Critical Infrastructure Security

Industry Innovators: Virtualization & cloud security

Our last product section really is the 800-pound gorilla in the room. The cloud and its core-enabling virtualization architecture needs a special kind of security. This section represents an interesting dichotomy itself. Every time we see a superior product or very creative organization in this space, it gets swallowed up by another company. Virtualization has become so critical to the evolution of the enterprise that anything that addresses it is important and desirable. That is especially true of security products.

Virtual systems are notoriously difficult to secure at the virtual machine (VM) level. The most successful efforts to do this have come out of virtual interpretations of traditional physical network security. Still, there are special challenges that virtual systems present. For example, there is a lot of data that is, really, infrastructure data passing over the virtual enterprise. That data must be protected, just like the traditional data we see in a physical enterprise.

If we take our virtualization to the cloud – and virtualization is the cloud's enabler – we run into some ugly challenges, some technical and some not. The technical challenges relate to the shared nature of the cloud. How do we protect our virtual environment, especially if we do not own or administer it?

On the not-so-technical side, if we do not own the environment how do we build contracts that allow us to control our own security? Most public cloud providers will not allow users to take certain kinds of security measures. So we're really back to protecting the data because we cannot do much for the infrastructure.

Our products in the cloud/virtualization section this year take these challenges head-on. Addressing the issue of virtualization and the security surrounding it is the province of one of our Innovators. The cloud is the jurisdiction of the other. We predict that these two companies won't be around in their current forms for long. They are likely to attract bigger fish and well they should. They are the proverbial right thing in the right place at the right time.

If you are in the market for cloud or virtualization action – and most of us are in one way or another – give these two a very close look. They have serious solutions for serious challenges.

Intigua

The usual way to manage a physical system is to place appropriate management agents on the device to be managed. Whatever the management function, there must be an agent in place to facilitate administration. Typically this has been ported to the virtual world as well. However, there are some challenges in the virtual that aren't as magnified in the physical world.

For example, there are likely to be more devices in a virtual environment than in a similar physical environment because it is easy and cheap to deploy them. While this results in server sprawl, it is, nonetheless, a reality of virtual environments. Another related issue is that it is common to have multi-tenant environments in the virtual environment and this results in more devices to manage.

The big problem, however, is the relationship between the management agents and the operating environment in the virtual. Management agents are tightly coupled to the operating environment and that can cause conflicts and performance degradation in the virtual since parts of the operating environment are shared. When VMs start to fail because of performance overhead or memory leaks caused by management agents, they must be restarted. During provisioning, it is common to need configuration changes to accommodate management agents.

This Innovator has solved these challenges by encapsulating management agents in a virtual sandbox allowing a single agent for a particular management tool to be used across all of the VMs that need to be managed. Since the virtual agents are hypervisor-aware, they can discover rogue VMs that do not have the proper agents.

Intigua addresses such common management tasks as change management, anti-malware, vulnerability testing and backups. A side benefit of this architecture is that access to VMs by administrators can be controlled. Prior to this approach, all administrators needed full administrator rights on all machines. With Intigua, they only need access to those agents that are required to manage access to the VMs themselves. This enforces the security principle of least privilege.

Intigua has a positive impact on performance, manageability and security in the virtual world, and that certainly is an innovative solution to a very real problem.

AT A GLANCE

Vendor: Intigua

Flagship product: Intigua

Cost: Starting at $75 per OS image (virtual or physical) per year for base product.

Innovation: Virtualization of the management layer.

Greatest strength: Deep understanding of the system administration process in virtual systems.


CloudPassage

Typically, data center administrators have applied security controls in the traditional manner. There are firewalls, authentication mechanisms, vulnerability assessment, logging, alerting and more. When the data center migrated to the cloud, it was tough to take these functions along for a lot of reasons.

First, virtual machines don't behave exactly like their physical counterparts under the covers. That means that such things as firewalling can be challenging. Managing access control can pose equally daunting challenges. As well, in a public cloud these problems are exacerbated by the legal issues surrounding multitenant environments.

Cloud Passage addresses these problems by placing the appropriate security in the cloud at the server and managing it centrally. Operationally, this matches the infrastructure-as-a-service model. While the deployment is different from a security deployment in the physical data center, the functionality is quite similar. Access management still is access management, file integrity monitoring still is file integrity monitoring and host-based firewalls run on the virtual machines, just as they would on physical servers.

However, with such features as GhostPorts, network access can be provisioned – and de-provisioned – across the virtual network. Coupled with account management and event logging and alerting, administrators get a comprehensive picture of who is doing what in the virtual environment. Because all of this takes place in the cloud, management is efficient and costs are kept to a minimum.

The Halo agent goes on each server and it has a very small – less than 100MB – footprint. Its memory footprint is even more efficient. It runs on Windows servers later than 2008 and on many flavors of Linux. Of course, in order to protect a server one must have control over it, so Halo is intended for private cloud deployments where the servers are not shared. Halo also improves the management efficiency in private data centers where the physical environment has migrated to the virtual.

Overall, the innovation here is the moving of security functionality to the cloud while addressing the unique challenges of cloud and virtual computing. Since Halo is delivered as SaaS, there is no special hardware required, and security administrators will feel right at home with the functionality.

AT A GLANCE

Vendor: CloudPassage

Flagship product: Halo Professional: 

Cost: Starts at $.10 per server-hour.

Innovation: Moved security from the physical to the virtual to protect cloud-based systems.

Greatest strength: Vision and understanding of the cloud computing paradigm and the unique security deployments needed.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.