Is Virtualization Hypervisor a 'Goldilocks Zone' for Security?


SAN FRANCISCO - Some parts of an enterprise infrastructure are too hot and some are too cold, while some are "just right" for security. VMware CTO of Networking Martin Casado dubs this "just right" area the "Goldilocks zone" and says the virtualization hypervisor is its central feature.

Current IT controls typically sit on the network periphery and are deployed in a way that is equivalent to putting an on/off switch for a residential alarm system outside of the house, Casado said. This ineffectual approach isn't working, he added.

"Security spend is actually outpacing IT spend overall," Casado told eSecurityPlanet. "The only thing that is outpacing that is security losses. It's clear that we're fighting a losing battle, and you can't buy your way out of this."

The goal of the Goldilocks zone is to put security controls at a point in the network where context and users are understood and policies can be enforced. In Casado's view that control point is the virtualization hypervisor itself. Not surprisingly Casado's employer, VMware, is a virtualization vendor -- though Casado stresed there is more to the story.

Why the Hypervisor?

Casado says the regular IP layer used by traditional network security devices with port level control does not offer full visibility into users and context. The only real horizontal layer that gives security everything it needs is the hypervisor.

"If you look at the hypervisor and why it's the Goldilocks zone, it can look into the memory of the operating system, so it delivers a lot of context," Casado said. "It is also address-level isolated, and it operates in a separate trust domain."

Another thing going for hypervisors, he said, is the simple fact that the majority of the world's IT workloads are now virtualized.

Casado has been researching the idea of using the hypervisor as a full robust security control point that is more than just a firewall.

"It is possible for us to install an agent in the guest virtual machine running on the hypervisor, for guest level visibility," he said. "This allows us from within the guest to get visibility into anything the operating system can see; we can pull out users and the type of data that is being accessed."

This visibility can then be passed down to the hypervisor to be used for security enforcement.

Improving on VMWare's Original Approach

The idea of using the hypervisor as a security control point isn't entirely new. Amazon's cloud today uses the hypervisor to provide multi-tenant isolation to its millions of customers, Casado noted. VMware also has had prior efforts that leverage the hypervisor as a security control, including the vShield technology for security zones.

"Before there was a focus on getting access to the kernel so that companies could implement traditional security controls like a firewall," Casado said. "What we didn't do is provide a comprehensive way of extracting information from the application and make that available for an enforcement point."

For now, Casado said the Goldilock zone is a research effort and VMware is not yet announcing any specific products or release timelines. Still, it marks a new direction for VMware.

"We want to start thinking about the hypervisor for both the context and the enablement of security," Casado said. "Vshield was more about just enforcing security at the hypervisor layer."

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.