Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


VMware Launches vSphere (and Security Makes the Keynote)

by Neil MacDonald  |  April 22, 2009  |  4 Comments

On Tuesday April 22, VMware formally launched the next major release of its virtualization platform. The code has been released to manufacturing and will become generally available during this quarter. The atmosphere was upbeat, the buzz phrase “cloud” was generously sprinkled throughout the presentations and, most importantly, the importance of security as a core capability of the vSphere platform was emphasized. Heck, having any CEO of an IT platform company mention the word “security” in a keynote is a good sign. Paul Maritz mentioned security multiple times. Good stuff.

From a security point of view, this is a significant release:

  • vSphere includes a set of APIs for the introspection of hypervisor/VMM-level information called VMsafe.
  • Some versions of vSphere will include virtual firewalling capability built on VMsafe, called vShield Zones, which enforces logical firewalling policies tied to a VM’s identity rather than to its physical location, so the policy moves automatically with the VM as it migrates.
  • vSphere includes support for hardware-based root of trust measurement of the hypervisor/VMM to help detect tampering with this sensitive security layer.
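The third bullet, hardware-rooted measurement of the hypervisor to detect tampering, rests on the same principle as TPM measured boot: each component is hashed before it runs and the hash is folded into a one-way register, so a verifier can compare the final register value (and the event log behind it) against a known-good value. The simulation below is an added example written for this post, not VMware's or vSphere's code; the component names and image bytes are constructed placeholders, and it models a single SHA-256 extend register rather than a real TPM.

```python
import hashlib

# Constructed stand-ins for the stages of a hypervisor boot chain (not real
# vSphere files): (stage name, bytes of the image that stage would load).
KNOWN_GOOD_COMPONENTS = [
    ("bootloader", b"bootloader-image-v1"),
    ("vmkernel", b"hypervisor-kernel-image-v1"),
    ("vmm-modules", b"vmm-module-bundle-v1"),
]

# A platform configuration register starts at all zeros at power-on.
PCR_INIT = b"\x00" * 32


def measure(image: bytes) -> bytes:
    """Hash a component image before it is handed control."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement).

    The register can only be extended, never set, so a later stage cannot
    erase the record of an earlier one, and the result depends on order.
    """
    return hashlib.sha256(pcr + measurement).digest()


def measured_launch(components, log=None) -> bytes:
    """Measure each stage in order, optionally recording an event log."""
    pcr = PCR_INIT
    for name, image in components:
        m = measure(image)
        if log is not None:
            log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr


def expected_pcr() -> bytes:
    """Golden value a verifier would provision from a known-good launch."""
    return measured_launch(KNOWN_GOOD_COMPONENTS)


def verify_launch(components) -> bool:
    """Attestation check: does this launch reproduce the golden PCR?"""
    return measured_launch(components) == expected_pcr()


def replay_log(log) -> bytes:
    """Recompute the PCR from an event log so a verifier can validate the log."""
    pcr = PCR_INIT
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def first_divergence(log):
    """Name the first stage whose (position, name, measurement) differs from
    the known-good chain, or None if every entry matches."""
    golden = [(name, measure(img).hex()) for name, img in KNOWN_GOOD_COMPONENTS]
    for i, entry in enumerate(log):
        if i >= len(golden) or entry != golden[i]:
            return entry[0]
    return None


if __name__ == "__main__":
    # Constructed tampering: the hypervisor kernel image has been modified.
    tampered = [(n, img if n != "vmkernel" else b"hypervisor-kernel-image-EVIL")
                for n, img in KNOWN_GOOD_COMPONENTS]
    log = []
    pcr = measured_launch(tampered, log)
    print("known-good launch verifies:", verify_launch(KNOWN_GOOD_COMPONENTS))
    print("tampered launch verifies:  ", verify_launch(tampered))
    print("log replay matches PCR:    ", replay_log(log) == pcr)
    print("first divergent stage:     ", first_divergence(log))
```

The point the simulation makes is that the golden value alone tells the verifier only that something changed; the event log, replayed against the register, tells it which stage diverged, and reordering the same components is caught because extend is order-dependent.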

Multiple enterprise SKUs were announced: Standard ($795); Advanced ($2245); Enterprise ($2875) and Enterprise Plus ($3495). One of my concerns was that VMware would limit security capabilities to only the higher-end SKUs. Well, good news and bad news. VMsafe is present in all versions. I had hoped that the vShield Zone technology would have been included with all SKUs, even with some limits (for example, limiting vShield protection in the entry level SKU to firewalling within a single physical server). However, only the Advanced SKU and higher include vShield. 

Virtualization can be used to transform information security. Security capabilities integrated into our virtualization platforms like vSphere are an important foundation for this vision.

Category: Virtualization Security

4 responses so far

  • 1 Todd Ignasiak   May 12, 2009 at 7:35 pm

    The vSphere launch is terrific for virtualization security. Now that VMsafe is nearing availability, vendor placement in the ‘stages of virtualization security’ may stratify even more. VMsafe becomes the baseline, but even in VMsafe solutions there is potential for a broad range of performance and functionality. VMsafe includes Memory, Disk, and Network components. Within VMsafe-Network, there is a huge performance difference between fast-path and slow-path solutions, with fast-path solutions leveraging the hypervisor for packet processing directly in the vKernel. The ability to efficiently leverage multiple VMsafe APIs for delivering defense-in-depth designed uniquely for virtual servers is an exciting prospect.

  • 2 Neil MacDonald   May 13, 2009 at 7:58 am

    Todd,

    Yup. As I have discussed, VMsafe is not a panacea, but it does challenge the industry to think how information security might be delivered differently in virtualized infrastructure. I expect many vendors will appear offering products that tap into the VMsafe APIs, so the maturity index I proposed is useful:

    http://blogs.gartner.com/neil_macdonald/2009/03/13/the-5-stages-of-virtualization-security-vendor-maturity/

    I’ll hit the issue of VMsafe fast-path/slow-path in a future blog post. Those are engineering names (horrible marketing names!) that point to where the network packet processing is taking place — in the hypervisor or in a guest VM.

  • 3 No Security (or Management) Controls are Absolute When Users run as Administrators   December 17, 2009 at 2:50 pm

    [...] outside of the OS container that the user has administrative rights in. However, these technologies are just emerging and aren’t yet mainstream on servers, let alone enterprise [...]

  • 4 Doing Things Better With Virtualization   December 22, 2009 at 9:49 am

    [...] is the first virtualization platform to offer production releases of introspection capabilities with VMsafe in its vSphere release of its virtualization platform earlier this year. Since then, a few vendors such as Altor and Reflex Systems have released [...]