A virtual layer inside the hypervisor could solve cloud security. But the industry isn’t moving fast enough to impress Wayne Rash
When the only tool you have is a hammer, everything looks like a nail. That’s a tech industry cliché, but it’s certainly true in the security field.
Vendors presented what they claimed were innovative solutions at the NetEvents Cloud Innovation Summit in Saratoga, California, but all of them looked remarkably like the vendors’ existing security products. Appliance vendors suggested appliances, server vendors suggested server software, and so forth.
Some workable ideas
Fortunately, some new workable ideas also surfaced. One in particular is potentially standards-based and could actually work. Martin Casado, the inventor of OpenFlow, proposed an answer to cloud security that exists outside any individual server operating system.
Instead, it would reside in a separate layer, within, or perhaps virtually next to, the hypervisor. While Casado now works for VMware, he made it clear that such a security layer should exist in any hypervisor, not just VMware’s ESX products.
Casado, borrowing a concept from the Space Science Laboratory at the University of California, Berkeley and NASA, said that such a layer would effectively exist in the cloud’s “Goldilocks Zone.” He said that one problem with security systems that run as a guest process in a virtualised system is that once the operating system in that guest is fully locked down, you lose visibility of network resources. But when you gain visibility, you lose security, he noted.
The Goldilocks Zone would be a place where both visibility and security are possible: a location that is neither too exposed nor too inaccessible, but just right. Such a layer in the hypervisor would work because it sits outside any one virtualised server, yet can observe that server’s operations in detail.
As a spokesperson for VMware told me later, the first thing that malware invading a server tries to do is to block the operations of any anti-malware software. But since a process on a virtualised server has no way to reach the hypervisor, the security layer that’s working with the hypervisor can take action to prevent damage.
The problem with this idea is that there’s currently no such security layer in anybody’s hypervisor, whether it’s from VMware, Microsoft or anyone else. While Casado’s remarks suggest that VMware may be working on something, that’s an assumption that may or may not hold water.
… but we need help now
The problem is that cloud security is an issue that needs to be dealt with now. Malware is everywhere, it gets worse daily, and the people who create it keep finding better ways to get it onto machines, virtual or otherwise. As good an idea as Casado’s hypervisor security layer might be, it needs to be turned into a reliable product right now.
Unfortunately, network vendors don’t seem to have products that apply this concept. Ask the switch vendors what to do about malware passing through the network, and you get pointed to appliances, add-on switch software or some other partial solution. One network vendor (I can’t say which one because it’s under embargo) was excited about a piece of switch software that would look for unsafe URLs, but that’s it. It wouldn’t do a thing to defend against someone’s malware-tainted laptop that was connected to the network after it was infected.
The sad truth is that most of the cloud security systems out there are echoes of yesterday, when malware came in the form of an easily detected virus and the biggest risk was a disgruntled employee. Of course, those risks still exist, but in the real world the danger goes far beyond that.
Fortunately, some companies are at least working on solutions that resemble what Casado had in mind. Wedge Networks, for example, has introduced a hypervisor-based software solution called NFV-S (network function virtualization–security), which does very much what Casado described: it provides a security layer outside the virtualised servers. While I can’t talk about the details of some new products Wedge is announcing in the future (because they wouldn’t tell me all their secrets for some reason), they are marketing their hypervisor-based solution to cloud providers.
Wedge says it is the first company to provide such a hypervisor-based solution. While this may be the case for now, it seems likely that virtualisation providers will build such a security approach into their own products. Microsoft, for example, could decide that an integrated, standards-based security layer would give Hyper-V a competitive edge over arch-rival VMware.
One can only hope that security becomes a competitive issue in the world of virtualised systems. If we have learned nothing else from decades of operating system development, it is that security as an afterthought doesn’t work. A system needs to be secure from the ground up, and perhaps competition is the best way to deliver that.
Originally published on eWeek.