Given the number of VMware-related password management tools that have debuted over the past few weeks, it seems that security concerns have started to weigh heavily in large virtualization shops.
First, VMware announced a deal with Likewise Software to OEM its Likewise Identity Service Active Directory bridge software for upcoming versions of VMware ESX and ESXi. The move will enable individual VMware ESX and ESXi hosts to become full-fledged members of Active Directory domains, eliminating some of the hoops that administrators must jump through to manage authentication of their VMware hosts.
Then virtualization security vendors HyTrust and Reflex Systems announced root password-vaulting features for their respective HyTrust Appliance 2.0 and Reflex vTrust products. These features grant users temporary root access without divulging the root password itself. The service also audits and logs all actions taken on a system during the time that a temporary password has been granted, which aids regulatory compliance.
Password management choices
But the question of which password management scheme organizations should choose is still up in the air.
On the one hand, Active Directory (AD) is pervasive in enterprises, and extending it to manage VMware passwords will minimize an area where Microsoft Hyper-V has historically had an advantage over VMware, said Steve Jones, a managing consultant at the federal division of INX, a Houston-based integrator.
"Whereas Microsoft servers could make use of the plethora of management capabilities enabled by AD (e.g., Group Policy objects), VMware had to rely on their own homegrown tools. Not that these tools are bad; they are just different. This also means that standalone ESX servers can now fully participate in the AD authentication model -- and be treated as AD objects and managed as such," Jones wrote in an email.
But the Group Policy functionality in Active Directory is "pretty crude," not linked with vCenter, and "not something that people would deploy on a large scale," said Eric Chiu, HyTrust's president and CEO.
"Active Directory covers half the problem; it doesn't provide policy management, just authentication," Chiu said.
Israel Lawson, the director of IT for medical transcription firm MedQuist, looks forward to implementing the new Reflex vTrust password vaulting feature. In small firms with only a couple of administrators, keeping track of the root password manually is no big deal, but in big firms, literally hundreds of administrators might need access to root. That can become a management nightmare if and when one of those administrators leaves the company, he said.
Security is top of mind
The sudden interest in password vaulting by enterprise customers came as something of a surprise, admitted Mike Wronski, Reflex Systems' vice president of product management. In retrospect, it probably shouldn't have been, for two reasons: First, more and more shops now use ESXi, VMware's console-free hypervisor. Second, virtualization has become more pervasive, even for production, regulated applications.
"There are a bunch of companies that do password vaulting generically for Linux," Wronski said. Their offerings are often used within ESX's Red Hat-like service console. Examples include vendors such as Cyber-Ark Software and BeyondTrust. But none of them work with ESXi, Wronski added.
At a higher level, interest in password vaulting signals a maturation of virtualization in the enterprise. Large enterprises are virtualizing their systems in greater numbers, and they've begun to give more thought to management and security, even after the fact.
"The maturity curve is really starting to catch up," Wronski observed. "Virtualization is moving beyond consolidation, and now shops are actively managing this thing and they're finding these [security] problems."