Virtualization for Security Purposes

February 8, 2007 at 9:43 am | Posted in Technical | Leave a comment

Our industry’s model for data security has not changed in a long time. We peg down our perimeter, and keep a current backup of our data so that when our network is compromised, we can get things back on track as soon as possible. The problem with a perimeter-based defense, as scholars dating back to the Art of War will tell you, is that people engaged in perimeter defense tend to focus their attention outward, when their most vulnerable points are on the inside. We’re all aware that the software on our computers tends to have vulnerabilities, but there is often a large gap between discovery of a vulnerability and the hot-fix to handle it. Employees also tend to download the wrong software, click the wrong hyperlinks, and tape their passwords under their keyboards. All of these problems occur inside the perimeter, and our software solutions may or may not be equipped to detect these compromises with a routine scan operation.

Security industry leaders know that they need to make changes.  In yesterday’s interview, RSA president Art Coviello said, “As an industry of security vendors, we’ve been too self-righteous and smug–focused more on our challenges than on trying to perfect security. We’ve been motivated largely by threats, and we’ve been chasing after them while looking over our shoulders and muttering to everyone ‘We warned you’ like a bunch of latter-day Cassandras,” said Coviello, referring to the mythical Greek soothsayer whose prophecies were ignored. The solution, Coviello argued, is to worry less about individual threats and focus more on ensuring that the most important data is kept properly secure, perhaps through strong encryption. This requires data to be properly tagged and stored. Pattern-recognition systems could also be built into a company’s infrastructure, to detect and respond to suspicious behavior.  (Graeme Wearden, Cnet News.com 2/7/2007).

I really like the idea of detection systems focused inward to detect improper behavior. I think it’s the missing piece of our security puzzle.

Until the software companies present a behavior-based solution, I think our best bet for handling security is to be creative with our storage solutions in a way that protects our data. I believe server virtualization is our current best bet. Through virtualization, some of these futuristic security ideals can be used today:

  1. Virtualization can isolate programs in a way which limits an intruder’s capabilities. An example of this comes from VMware, which promoted the concept of Virtual Appliances, launching a Browser Appliance: an operating system in a virtual machine just for Internet-related tasks, like surfing, reading emails, chatting, or using P2P networks. Attacking software cannot interact with the underlying host operating system, and cannot gain access to the rest of the network.
  2. Recovery on a Virtualized system is very fast and reliable. Instead of saving files, backup solutions working at host level can copy the whole virtual machine, in some environments even if it is running, which appears as a unique file, which will take much less time to restore than re-installing the operating system and restoring data.

VMware is already working on a self-defending storage solution, in which an entire virtual layer will run security applications, which can access virtual machines and correct security problems without human intervention. This will be a breakthrough technology, and I can’t wait to try it out.In the meantime, IT folks are finding innovative ways to use virtualization for security, even at the workstation level! Baker Hill, a subsidiary of Experian, has been using VMware Ace to secure desktop and laptop PCs containing sensitive financial data. Check out this article for more details: http://www.networkworld.com/news/2006/010906-virtualization.html?page=1

Advertisements

TrackBack URI

Blog at WordPress.com.
Entries and comments feeds.

%d bloggers like this: