VMware is pushing its vision of virtualization security, which it says will help enterprises overcome their concerns...
about cloud computing.
The Palo Alto, Calif.-based VMware Inc. presented these ideas to the New England Area VMware User Group (NEVMUG) meeting last week. But while attendees said they’re open to the concept of virtualization security, today’s virtual environments face pragmatic hurdles before they can approach the future that VMware promotes.
VMware vShield makes workloads portable
VMware’s vision calls for self-securing, portable apps and is expected to play out over the next few years with the vShield series of virtual security products, said Allwyn Sequeira, vice president of security and networking at VMware.
Currently there are three vShield offerings: The first, vShield Edge, is a virtual firewall with routing capabilities, which can place a software-based “wrapper” around a pool of data center resources. VMware calls this pool a virtual data center. Second, vShield App offers cross-host isolation and container-based rules that place a similar “wrapper” around multi-tiered applications. Third, vShield Endpoint offloads operations such as antivirus scanning from an ESX host to a proxy appliance. All these offerings are based on VMware’s extensions to the Open Virtualization Format (OVF) standard, and can also be modified using RESTful application programming interfaces.
According to Sequeira, VMware intends to use vShield to circumvent the data security concerns that currently form enterprises’ biggest objection to cloud computing. “A whole bunch of networking and security gear needs to be virtualized [along with servers] for [enterprises] to move to the cloud,” he said. “The cloud turns the infrastructure on its head. Instead of putting applications into a secure infrastructure, [we’re saying], ‘Encapsulate security with the application, and move it around anywhere.’”
VMware customers have already deployed applications with vShield security encapsulation, Sequeira said, for example, a “major defense contractor” that currently uses vShield Edge to make workloads portable between two buildings on the same campus. But Sequeira declined to cite specific names or numbers of customers.
Virtualization security easier said than done
Attendees at the NEVMUG said they would investigate vShield products and the concepts discussed by Sequeira, but cited various concerns that, for enterprise-level shops, put virtualized security at least a few years into the future.
Nasim Islam, the IT director at Wilton, Conn.–based insurance company Lamorte Burns & Co. Inc., said licensing costs are a big concern for him when it comes to the vShield products, which are subject to the new per-virtual machine licensing scheme VMware announced alongside vSphere 4.1.
As with some users who kicked the tires on vShield Edge at last year’s VMworld, Islam said he was also concerned about putting too many IT eggs in one VMware-controlled basket. “Putting security devices into software appliances comes with exposure to higher risk than [does] separating physical servers with an ‘air gap,’” he said.
Payment Card Industry Data Security Standards (PCI DSS) are also a concern for Islam’s company. The PCI standards council only recently officially blessed server virtualization itself, and uncertainty remains around more advanced technologies like vShield. “Who’s going to audit this?” Islam wondered. “You can’t just deploy it and assume it’s alright.”
Finally, when it comes to the goal of workload portability between data centers, Islam said he’d like to see more product development around preserving chain of custody for portable workloads, in addition to the intrusion prevention and network segmentation offered with vShield.
Calling trusted vendors
According to one CIO at a government agency who attended the user group meeting, security-encapsulated apps sound promising, but he said he’s also waiting for his security vendors to enter the space before trying out products. “I don’t want to get people trained [on one product] and then have a bigger vendor we already work with come out with an offering,” he said.
Robert Quast, a solutions architect at a systems integrator on the East Coast, also sees his clients waiting for the best-known products from vendors such as Cisco Systems, Symantec and McAfee to be offered virtually. Support for vShield Zones within Cisco’s Nexus 1000V switch, for example, or for vShield Endpoint within Symantec’s antivirus products, Quast said, would give users more confidence in testing vShield. “[Brand] name[s] get people’s attention,” Quast said. “It’s also a matter of practicality. People are waiting for their existing vendors to catch up with VMware across the product base.”
Sequeira said that VMware is working with Symantec and McAfee on virtualized security appliances, and said offerings from those companies, expected to be similar to the vShield Endpoint integration already available from Trend Micro, should be ready by the end of this year.
Nevertheless, VMware’s Sequeira acknowledged it will take users several years to get their arms around virtualization security, as they work through technology, process and cultural issues surrounding virtualization and cloud computing. “There are still lots of warts and lots of issues, but we’re trying to ensure people are given advice about the baby steps to get there,” he said.
Beth Pariseau is a senior news writer for SearchServerVirtualization.com. Write to her at firstname.lastname@example.org.