The complexity, frequency, and malicious intent of security attacks from many sources are increasing in today's enterprise. Likewise, IT administrators are seeing a marked increase in published vulnerabilities in the operating systems (OS) and applications. Successful attacks cost significant time and money to remediate.
Currently, the average period between the announcement of vulnerability and the introduction of an exploit for that vulnerability is about six days, and that time may continue to decrease. The threat landscape has reached a point at which exploits can arrive on almost the same day a vulnerability is uncovered - "zero-day" attacks. These attacks place a significant burden on IT to deploy patches as soon as possible, even before patches have been fully tested. Because an exploit can now arrive before a patch is deployed to guard against it, the desktop PC is increasingly vulnerable when only traditional protections are installed on the machine.
To make the situation even more challenging, such protective solutions can themselves be threatened by running security applications in an OS that has been compromised with a successful infection. An infected desktop OS can impair the performance - or even the availability - of the security solution running in the user's OS environment.
With the security threat landscape in an enterprise changing on a daily basis, IT requires more innovative ways to protect desktop endpoints. Evolutionary security enhancements have just managed to keep pace with threats, but it is clear that more revolutionary security models will be needed to protect the desktop in the future.
Virtualization may very well hold the key. Thanks to virtualization capabilities being built into a new generation of system hardware, IT managers can expect to see robust security solutions that are cost-effective and that give them appropriate levels of control.
While virtualization has been a part of the IT landscape for decades, only in the past year have its benefits appeared on industry-standard x86-based platforms, which now form the majority of desktop, laptop and server shipments.
The traditional use of virtualization in mainframe systems has been to simplify the provisioning and management of the physical resources of large server systems. In the early days, the cost of entry to virtualized infrastructure was extreme and the applications were relatively limited. But the advent of affordable, robust virtualization on the x86 platform has meant that virtual machine technology is accessible to a broad audience for the first time, which coincides with inexpensive high-performance and high-reliability hardware. The computing industry is witnessing a remarkable proliferation of new uses for virtualization, and a reinterpretation of old usages that extends well beyond the traditional mainframe.
Virtualization changes how IT thinks about resources. With virtualization, IT is no longer limited to only running one OS on a single, underutilized server or workstation. Now, IT can consolidate multiple platforms running different OSs and heterogeneous applications, onto one powerful, reliable platform.
The promise of virtualization is that it provides a layer of abstraction between computing, storage and networking hardware and the applications running on it. With virtualization, users see resources as if they were dedicated to them, while administrators can manage and optimize resources from the desktop to the data center.
Virtualization can enable CIOs and IT managers to effectively address a number of critical business challenges, including cost-effective utilization of IT infrastructure, responsiveness in supporting new business initiatives and flexibility in adapting to organizational changes. Virtualization is also a welcome technological innovation in today's climate of IT budget constraints and stringent compliance requirements.
This new era of virtualization also means that IT will have a level of security control beyond what was widely available previously.
Virtualization in action
In today's threat landscape, virus scanning alone in the user OS is insufficient protection to protect desktop endpoints. In fact, many threats, collectively called "modular malicious code," disable virus-scanning and other security applications as the first step in an attack.
Traditionally, hardware security has maintained the front line of defense backed up by client security. But imagine the potential of being able to take a dedicated security device and embedding it into the PC itself. Virtualization can make this scenario a reality.
Today, virtualization can allow for isolated execution environments in PCs that enable IT professionals to manage security threats outside the end-user's main OS environment. Embedded within new virtualization technologies in this isolated environment, security solutions like firewalls, intrusion prevention, and antivirus, will be much more resistant to tampering and "always on," monitoring and protecting the desktop.
Isolated from the user OS, virtual security solutions can also monitor the boot-up and shut-down sequences of the user OS to help protect interference from threats that target those processes when other security programs are not running.
The virtual security solution is not only independent of the health, or "state" of the user OS, it is isolated even from differences in versions of the user OS. For example, even when the user OS is updated, the virtual security solution is independent of those updates and may not need to be modified. This provides IT with a stable space from which to operate and administer security processes.
Virtues of virtual security
One of the primary challenges that will be addressed by this revolutionary approach to security is the amount of control end users have over their computing environment. Currently, end users have the ability to modify that environment by, for example, disabling security solutions and installing new programs (both authorized and unauthorized). All this creates additional threats for security administrators to worry about. Isolating the computer's protection in a virtual environment outside the main OS would virtually eliminate the typical end user's ability to interfere with security settings and increase the security administrator's control.
Deploying security in a separate virtual partition also acknowledges the realities of the emerging threats on the landscape. Increasingly, this landscape contains threats aimed at disabling security technology, and such threats are becoming more stealthy and difficult to detect. By having endpoint security - such as network access control, intrusion prevention and other advanced client protection solutions - in a separate partition, the security functionality is isolated from the OS and any possible conflicts within the OS environment. In the event that malware is successful in infecting a desktop environment, the virtual security solution would contain the threat on that particular desktop, preventing spread of the infection.
Virtualization can also improve IT's management capabilities, especially in the areas of remote management, provisioning, problem resolution, asset management and off-hours maintenance. Because a virtualization solution works even if the user OS or hard drive is compromised or down, IT can troubleshoot remotely, provide fixes for software problems, and determine any hardware needs before sending a repair technician. Such a virtualized management environment also provides more accurate information for compliance and day-to-day IT management reporting.
The use of the latest virtualization technology will offer a major step forward in enterprise security. This innovative approach creates a new layer of security that will be more effective in protecting critical information and applications. Virtualization will also help enterprises to lower IT costs through increased flexibility and responsiveness. Managing a virtual infrastructure enables IT to connect resources to business needs quickly and consistently.
-Leo Cohen is vice president and fellow at Symantec. Steve Grobman is strategic planning director and principal engineer at Intel Corporation.