ability to look through the virtualization layers to connect the dots, it also gives me the ability to audit that effectively.
What do you see for the future of virtualization? I guess, more specifically, do you see virtualization as some sort of technological end point, or do you see virtualization evolving into something else?
Well, if you look at the virtualization product space today, you see virtualization supporting the hardware layer, sort of virtualizing iron, if you will. You also see virtual servers, the ESX kind of environments, the Xen environments, the Microsoft virtualization servers. You see, separately, virtualized storage, virtualized networks, virtualized application environments, virtualized browsers. Note that the menu of things that end users have to cobble together themselves and manage completely independently, with the complexity that we've identified, winds up creating something of a need that needs to be addressed. I believe virtualization as we know it today is not the end point, that what you really want, of course, is that more holistic view of virtualization that recognizes: I do server virtualization and storage virtualization together, so that when I move a guest from one place to another, it's got its file system available to it.
In order to do that, I need virtualization to become more unified. I need to recognize that it's a virtualization application stack, not a server virtualization separate from storage virtualization, separate from application virtualization. So there are two points here: the unification of virtualization is the next step and improvement in how I deal with provisioning a service rather than provisioning each layer of virtualization technology independently. More than that, the manageability of those layers, including the ability to demonstrate forensic compliance across that stack, are absolutely essential next steps that I believe represent the next step in virtualization.
So I don't believe we're at the end point now. I believe we're at the starting point. And that we're going to see a lot of both innovation and evolution in the manageability and the coordination of virtualization so that it's viewed more as a utility for hosting services about which we know a lot in terms of governance, in terms of risk acceptance, and in terms of being able to have a big picture view of how to connect the dots across the layers so that I can do root-cause analysis and a demonstration of configuration compliance at each layer of virtualization but, more importantly, across all of them to represent a business-plausible virtualization stack that lets me control my IT assets.
Posted by pschooff in Podcast