In my daily conversations with clients on virtualization security, one of the issues that we frequently discuss is whether or not they need virtualized security controls like firewalls and intrusion prevention systems to isolate and inspect traffic between virtual machines.
One line of reasoning goes like this: If the workloads in the VMs have similar trust levels, we don’t need these controls between VMs because we don’t have these types of controls between servers of similar trust levels in our physical environments.
While this is true, it assumes that we merely want to replicate in the virtual world what we have done in the physical world. In physical environments, we sprinkle security controls here and there in part because we are constrained by the cost and physical limitations of physical appliances. But what if you could deploy security controls like firewalls and IPSs with the push of a button, in the form of software-based appliances? What if a virtualized security control was a tenth or a hundredth of the cost of the appliance-based physical control it replaced?
Virtualization offers us a clean slate — a chance to do things differently. Radically differently.
We’ve ended up with today’s security architectures in large part because the limitations and costs of physical controls were a major factor in their placement. Virtualization changes the cost economics and lowers barriers to deployment and adoption. Security architectures will absolutely change, and improve, as a result.
Ask yourself – if firewalls and IPSs were essentially free and could be deployed anywhere they were needed at little or no incremental cost, would you change how you secure your infrastructure?