Securing virtual machines in the cloud


As adoption of cloud increases, a number of new security challenges are introduced, such as:

  • Where is the infrastructure located?
  • Where is it stored?
  • Who backs it up?
  • Who has access?
  • How do auditors observe?

In today’s dynamic environment, new thinking is required: the infrastructure is more abstract and less well defined, everything needs a web interface, agents and heavy clients are not acceptable, and traditional defences no longer apply.

In addition to the challenges introduced by cloud, there are challenges introduced by the dynamism of virtualization in cloud:

  • Dynamic relocation of virtual machines (VMs): Hypervisors today move workloads according to the service level agreement (SLA), energy policy, resiliency policy, and a host of other reasons. IT administrators can no longer be sure where a workload resides in the data center.
  • Increased infrastructure layers to manage and protect: Depending on the cloud model in use, there are many additional infrastructure layers, such as gateways, firewalls, and access routers, that need to be managed and protected while still allowing authorized users the access they need to perform their tasks.
  • Multiple operating systems and applications per server: On virtualized commodity hardware, multiple workloads run concurrently on one physical server, with different operating systems or even the same operating system at different patch levels.
  • Elimination of physical boundaries between systems: As virtualization adoption increases, workloads are co-located sharing the same physical infrastructure.
  • Tracking software and configuration of VMs: As IT infrastructure becomes virtualized, it is increasingly complex to manage software configuration including patch levels, security patches, security audits, and others, not just for guest operating systems but also for other virtualized infrastructure such as virtual distributed switches.

The figure shows before and after virtualization.

Challenges with existing security products

Traditional security products encounter new challenges in the virtualized world:

  • Intrusiveness of existing solutions
    • Reconfiguration of virtual network: Some existing solutions might require reconfiguration of the virtual network to allow for packet sniffing and protocol examination.
    • Presence in the guest OS: For monitoring purposes, agents must be installed on the guest OS.
  • Visibility and control gaps
    • Virtual servers not connected to the physical network are invisible and unprotected.
    • Lack of automation and transparency.
    • Static security controls are too rigid: as VMs are moved around by the hypervisor, static controls need to be reapplied.
    • No ability to deal with workload mobility.
  • Resource overhead
    • Network traffic analysis in each guest OS is redundant, consuming more CPU cycles.

Virtual Server Protection for VMware is shown in the next figure.

Virtual Server Protection for VMware provides the following benefits:

  • Dynamic protection of every layer of infrastructure, mitigating the risks introduced by virtualization.
  • Meets regulatory and compliance requirements.
  • Increases ROI of virtual infrastructure because it is easy to deploy and maintain security.

Integrated security benefits of Virtual Server Protection for VMware are as follows:

  • Transparency
    • No reconfiguration of virtual network required
    • No presence in guest OS
  • Security consolidation
    • Only one Security Virtual Machine (SVM) required per physical server
    • 1:many protection ratio
  • Automation
    • Privileged presence gives SVM holistic view of the virtual network
    • Protection applied automatically as each new VM comes online
  • Efficiency
    • Eliminates redundant processing tasks
  • Protection for any guest OS

An example of Virtual Server Protection for VMware architecture is shown in the next figure:

In the figure example, three ESX clusters are in three separate network zones (WEB, Transact, and Black), separated physically. Virtual Server Protection for VMware is deployed on each ESX host in the cluster (HS22V blades in this example) and monitors all VMs as they are brought online. All policy event data is forwarded by the SVM to the SiteProtector appliance.
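As an added illustration (not part of the original post or the product itself), the following Python sketch checks the coverage invariant the per-host SVM model relies on: every ESX host carrying VMs actually has its SVM, and hypervisor relocations that cross zones are noticed rather than silently leaving a VM under a policy written for another zone. Host names, zones and VM placements are constructed sample data.

```python
"""Coverage check for a per-host Security Virtual Machine (SVM) deployment.
Flags VMs whose current ESX host has no SVM and VMs relocated across zones."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    zone: str       # network zone of the ESX host (WEB, Transact, Black)
    has_svm: bool   # is a Security Virtual Machine deployed on this host?


@dataclass(frozen=True)
class VM:
    name: str
    host: str            # host the VM runs on now (after any relocation)
    deployed_host: str   # host the VM was originally placed on


# Constructed sample inventory (hypothetical names, not from the post).
HOSTS = {h.name: h for h in [
    Host("web-hs22v-01", "WEB", True),
    Host("web-hs22v-02", "WEB", False),      # SVM missing on this blade
    Host("txn-hs22v-01", "Transact", True),
    Host("blk-hs22v-01", "Black", True),
]}
VMS = [
    VM("www-1", "web-hs22v-01", "web-hs22v-01"),
    VM("www-2", "web-hs22v-02", "web-hs22v-01"),   # moved to an uncovered host
    VM("app-1", "txn-hs22v-01", "txn-hs22v-01"),
    VM("db-1", "blk-hs22v-01", "txn-hs22v-01"),    # moved across zones
]


def unprotected_vms(vms, hosts):
    """VMs on a host without an SVM: the 1:many model only protects the VMs
    on a host if that host really carries its SVM."""
    return sorted(vm.name for vm in vms if not hosts[vm.host].has_svm)


def zone_crossings(vms, hosts):
    """VMs whose relocation landed them in a different network zone, where a
    policy written for the original zone needs to be re-evaluated."""
    return sorted(vm.name for vm in vms
                  if hosts[vm.host].zone != hosts[vm.deployed_host].zone)


def coverage_report(vms, hosts):
    """Summary a NOC dashboard or audit job could consume."""
    missing = unprotected_vms(vms, hosts)
    return {"covered": len(vms) - len(missing), "unprotected": missing,
            "zone_crossings": zone_crossings(vms, hosts)}


if __name__ == "__main__":
    print(coverage_report(VMS, HOSTS))
```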
