The Goby and the Shrimp
What if virtualization makes security more effective and efficient?
What if virtualization actually reduces the cost of security?
The relationship between virtualization and security is indeed symbiotic. It reminds me of the endearing mutualism between the goby fish and the pistol shrimp.
Virtualization (of server, desktop, storage or network) improves resource utilization while offering unprecedented flexibility in deploying and managing IT infrastructure. Such flexibility and mobility of IT resources would not be acceptable without security controls that enable organizations to virtualize their infrastructure and yet retain control over their information assets. On the other hand, security applications, like other applications, benefit vastly from the scalability and control offered by virtualization technologies.
Given the state of the global economy, this symbiosis is more relevant than ever. Shrinking IT budgets, reduced workforces and the drive toward energy-efficient computing have compelled organizations to pursue virtualization more aggressively. Security technologies are enabling organizations to embrace virtualization with confidence. Security departments, on the other hand, are under greater pressure to deliver more cost-effective security in an increasingly regulated business environment. The virtualization layer provides an excellent opportunity to build security into the infrastructure cost-effectively (for example, by minimizing the need to integrate with multiple operating systems or to deploy hardware appliances on the network).
I have an example from the past and the present that I’d like to share. A decade ago, the emergence of virtual LANs and the 802.1Q tagging standard enabled complex corporate networks with hundreds of network devices to be virtualized and collapsed into a few massively scalable switches. Vendors snatched this opportunity to develop firewalls that doubled as layer-three switches or vice versa. As a result, IP security became integral to the network backplane, and near-wire-speed firewalling became the norm rather than the exception. The cost of security fell just as it became more effective.
Today, server virtualization is creating a similar opportunity. VMware’s VMsafe technology offers deep inspection of virtual machine CPU, memory, network and storage. Security vendors are taking advantage of this capability not only to secure VMware virtualization but also to virtualize their security applications and deeply embed them into the virtualization platform. As a result, monolithic security appliances are turning into virtual appliances and becoming one with the virtual infrastructure. An example of this is the proof-of-concept integration between RSA Data Loss Prevention (RSA DLP) and VMware vShield Zones that was announced at the RSA Conference 2009 this week. The concept is that RSA DLP would run as a virtual machine on VMware ESX servers and would work in concert with VMsafe technology to inspect virtual network data flow from VMware virtual machines. As a result, data loss would be detected and plugged closer to the source (at the server rather than a network choke point) and the need for deploying and maintaining dedicated network appliances for data loss prevention would be minimized.
Co-deployment of security applications with virtualization infrastructure provides mutual benefits and enables the delivery of a whole greater than its parts. As with all other things in IT, we should always separate hype from reality, but in this case the writing is on the wall and the evidence from the past and present is clear. Security and virtualization are meant for each other, much like the goby and the shrimp.


