No one will pay for the security on a hypervisor

How much money would you pay for the security on hypervisors? Let’s ask another question. How much did your hypervisor cost?

So many great hypervisors are free, and some of them are even open source projects. For instance, the kernel-based virtual machine (KVM) is free and open source, Oracle’s VirtualBox is free and even the ESX hypervisor is free.

When you could build your virtual infrastructure for free, why would you pay for the security solution on it? It is always good to get free stuff, isn’t it?

It’s no surprise that it is easy to build a security solution ourselves. Using network security as an example, you could use Snort with some routing changes to implement an intrusion prevention system (IPS) to protect your virtual machines. Moreover, software defined networking (SDN) provides more flexibility in your network topology. We could even route the inter-VM traffic to a physical IPS and then route it back. Therefore, security solutions must come with the infrastructure as a service (IaaS) solution; it will be extremely hard to sell them alone, especially when customers could build them for free.

So why do people still buy IaaS solutions when they could build them themselves? There are two main reasons. The first one is the maintenance effort, and the second is the efficiency. An IaaS solution usually comes with a good management interface, and it could also easily integrate with other services in your environment, not to mention the automation magic that IaaS provides. You could provision 100 VMs in the morning and take them back at night with a single click.

To build your own IaaS solution, how much time do you want to spend on it? How long are the stakeholders willing to wait? When talking about efficiency, we don’t want to reinvent the wheel. Thus, it is time to purchase an existing IaaS solution and then start standing on the shoulders of giants.

A comprehensive security solution should be able to integrate into other IaaS solutions and not just stand alone. It should have at least two characteristics to make itself IaaS-ready:

1. The interface for retrieving information from VMs

The information we could retrieve from VMs includes vulnerability reports, security events, activity reports, network usage statistics and so on. Providing an interface for retrieving information from VMs lets other IaaS solutions integrate that data into their management interface, for example, showing security events on a centralized console. Customers want a unified console where they can see the overall analysis report, and it is unlikely they’ll install a second console just for seeing the security events.

2. The interface for policy management

This is about the unified management interface that we should provide to users. The administrators should use the original IaaS management console to manage the security policy for their VMs. Plus, there is information that could only be retrieved from the IaaS management interface, and we need it to design the correct policy. For instance, administrators would like to deploy different policies to different VM groups, and this grouping information is only known by the IaaS solution.

Integration with an IaaS solution is necessary because it not only makes security solutions more attractive but also extends their capabilities to a higher level.

What do you think about this idea for hypervisor security? Share your thoughts in the comments.
