The recent billion-dollar bailouts place financial institutions under greater scrutiny than ever, which can mean...
additional stress for IT shops. These departments are charged with managing an infrastructure comprising physical and virtual machines (VMs) and, more recently, internal and external clouds. The ease of deploying, copying and moving virtual machines within an infrastructure can cause administrators unknowingly to leak sensitive information and compromise government enforced compliance regulations, resulting in otherwise-avoidable fines.
VMware's plans to release vShield Zones later this year gave further credence to this pressing issue: how to successfully secure increasingly migrant virtual machines.
Virtualization security is currently composed of three areas: configuration management, network security and virtualization host hardening, according to Edward Haletky, the owner of Wrentham, Mass.-based AstroArch Consulting Inc.
"If you have all three of those, or even one of those, you're a step above everybody else," Haletky said. "At the very least, a business should follow hardening guidelines and have virtualization-aware network security in place. But that's not complete virtualization security, and it's not sufficient from my perspective. If you're going to secure a virtual machine, you need to secure anything that directly or indirectly touches a virtualization host," he emphasized.
Traditional auditing techniques don't encompass virtualization
One Florida-based bank that wishes to remain anonymous tried to achieve and maintain financial security compliance by using multiple third-party auditors every six months at a cost of about $20,000 per year, according to Ray Guzman of Gits Group, a Miami.-based IT services business that specializes in security, risk management, compliance and strategic planning. Each auditor analyzed a separate part of the bank's infrastructure. But none of the auditors could monitor or audit a virtual environment, said Guzman, and the bank uses VMware to virtualize the majority of its 30 on-site servers.
Since Guzman knew the bank sought a product that could keep its virtual machines and overall architecture secure and compliant with various regulations, he pointed the bank to the Scotts Valley, Calif.-based Security as a Service company Catbird. "Catbird allows for continuous monitoring of both the physical and virtual architecture," said Guzman. "The most obvious benefit is that you don't have to wait six months to answer a particular question about a problem, which is very important with a virtual environment."
Guzman recommended Catbird because it is the only company with which he's familiar that offers security for a physical and a virtual infrastructure and in the price range of Catbird's offering. Other vendors, he said, wanted more money for less functionality.VMShield 2.0
Catbird recently released VMShield 2.0, which adds three components to its V-Security virtualization security product suite. VMShield 2.0 can now track virtual machines, virtual machine states, and virtual machine data as virtual machines move among clouds, clusters and different host machines.
VMShield's three new components are V-Tracker, Virtual Infrastructure Security Engine (VISE) and TrustZones.V-Tracker tracks the virtual machine's location within a cluster while it's moved from host to host and when it moves into and out of an internal or external cloud. It also tracks the virtual machine's state changes and the virtual machine's data.
When an administrator uses VMotion to move a VM from one host to another, a virtual machine keeps its IP, MAC address and VMware-assigned universally unique identifier, explained Catbird Chief Technology Officer Michael Burman, so it's relatively easy to track virtual machine changes that happen if a VM is moved via VMotion.
"What's harder is tracking the data on the machine if the VM is cloned or copied at the file system layer. When that happens, any of those parameters could be altered maliciously, especially if your VM is moving across clouds or different platforms," Burman said, which is what V-Tracker monitors and prevents.
VISE ensures that a VM does only what it's allowed to do in terms of network communication by matching a VM with a preset security policy, according to Burman. VISE tracks thousands of network events, watches for port openings, offers intrusion detection and monitors for suspicious activity. It then correlates the network activity with any virtual machine state changes to detect malicious or unwanted activity.
TrustZones aligns physical network segmentation policies with activity on the virtual network, keeping demilitarized zone (DMZ) virtual machines within a DMZ by preventing admins from copying or moving a VM to a host outside a DMZ. An administrator needs to track not only VMs but also the data classification attributes of VMs. It's these kinds of parameters that TrustZones and VMShield 2.0 monitor and prevent, explained Burman.
Since it purchased V-Security, the Florida bank has begun remediating several vulnerabilities tracked and listed by databases such as the United States Computer Emergency Readiness Team (CERT) identified by V-Security, said Guzman. None of these vulnerabilities were mentioned by the bank's previous collection of third-party auditors.Securing VMs in an external cloud
Recently, drug company Eli Lilly and Co. had the misfortune to discover that there is no way to certify that data has been permanently removed from a cloud; and it's clear that security concerns still hamper cloud computing adoption. Catbird now touts V-Security as being able to secure VMs placed in a cloud – public or private – due to the updates that come with VShield 2.0. It does not have any customers it can name publically that are doing this yet.
Canadian security vendor Third Brigade Inc. also offers a cloud computing security product for virtual machines, VM Protection. VM Protection can be deployed in a public or private cloud, integrates with VMware vCenter, and will detect, but not block, intrusions on up to 100 virtual machines under the free license (blocking intrusion attempts requires a full license).
But securing VMs in an internal cloud versus securing VMs in an external cloud such as Amazon Elastic Compute Cloud (EC2) are two separate ball games, Haletky said.
"It's one thing if you own the cloud," he said. "The problem with security in an external cloud like Amazon EC2 is that you don't own the stack, so there's no way you can completely secure it. You are dependent upon their security measures, which you may not know."
Bill McGee, the vice president of products and technology for Third Brigade, dissented – somewhat.
"We would acknowledge that there are still dependencies that you have on Amazon EC2 or GoGrid in terms of "good security hygiene" with respect to their environment," McGee said. "Our technology can't be used to direct where that VM might be stored or how it's stored. But once a VM is live, we do have the ability to install our agent, and you do have control in the OS stack on that VM in order to apply our technology [within the cloud]."
Still, Third Brigade's technology can't protect a VM if it's placed on a cloud such as Google App Engine or Microsoft Azure where the framework disallows OS-level software installation, McGee said.
VM security moves into the mainstream
While the jury's still out on the functionality vShield Zones will offer at product launch, which is slated for 2009, the press release indicates that the offering from VMware's Blue Lane Technologies acquisition will increase visibility and control over what happens to virtual machines as they pass from host to host. But the virtualization leader's foray into virtualization security suggests that VM security technologies have entered the market for good.
Burman's virtual machine data leak examples also suggest that virtual machine security has become a bigger reality.
"We've worked with a few companies that have had significant data breaches involving virtual machines, including ATM numbers with PIN numbers and credit card transactions," Burman said. He declined to name the companies in question.
When it comes to selecting a virtualization security solution, however, there's no obvious answer. A good process is required regardless of the chosen tool. One part of the process is change management, which involves using configuration management tools such as Tripwire Enterprise and Configuresoft's Enterprise Configuration Manager to set checks and balances up front. The other part is mitigating attacks and errors with solutions like Catbird V-Security and Reflex Systems' Virtualization Management Center to catch and prevent errors as they occur, explained Haletky. "The question often is: where do you want to spend money on security?"
Catbird's security suite sells for $3,250 per physical host with unlimited agents and an additional 20% for maintenance and support per year with no charge for the central console if hosted by Catbird, or $20,000 if a company desires to have the central console on-site. Catbird offers Compliance Enforcer for free, and has a starter package that includes an on-site console, five servers and unlimited agents for under $10,000.VM Protection is part of Third Brigade's Deep Security 6 product. List price for Deep Security Manager is $25,000. Deep Security 6 Agents begin at $100 per VM instance, cloud computing instance or physical server for partial functionality or $880 for all Deep Security 6 modules, reduced to $500 per server for 500 servers or more, although $3,000 will buy full protection for an unlimited number of VMs per server.
Hannah Drake is the associate editor for SearchVMware.com. Write to her at firstname.lastname@example.org.