Gartner Blog Network


VMware Launches vSphere (and Security Makes the Keynote)

by Neil MacDonald  |  April 22, 2009  |  4 Comments

On Tuesday April 22, VMware formally launched the next major release of its virtualization platform. The code has been released to manufacturing and will become generally available during this quarter. The atmosphere was upbeat, the buzz phrase “cloud” was generously sprinkled throughout the presentations and, most importantly, the importance of security as a core capability of the vSphere platform was emphasized. Heck, having any CEO of an IT platform company mention the word “security” in a keynote is a good sign. Paul Maritz mentioned security multiple times. Good stuff.

From a security point of view, this is a significant release:

  • vSphere includes a set of APIs for the introspection of hypervisor/VMM-level information, called VMsafe.
  • Some versions of vSphere will include virtual firewalling capability built on VMsafe, called vShield Zones, that enforces logical firewalling policies based on a VM’s identity; because the policy is tied to the VM rather than to a physical host, it moves automatically with the VM when the VM is migrated.
  • vSphere includes support for hardware-based root of trust measurement of the hypervisor/VMM, to help detect tampering with this sensitive security layer.

Multiple enterprise SKUs were announced: Standard ($795); Advanced ($2245); Enterprise ($2875) and Enterprise Plus ($3495). One of my concerns was that VMware would limit security capabilities to only the higher-end SKUs. Well, good news and bad news. VMsafe is present in all versions. I had hoped that the vShield Zones technology would have been included with all SKUs, even with some limits (for example, limiting vShield protection in the entry-level SKU to firewalling within a single physical server). However, only the Advanced SKU and higher include vShield.

Virtualization can be used to transform information security. Security capabilities integrated into our virtualization platforms like vSphere are an important foundation for this vision.

Category: virtualization-security

Tags: hypervisor-security, virtualization-security, vmsafe, vmware, vshield, vsphere

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


Thoughts on VMware Launches vSphere (and Security Makes the Keynote)


  1. The vSphere launch is terrific for virtualization security. Now that VMsafe is nearing availability, vendor placement in the ‘stages of virtualization security’ may stratify even more. VMsafe becomes the baseline, but even in VMsafe solutions there is potential for a broad range of performance and functionality. VMsafe includes Memory, Disk, and Network components. Within VMsafe-Network, there is a huge performance difference between fast-path and slow-path solutions, with fast-path solutions leveraging the hypervisor for packet processing directly in the vKernel. The ability to efficiently leverage multiple VMsafe APIs for delivering defense-in-depth designed uniquely for virtual servers is an exciting prospect.

  2. Neil MacDonald says:

    Todd,

    Yup. As I have discussed, VMsafe is not a panacea, but it does challenge the industry to think how information security might be delivered differently in virtualized infrastructure. I expect many vendors will appear offering products that tap into the VMsafe APIs, so the maturity index I proposed is useful:

    http://blogs.gartner.com/neil_macdonald/2009/03/13/the-5-stages-of-virtualization-security-vendor-maturity/

    I’ll hit the issue of VMsafe fast-path/slow-path in a future blog post. Those are engineering names (horrible marketing names!) that point to where the network packet processing is taking place — in the hypervisor or in a guest VM.

  3. […] outside of the OS container that the user has administrative rights in. However, these technologies are just emerging and aren’t yet mainstream on servers, let alone enterprise […]

  4. […] is the first virtualization platform to offer production releases of introspection capabilities with VMsafe in its vSphere release of its virtualization platform earlier this year. Since then, a few vendors such as Altor and Reflex Systems have released […]

