Partnerships are Key in Virtualization Security

Security and virtualization vendors said helping hands can make for more secure virtual environments. 

While the world waits for the first major hypervisor exploit, vendors are doing their best to build technological defenses for virtual environments. However, developing that technology may lie with the ability and willingness of vendors to work together, officials at numerous companies said.

In February, VMware announced its VMsafe initiative, the first of what company officials said would be a number of security plays in the coming months. Twenty security companies agreed to use the virtualization vendor's APIs to build a new class of open, interoperable and cross-platform innovations for virtual machines.

The VMsafe APIs integrate into the VMware hypervisor and provide transparency into the memory, CPU, disk and I/O systems of the virtual machine, giving security companies a leg up in preventing attacks.

Among the companies involved in the initiative is Apani, which provides cross-platform server isolation products for enterprise organizations.

"I think they are critical, in the same way that five years ago, if you wanted to put on an application, you really had to work closely with Microsoft ... because they have the platform," said Ryan Malone, vice president of marketing at Apani. "I think that with any of the virtualization providers, you want to work closely with them to make sure that you can take advantage of the special tricks that they offer to their customers."

Officials at VMware-rival Citrix Systems said they agreed that partnerships between security vendors and virtualization tool providers are the way to go-as long as everyone is on the same page. The objective is to work together with security vendors and allow them to do their jobs across all virtualization platforms, said Simon Crosby, chief technology officer of the Virtualization and Management Division at Citrix.

"I would like VMware to invite [Citrix] and Microsoft to that forum ... so that there's a common set of APIs [that security vendors] can use to inspect against traffic, inspect against memory and evoke security policy," Crosby said. "I think that's an important thing to do. I don't see any point in trying to force vendors to retool for a different hypervisor."

The interest in virtualization has caught the eye of a number of security-focused companies, from familiar names such as Cenzic and EMC's RSA security division to startups such as Altor Networks, which publicly launched March 17 and released its Virtual Network Security Analyzer.

Still, analysts at Gartner warned last year that companies are overlooking security issues in a rush to adopt virtualization for server consolidation efforts, and technologies for addressing some of the security issues with virtualization are immature or nonexistent. As a result, analysts predicted 60 percent of production VMs will be less secure than their physical counterparts through 2009.

Some security pros caution that organizations move carefully when deploying virtualized environments, and warn that virtualization increases complexity and the attack surface. But complexity is an unavoidable fact of life in IT, said Charles King, an analyst with Pund-IT.

"Virtualization can help businesses reduce certain kinds of complexity-say through server [or] datacenter consolidation-but by their natures, new technologies introduce certain kinds of new complexity," King said. "The most important thing for organizations to do regarding virtualization is to do their homework, understand the changes they're considering, and proceed with their eyes wide open."