Hypervisor as virtualization's enforcer?
Some experts advocate putting more security features into the hypervisor layer, but others say that would be a disaster waiting to happen.
Computerworld - Citing performance and security benefits, virtualization vendors are shoving more add-on software into the hypervisor layer. VMware Inc., Citrix Systems Inc. and Microsoft Corp. all allow for third-party software execution at this layer of their virtualization technologies, says Neil MacDonald, an analyst at Gartner Inc.
[See related story, The scary side of virtualization.]
Is that a good thing? Yes -- and no -- say users and experts.
Early virtual machine management software resided on top of a host operating system. That went away with the development of the hypervisor -- a thin layer of software that runs directly on the hardware. A hypervisor has two advantages: It's not affected by vulnerabilities in an underlying operating system that hosts it, and it's small -- less than 100MB for VMware ESXi -- and therefore provides a very small target for attacks. "When you have that small of a footprint, the opportunities for exploits and errors go down dramatically," says KC Condit, senior director of information security at Rent-a-Center Inc.
But that's changing. Companies like Trend Micro Inc. are beginning to offer software designed to be inserted at this layer. Doing so can improve security and give a performance boost. "The simplicity of deploying security in an agentless manner is very appealing and easier to manage," says Bill McGee, senior director of data center security product development at Trend Micro. But as more third-party software vendors insert code into the hypervisor layer, for security and other functions, the layer could get more crowded, with more updates required and a bigger attack surface.
Eric Baize, senior director for the RSA Security Practice at RSA, the security division of EMC Corp., says pushing security down to the virtualization layer is ultimately a good thing. "The more it's built in, the easier it is to deploy and manage," he contends. Eventually, he predicts, security will be rolled into the core virtual infrastructure and third-party add-ons will no longer be needed.
But others worry that the current trend may set the stage for a new set of risks.
Kris Lovejoy, vice president at IBM Security Solutions, IBM's security consultancy, doesn't think additional complexity in the hypervisor is necessarily a good idea. Most IT organizations already struggle with patch management, configuration management and change management at the operating system level. The problem could be "way worse" at the hypervisor layer, he says.
Venu Aravamudan, senior director of product marketing for VMware's server business unit, says third-party vendors that plan to include software in VMware's hypervisor layer through its VMsafe program must meet a "rigorous" certification process. So far, certified products include antivirus, intrusion-protection, anti-rootkit, firewall and network-monitoring tools. "The third-party solutions will add up over time, but customers can be assured that it will be a controlled program," he says.
But analysts remain wary about creating opportunities for vulnerabilities in the hypervisor layer. "My gut says that unless you're really diligent in managing all of that stuff, it's going to create a [security] hole. I'm bearish on the concept," says John Kindervag, an analyst at Forrester Research Inc.
Aravamudan points out that only a part of the code goes into the hypervisor. "In general, this footprint is not large," he says. The rest sits in a secure virtual machine and uses a "minimal" amount of kernel capability. "We clearly will ensure that the hypervisor doesn't double in size because you're adding all of those components," he says.
Nonetheless, MacDonald says he's still wary of advising Gartner's clients to add a lot of third-party code into the hypervisor layer. "The best advice is to keep it thin and hardened from a security perspective," he says. "Putting additional code into the hypervisor increases the attack surface."
Robert L. Mitchell writes technology-focused features for Computerworld. You can follow Rob on Twitter at twitter.com/rmitch or subscribe to his RSS feed. His e-mail address is email@example.com.