April 10, 2013 | Written by: Chenta Lee
How much money would you pay for the security on hypervisors? Let’s ask another question. How much did your hypervisor cost?
So many great hypervisors are free, and some of them are even open source projects. For instance, Kernel-based Virtual Machine (KVM) is free and open source, Oracle's VirtualBox is free, and even VMware's ESXi hypervisor is available in a free edition.
When you could build your virtual infrastructure for free, why would you pay for the security solution on it? It is always good to get free stuff, isn’t it?
It is also no surprise that it is easy to build a security solution ourselves. Using network security as an example, you could deploy Snort and change the routing so that your virtual machines' traffic passes through it, which gives you an intrusion prevention system (IPS) for those VMs (to actually block rather than just alert, Snort has to sit in the forwarding path in inline mode; fed from a mirror port it is only an IDS). Moreover, software-defined networking (SDN) provides more flexibility in your network topology: we could even route the inter-VM traffic out to a physical IPS and back again. Since customers can build all of this for free, a security solution will be extremely hard to sell on its own; it must come as part of the infrastructure-as-a-service (IaaS) solution.
So why do people still buy IaaS solutions when they could build them themselves? There are two main reasons: maintenance effort and efficiency. An IaaS solution usually comes with a good management interface, it integrates easily with the other services in your environment, and then there is the automation that IaaS provides: you could provision 100 VMs in the morning and tear them down at night with a single click.
To build your own IaaS solution, how much time would you have to spend, and how long are the stakeholders willing to wait? When efficiency matters, we don't want to reinvent the wheel. So it is time to purchase an existing IaaS solution and stand on the shoulders of giants.
A comprehensive security solution should be able to integrate with IaaS solutions rather than stand alone. It needs at least two characteristics to make itself IaaS-ready:
1. The interface for retrieving information from VMs
The information we could retrieve from VMs includes vulnerability reports, security events, activity reports, network usage statistics and so on. Providing an interface for retrieving this information lets IaaS solutions pull the data into their own management interface, for example to show security events on a centralized console. Customers want a unified console where they can see the overall analysis report, and they are unlikely to install a second console just to see the security events.
2. The interface for policy management
This is about the unified management interface that we should offer users: administrators should manage the security policy for their VMs from the original IaaS management console. Moreover, some information can only be retrieved from the IaaS management interface, and we need it to design the correct policy. For instance, administrators want to deploy different policies to different VM groups, and that grouping information is known only to the IaaS solution.
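To make the two characteristics concrete, here is an added example of what both interfaces can look like in code. It is not code from the original post or from any IBM product; every VM id, IP address, group name, policy name and Snort alert line in it is constructed for the illustration, and the two dicts IAAS_GROUPS and IAAS_VM_IPS stand in for whatever inventory a real IaaS management API would return. The policy side resolves a VM's policy from the IaaS grouping (including the cases where a VM is in no group or in two groups whose policies conflict), and the information side turns raw sensor alerts, keyed by IP, into records keyed by VM id and group, which is how the IaaS console thinks about them.

```python
"""Added example: IaaS-ready policy resolution and event retrieval (not the post's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# ---- Characteristic 2: policy management keyed on IaaS grouping ----------
# Group membership is known only to the IaaS layer; the security product
# consumes it instead of keeping its own inventory. Constructed sample data.
IAAS_GROUPS: Dict[str, List[str]] = {
    "web-tier": ["vm-101", "vm-102"],
    "db-tier": ["vm-201"],
    "pci": ["vm-102", "vm-201"],  # overlaps both tiers on purpose
}
IAAS_VM_IPS: Dict[str, str] = {"10.0.0.11": "vm-101", "10.0.0.12": "vm-102",
                               "10.0.1.21": "vm-201"}


@dataclass(frozen=True)
class Policy:
    name: str
    mode: str      # "alert" (detect only) or "block" (inline IPS)
    ruleset: str   # constructed identifier of the rule set to load
    priority: int  # higher wins when a VM sits in several groups


POLICIES: Dict[str, Policy] = {
    "web-tier": Policy("web-tier", "alert", "web-attacks", 10),
    "db-tier": Policy("db-tier", "block", "sql-attacks", 10),
    "pci": Policy("pci", "block", "pci-strict", 50),
}
DEFAULT_POLICY = Policy("default", "alert", "baseline", 0)


def groups_of(vm_id: str, groups: Dict[str, List[str]] = IAAS_GROUPS) -> List[str]:
    """Ask the (mocked) IaaS inventory which groups a VM belongs to."""
    return sorted(g for g, members in groups.items() if vm_id in members)


def resolve_policy(vm_id: str, groups=IAAS_GROUPS, policies=POLICIES) -> Policy:
    """Pick a VM's policy from its IaaS group membership.

    A VM in no known group gets DEFAULT_POLICY rather than no policy at all.
    A VM whose groups carry equal-priority policies is an error: silently
    choosing one could leave a sensitive host under the weaker policy.
    """
    candidates = sorted((policies[g] for g in groups_of(vm_id, groups) if g in policies),
                        key=lambda p: p.priority, reverse=True)
    if not candidates:
        return DEFAULT_POLICY
    if len(candidates) > 1 and candidates[0].priority == candidates[1].priority:
        raise ValueError(f"{vm_id}: {candidates[0].name} and {candidates[1].name} "
                         "have equal priority; fix the grouping")
    return candidates[0]


# ---- Characteristic 1: security data in the IaaS console's own terms -----
# Snort alert_fast-style lines, constructed for the example (not captured).
SAMPLE_ALERTS = [
    "04/10-09:15:01.120034  [**] [1:1000001:1] TEST web scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
    "198.51.100.7:40112 -> 10.0.0.12:443",
    "04/10-09:15:03.551200  [**] [1:1000002:1] TEST sql probe [**] "
    "[Priority: 1] {TCP} 10.0.0.12:52210 -> 10.0.1.21:3306",
    "04/10-09:15:04.000001  [**] [1:1000003:1] TEST icmp sweep [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 10.0.0.11",
    "garbage line the console must not choke on",
]

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")


def events_for_console(lines, vm_ips=IAAS_VM_IPS, groups=IAAS_GROUPS):
    """Re-key raw sensor alerts by VM id and group for the IaaS console.

    Unparseable lines are skipped; an alert whose destination is not a
    managed VM is tagged 'external' and falls under the default policy.
    """
    records = []
    for line in lines:
        m = FAST_ALERT_RE.match(line)
        if not m:
            continue
        vm_id = vm_ips.get(m["dst"], "external")
        records.append({"vm_id": vm_id, "groups": groups_of(vm_id, groups),
                        "policy": resolve_policy(vm_id, groups).name,
                        "sid": int(m["sid"]), "priority": int(m["prio"]),
                        "message": m["msg"], "src": m["src"]})
    return records


def events_per_vm(records) -> Dict[str, int]:
    """Aggregate for a per-VM security events widget on the unified console."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["vm_id"]] = counts.get(r["vm_id"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = events_for_console(SAMPLE_ALERTS)
    for rec in recs:
        print(rec)
    print(events_per_vm(recs))
```

The point of the split is that the security product never owns the inventory: `groups_of` and the IP-to-VM map are looked up, not stored, so when the IaaS layer moves vm-102 out of the pci group the policy and the console view both follow without a second console or a second source of truth. The equal-priority check is deliberate; with overlapping groups the safe behaviour is to refuse, not to guess.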
Integration with an IaaS solution is necessary: it not only makes security solutions more attractive but also extends their capabilities to a higher level.
What do you think about this idea for hypervisor security? Share your thoughts in the comments.