But what are virtual appliances and what can they bring to your enterprise? In this column, we'll discuss the benefits these appliances bring, but more importantly, we'll delve into the even greater risks they bring.
VMware coined the term "virtual appliance," using it to refer to a self-contained virtual machine that is powered by a tailored operating system (usually Linux) and which has a pre-configured application on top.
Customers purchase and download the virtual machine, power it on, provide a few configuration details and reach operational status in minutes. Virtual appliances make this process even easier than traditional appliances, which are common in IT security for firewall, IDS/IPS or antivirus uses.
After spreading the virtual appliances concept to worldwide IT communities in the first quarter of 2006 with a munificent competition called the Ultimate Virtual Appliances Challenge, VMware continued to push the concept during its annual conference: VMworld 2006.
In front of almost 7,000 attendees at VMworld 2006 in October, VMware's top management spent several sessions endorsing the virtual appliances approach and launched a marketplace, in which customers could buy pre-configured virtual machines from several partner ISVs (independent software vendors), and a certification program.
Microsoft has actually cut away from this emerging market because of the current Windows licensing terms, which prevent
Microsoft's move is still far from a redistribution point like the VMware Virtual Appliances Marketplace, but Microsoft already stated that its program would involve several partners before the end of the year, with a further extension to desktop solutions in early 2007.
With the two most important virtualization players moving in the same direction, customers might start to see virtual appliances as a good solution. Yet despite the moves of VMware and Microsoft, virtual appliances are not necessarily the best approach for all companies and may even carry more risks than evident benefits.
Benefits of virtual appliances
Obviously virtual appliances can provide some notable benefits to both small and large companies.
As is the case with physical appliances, virtual appliance customers need not worry much about securing the operating system, nor must they perform continuous adjustments to reach optimal performance.
The whole software stack in a virtual appliance is hardened and optimized by the provider, and if anything must be updated, customers receive a brand new virtual machine image to replace the old one in minutes. These characteristics allow companies to invest their money in training and maintenance time for the application only rather than for the underlying operating system.
The already low total cost of ownership of a traditional appliance is even lower when we go virtual. Virtual hardware costs nothing, which means considerable savings both for vendors building appliances and for customers that purchase them.
Virtual hardware also largely eliminates hardware obsolescence, allowing customers to upgrade a purchased solution at any time depending on company needs, just by allocating more physical resources to the virtual appliance.
Last but not least, virtual machines run almost everywhere and as self-contained units, without caring which hardware and software is used as the corporate standard. This further reduces deployment times.
Considering all these aspects together, virtual appliances give companies the chance to choose the applications they need without caring which operating systems they are written for or which hardware requirements have to be satisfied.
Risks of virtual appliances
Given the notable benefits, it's hard to believe that virtual appliances might be dangerous, but unfortunately, there are some serious downsides to consider.
The very first doubt about virtual appliances concerns the robustness of their security. Although virtual appliances provide a fast way to replace the whole operating system image, they don't really remove the need for patching. Even if the internal operating system (OS) is greatly hardened, the remaining components still suffer security issues and have to be replaced.
And the virtual appliances concept implies that customers lack full control of the environment, so patching is up to someone else. Who?
Three kinds of companies end up responsible for patching: small ISV start-ups, bigger vendors, or third-party virtual appliance producers.
In the first case, the risks are enormous and customers must understand that although the virtual appliances market is similar to the physical appliance market, the two are not identical. Developing a physical appliance is a huge investment that cannot be compared to assembling a virtual machine with a tailored OS and a pre-configured application on top.
A young ISV may have few resources to develop a customized operating system for its own application, perform tons of QA tests and keep the image updated when a new software patch is released. The most likely path would be to offer a virtual appliance with a default OS installation, which is easier to test and to patch when needed. But a default installation means a lot of unneeded services, which translates into a higher security risk.
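As an added example (not code from the column), a defender-side acceptance check for the "default installation means unneeded services" risk above: compare the sockets a delivered appliance actually listens on with the short service list its vendor documents, so every leftover daemon is known and tracked for patches. The `ss -tlnp` output and the documented-service table are constructed, and the vendor and appliance are hypothetical.

```python
"""Acceptance check: which listeners in a virtual appliance did the vendor not document?"""
import re

# Assumed vendor-documented services for a hypothetical appliance: (proto, port) -> name.
DOCUMENTED = {("tcp", 443): "appliance web UI", ("tcp", 22): "admin ssh"}

# Constructed sample of `ss -tlnp` output captured inside the appliance VM.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*        users:(("sshd",pid=612,fd=3))
LISTEN 0      511    *:443              *:*              users:(("nginx",pid=701,fd=6))
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*        users:(("master",pid=655,fd=13))
LISTEN 0      50     0.0.0.0:111        0.0.0.0:*        users:(("rpcbind",pid=401,fd=4))
LISTEN 0      128    [::]:5353          [::]:*           users:(("avahi-daemon",pid=455,fd=12))
"""

# Matches one LISTEN row: local address, port and the first process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(ss_output, proto="tcp"):
    """Return a list of (proto, port, process, bind_addr) for each LISTEN row."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:  # header and non-LISTEN rows are skipped
            found.append((proto, int(m.group(2)), m.group(3), m.group(1)))
    return found


def undocumented_listeners(listeners, documented=DOCUMENTED):
    """Split listeners the vendor did not document into network-exposed and
    loopback-only ones; the latter are a smaller surface but still need patches."""
    report = {"exposed": [], "local": []}
    for proto, port, proc, addr in listeners:
        if (proto, port) in documented:
            continue
        bucket = "local" if addr in LOOPBACK else "exposed"
        report[bucket].append((port, proc))
    return report


if __name__ == "__main__":
    report = undocumented_listeners(parse_listeners(SAMPLE_SS))
    for bucket, items in report.items():
        for port, proc in items:
            print(f"{bucket:8s} tcp/{port:<5d} {proc}  (not in vendor documentation)")
```

Run the same check again after every appliance image update: a service that appears only in the new image is a change the vendor did not announce.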
On the other hand, if the ISV decides to harden its environment, it may lack the experience to reach a reliable and mature solution. But today, popular projects like rBuilder make this task very easy, and anybody proficient enough with Linux should be able to offer a slim virtual appliance.
In the case of bigger and more popular (thus considered reliable) vendors, we face different but equally serious problems. Even firms like Oracle are unable to offer a reliable security development life cycle for their own applications. They spend millions improving the quality of code design and auditing, and they still have to patch dozens of vulnerabilities per month.
Securing an operating system is an even bigger and economically exhausting challenge than securing applications (ask Microsoft). It's highly improbable that all major vendors will develop a new Linux distribution for their virtual appliances. Choosing the existing Linux distribution with the most reliable support, the smallest number of past vulnerabilities and the fastest release time for patches will be the obvious choice for cost reduction.
But even this way you have to wait for a new patch, implement it inside the virtual appliance, verify reliability of your applications inside the updated environment, re-submit the solution to VMware for certification purposes, and finally distribute the virtual machine to customers.
This process is too long to assure customers a fast answer to new vulnerabilities, and even an auto-updating feature would only partially reduce patch deployment times.
In other words, customers adopting virtual appliances in order to improve environment security may suffer a longer exposure time and reduce their ability to react to new threats.
The third case is the worst one: buying a virtual appliance from a third-party provider. These companies, which will spring up like mushrooms along with the virtual appliances bubble, simply take a standard operating system and a standard application, merge them together inside a virtual machine, then apply some degree of hardening and optimization.
These modifications are not officially supported, neither by the OS distributor nor by the application vendor. Customers simply trust someone who proposes a configuration, just as they already do when paying a system integrator to perform a product installation.
But in this case the virtual consultant, offering its own virtual appliance, does not provide extensive documentation of the configuration process. If something goes wrong, the virtual machine really becomes a black box that nobody can maintain anymore.
Security is not the only concern about virtual appliances. The features that make them so desirable are the same ones that make them so inadequate in many enterprise environments. It's common understanding that any enterprise application of average complexity will not meet performance requirements with its default configuration. Sometimes the fine-tuning process is so long and delicate that vendors send one or two specialists onsite to tweak until the application performs as expected.
This doesn't depend on configuration complexity, something virtual appliances mitigate well, but on the inherent process of customization that any big company requires.
The virtual appliance approach is anything but flexible in this respect. Adopting it when heavy modifications are needed may translate into capping your own applications.
The strategy behind
Although VMware has some interest in pushing its virtual appliances to indirectly increase sales of its virtualization products, the company is using them primarily to counteract a different threat: the endless dependence on Microsoft imposed by ubiquitous Windows adoption.
At the moment, the majority of virtualized environments are Windows, and Microsoft is relatively friendly to third-party virtualization platforms, allowing its OS to run inside any virtual machine. It's safe to say VMware's fortunes mainly depend on Microsoft.
But things may change at any time. For example, Microsoft may decide to completely change its licensing strategy and permit Windows to run virtualized only for customers adopting its upcoming Windows Server Virtualization hypervisor, formerly code-named Viridian. Or, if this violates anti-trust laws, the company may allow just one copy of Windows inside any third-party virtualization product but unlimited copies only inside its own hypervisor.
In those cases, no price cuts could help VMware sell its solutions anymore.
By pushing the idea of a whole virtual appliance that is easy to use and flexible, the company hopes customers will stop preferring Windows for its fast learning curve and flexibility, mitigating the loss of new sales should Microsoft change its mind about licensing.
Virtual appliances are an interesting approach that may help in some limited environments. But they don't solve critical problems like patching; they simply shift security responsibilities from customers to ISVs, which is not in itself an improvement.
Those who are interested in these appliances should wait at least one year, evaluating how well vendors handle the pressure coming from the endless flood of security vulnerabilities that affect Linux, like any other OS.
After a year, it should become clear which companies among the new start-ups, consolidated vendors and third-party virtual appliance developers will be able to sustain their own offerings.