Cloud Security Viewed as Vital, but Effective Solutions Lacking
The problem with this idea is that there's currently no security layer of that kind in anybody's hypervisor, whether it comes from VMware, Microsoft or anyone else. While Casado's discussion suggests that VMware may be working on something, that's an assumption that may or may not hold water. The larger problem is that cloud security needs to be dealt with now. Malware is everywhere, it gets worse daily, and the people who create it are getting better at finding ways to insert it into machines, virtual or otherwise. As good an idea as Casado's hypervisor security layer might be, it needs to be turned into a reliable product right now.
Unfortunately, network vendors don't seem to have products that apply this concept. Ask the switch vendors what to do about malware passing through the network, and you get pointed to appliances, add-on switch software or some other partial solution. One network vendor (I can't say which one because it's under embargo) was excited about a piece of switch software that would look for unsafe URLs, but that's it. It wouldn't do a thing to defend against someone's malware-tainted laptop that got connected to the network after it was infected.
The sad truth is that most of the cloud security systems out there are echoes of yesterday, when malware came in the form of an easily detected virus and the biggest risk was a disgruntled employee. Of course, those risks still exist, but in the real world the risk goes far beyond that.
Fortunately, some companies are at least working on solutions that resemble what Casado had in mind. Wedge Networks, for example, has introduced a hypervisor-based software solution called NFV-S (network function virtualization–security) that does very much what Casado described: it provides a security layer outside the virtualized servers. While I can't talk about the details of some new products Wedge will be announcing in the future (because they wouldn't tell me all their secrets for some reason), they are marketing their hypervisor-based solution to cloud providers.
Wedge says that it is the first company to provide such a hypervisor-based solution. While this may be the case for now, it seems likely that virtualization providers will build such a security approach into their own products. Microsoft, for example, could decide that an integrated, standards-based security layer would give Hyper-V a competitive edge over arch-rival VMware. One can only hope that security becomes a competitive issue in the world of virtualized systems.
If we have learned nothing else from decades of operating system development, it is that security as an afterthought doesn't work. A system needs to be secure from the ground up, and perhaps competition is the best way to deliver that.