Virtualization Strategies for the CIO
sHype, a product of IBM Research, places a secure access layer around the hypervisor running on a physical machine, thereby locking down the virtual machines (VMs) or guest operating systems (OSes) running on top of it.
With sHype, said Kevin Leahy, IBM director of virtualization, administrators can set a policy for a machine once and be certain that it will extend to all the other resources running on that machine.
"sHype presents the notion of putting a wrapper around the hypervisor and establishing mandatory access controls that can't be bypassed," Leahy said.
Today, applications running in a virtual machine on an x86-based virtualization host must be secured individually, using traditional security mechanisms such as firewalls – a tedious and error-prone process. With a technology such as sHype, securing all the machines on a physical host is as simple as securing the underlying hypervisor.
The policies set for the hypervisor establish "what is or isn't trusted, and who does or doesn't have access to a resource," Leahy said.
Scott Crawford, senior analyst at Enterprise Management Associates in Boulder, Colo., provided this analogy:
"Let's say you travel a lot. This is like making it possible to use the same key you use to open your house to open your hotel room," he said.
Technologically, sHype
Requires Free Membership to View
is interesting, said Crawford, because it solves a difficult problem – extending the hardware-centric concept of a trusted computing platform into the hardware-agnostic realm of virtualization.
For now, sHype is available on for the Xen virtualization platform. But since IBM has open-sourced elements of sHype, it is conceivable that other hypervisors like VMware ESX and the forthcoming Microsoft Viridian hypervisor could also implement sHype-style security.
"That's certainly our hope," said Leahy, although, thus far, "we have no commitments on the part of those folks."
Let us know what you think about the story; e-mail: Alex Barrett, News Director
Join the conversationComment
Share
Comments
Results
Contribute to the conversation