Lessons from the Windows Firewall on the Evolution of Virtualization Security

by Neil MacDonald  |  November 8, 2010  |  2 Comments

In this research note on deploying Windows 7 security features for clients, I explore in detail the security capabilities baked into Windows 7 – AppLocker, BitLocker, BitLocker To Go, the Windows Firewall, USB Port Control and so on.

One question I get from clients is whether or not to use the built-in capabilities of Windows or to use third party solutions for these capabilities.

Is security weakened by using what is built into the OS?

There’s some hype here and some reality. The hype would be that Microsoft’s own technologies couldn’t be used to protect Microsoft’s own OS. The reality is:

1) Typically what is baked into the OS is not as capable as solutions from third party security vendors.

2) As with any security solution that runs on the platform it protects, a user with administrative credentials could potentially disable the security control. This is an issue with any platform where users have unimpeded administrative access and affects all EPP agents, not just Microsoft’s.

3) Typically, what is baked into the OS requires a separate management console which isn’t integrated into what the organization may use for the formulation of other security policy. This creates two problems.

First, there is the potential for loss of separation of duties if the operational staff supporting Windows are the ones now setting security policy. Separating the formation of security policy from the operational management of the enforcement points prevents conflicts of interest and reduces the chance for an insider attack. This is frequently an area that auditors will focus on.

Second, the introduction of another console for security professionals to set security policy increases the chance for misconfiguration and mistakes.

The real benefit in having Microsoft include security capabilities into its platform has been in keeping the pricing for security capabilities rational for everyone. I’ve seen pricing for Endpoint Protection Platforms (firewall, antivirus, antispyware and some HIPS capabilities) drop by more than 1/2 in the past three years. Microsoft is at least a factor in this drop.

How does this pertain to virtualization security?

As I have talked about in my research on virtualization and security and in this recent research note for clients on VMware’s recent vShield line of offerings, we’ll see a similar evolution in virtualized data centers. Yes, more capable solutions will be available from third party security vendors. And, while separation of duties can be maintained by using role-based access control to vShield Manager, I’d rather see a consistent way to manage policy across physical and virtual environments – which is an area that VMware won’t go into (just like Microsoft doesn’t make security products for the Mac).

So what will be the impact? I expect that just like some third party EPP vendors manage the Microsoft firewall and some third party encryption products manage BitLocker, some third party security vendors will manage VMware’s offerings, helping to deliver a consistent policy management interface. Just like Microsoft’s security offerings have been a factor in pricing, I expect that VMware’s offerings will help to keep pricing rational for virtualized security for all of us. Finally, VMware’s offerings will likely accelerate physical appliance-based security vendors into more rapidly addressing the needs for security in virtualized data centers and evolving these to support the need for security in private cloud architectures (which I talk about in detail for clients in this research note).


Category: Endpoint Protection Platform, Virtualization, Virtualization Security, Windows 7

2 responses so far ↓

  • 1 Andre Gironda   November 8, 2010 at 12:29 pm

    I trust Microsoft and VMware. They bake security into their products, especially their security features.

    Since you, like the rest of the world, appear to be obsessed with security features and products — while less impressed or unaware of secure coding — it may surprise you to hear that third party tools, especially ones claiming security features, often are the weakest link from a secure coding perspective.

    FDE confuses me most of all. BitLocker, while technically a better solution for every reason (and also that it adds native integrity checking via TPM) is never considered a good organizational fit because Enterprise decision-makers are easy to win over by bells and whistles. They are lemmings that follow advice from industry analysts and regulatory standards.

  • 2 Neil MacDonald   November 8, 2010 at 5:23 pm

    Andre,

    Please take a look at my previous posts on application security and you’ll see that I am a huge proponent of secure coding. Yes, Microsoft and VMware have secure development lifecycles as do the vast majority of security offerings on the market. This becomes part of your RFI/RFP diligence. Of course, even with SDL, Microsoft and VMware will have vulnerabilities so the issue of secure coding seems like a red herring and orthogonal to the discussion.

    On BitLocker – I’ve said this in research as well as my colleague John Girard. BitLocker is Good but not Great.
    http://www.gartner.com/DisplayDocument?id=1210543
    I have a lot of clients that use it and many more that still prefer third party products. What you call “bells and whistles” others might call manageability and TCO. For example, the issues with BitLocker we see most often cited are SSO, smart card access to the boot drive, key management outside of AD, auditing, the requirement for FIPS 140-2 certification, and so on.

    I’m not for or against Microsoft or VMware. I’m an advocate for our clients who have to deploy and manage this infrastructure.

    The advice is the same: understand the pros and cons of the “good enough” security capabilities that are baked into these platforms and then make an educated cost/benefit/risk decision on whether or not a solution from another vendor is required.

    It would be a mistake to assume a security capability provides the right fit just because it is included with/provided by Microsoft or VMware. That sounds much more lemming-like.

    Neil