VMsafe is essentially a set of APIs at the hypervisor/virtual machine monitor (VMM) level that VMware has opened up to developers (primarily of security tools). Since the virtual machine monitor arbitrates all access between the guest OSs that run on top of it and the shared hardware underneath (memory, CPU, disk and network), security vendors can tap into this unique visibility to provide new and improved types of security capabilities.
This concept of VMM-level visibility (“introspection”) holds the potential to radically transform security in virtualized environments and I have discussed this in detail in conference presentations and in published research. However, there are significant issues to be resolved with this approach, many of which will not be addressed in VMware’s first release of a VMsafe-enabled version of ESX (expected later this year).
In a previous post, I discussed how the legacy security vendors are fighting the move to virtualize – dragging their feet on delivering the solutions we need for securing virtualized environments. I’ve seen the lack of VMsafe availability used as a stalling tactic by the vendors (“we’re waiting on VMsafe before delivering our solution…”). Don’t believe it. Network-based security protection can be run in ESX today as a virtual appliance and provide firewall and intrusion prevention services for the internal virtual network traffic. Host-based security protection solutions such as AV can be run today inside a guest VM to provide protection within the VM. Sure, in the future VMsafe may enable these solutions to install more easily, possibly reduce the number of agents and potentially transform the way we secure virtual environments. Awesome! If I’m responsible for VM security, I’ll consider it after the APIs ship, after the vendors finally ship their VMsafe-enabled solutions, after I’ve got a level of comfort that these VMsafe-enabled security solutions don’t in and of themselves introduce new security vulnerabilities, after I’ve tested both thoroughly and when I’m prepared to migrate (oh, and when I’ve got the budget).
Note to self: Check back on VMsafe in at least a year when all of this starts to become a reality. Radical transformation can wait. I’ve got real virtualization initiatives that need to be deployed securely now.