Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Five Myths and Realities of Virtualization Security

by Neil MacDonald  |  September 6, 2012  |  3 Comments

I’ve been researching the intersection of virtualization and security since 2007 and find myself continually running into these myths pertaining to virtualization and security:

1) Myth: Physical is better than virtual.

Reality: Define “better”. Software and virtual appliance-based security controls are more adaptable to the rapidly changing infrastructure requirements of a modern, virtualized data center. A recent case study by Intuit at VMworld documented that the time to secure a newly provisioned VM dropped from 30 days to 30 minutes using software-based, automatically provisioned security controls.

2) Myth: Physical security controls provide better separation of controls than virtual ones.

Reality: This confuses physical separation with logical separation. Role-based access control over security control functionality, together with a separate security and management control plane, provides the necessary separation of duties. A related myth is that “infrastructure can’t protect infrastructure.” Sure it can – and quite well.

3) Myth: Physical security appliances are faster than virtual implementations.

Reality: Yes and no. Yes, if you think of security as the serialized application of security policy enforcement at ‘choke’ points in the network (like placing an IPS at the perimeter of the enterprise or a next-generation firewall at the perimeter of the data center). The mistake in this thinking is the rationing of security policy enforcement based on physical network topology. Some of this is caused by the cost of physical appliances; some of it is a byproduct of physical network topology. In both cases, challenge the assumption that placing big boxes at aggregation points is the best architecture. Instead, parallelize security policy enforcement closer to the workloads it protects, using hypervisor-based or virtual appliance-based security controls.

4) Myth: Virtual security appliances won’t achieve 40 Gbps of inline IPS inspection speed.

Reality: True, at least for the next few years, and at least in a single box. The myth is in the need for 40 Gbps of inline speed. As with #3 above, the future of information security (like IT in general) is scale out, not scale up. Bigger and bigger proprietary boxes that consume an ever-increasing share of our budget are not the way forward. Ask Unix vendors. Commodity x86 computing cycles are the future. Four Intel-based servers, each providing 10 Gbps of inspection speed, can do this today (see the virtual firewalling benchmark data from Juniper/Altor). Our current security architectures, based on the rationing of security controls at network choke points, are a historical artifact, not necessarily the best path forward.
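To make the scale-out argument of myths 3 and 4 concrete, here is a small constructed model (example code written for this edit, not from the post or from Gartner). It assumes a data center whose traffic is a list of (src, dst, gbps) flows, where "internet" marks north-south traffic and host-to-host flows are east-west traffic that never reaches the perimeter appliance; the flow values and host names are invented.

```python
# Added example (not from the post): choke-point versus distributed
# inspection on constructed traffic. Assumption: an east-west flow between
# two hosts never crosses the perimeter, so an edge appliance cannot see it.
from collections import defaultdict

# Constructed sample flows: (source, destination, gigabits per second).
FLOWS = [
    ("internet", "host1", 4.0),
    ("host1", "internet", 3.0),
    ("host1", "host2", 2.0),
    ("host2", "host3", 8.0),
    ("host3", "host1", 5.0),
]


def is_north_south(flow):
    src, dst, _ = flow
    return "internet" in (src, dst)


def chokepoint_inspection(flows, appliance_gbps):
    """One big box at the data center edge. Only traffic crossing the
    perimeter is inspected; east-west traffic is never seen.
    Returns (inspected_gbps, uninspected_gbps, appliance_overloaded)."""
    inspected = sum(f[2] for f in flows if is_north_south(f))
    uninspected = sum(f[2] for f in flows if not is_north_south(f))
    return inspected, uninspected, inspected > appliance_gbps


def distributed_inspection(flows, per_host_gbps):
    """A hypervisor-based or virtual-appliance control on every host.
    Each flow is inspected once at the originating host (inbound
    north-south traffic at the receiving host), so all traffic is covered
    and each host only needs capacity for its own workloads' traffic.
    Returns (inspected_gbps, uninspected_gbps, load_by_host, any_overloaded)."""
    load = defaultdict(float)
    for src, dst, gbps in flows:
        load[src if src != "internet" else dst] += gbps
    overloaded = any(l > per_host_gbps for l in load.values())
    return sum(load.values()), 0.0, dict(load), overloaded


if __name__ == "__main__":
    # A 40 Gbps edge appliance is far from saturated, yet 15 of the 22 Gbps
    # in this data center are never inspected; 10 Gbps per host covers all of it.
    print("choke point :", chokepoint_inspection(FLOWS, appliance_gbps=40.0))
    print("distributed :", distributed_inspection(FLOWS, per_host_gbps=10.0))
```

The distributed variant also shows the sizing caveat: capacity must be planned per host for the busiest host's traffic, not for the aggregate.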

5) Myth: The future of information security is all virtual.

Reality: The future is hybrid – physical and virtual security controls working cooperatively. Both will be used. Physical versus virtual is an enterprise deployment option, not a vendor dictate. Vendors should let you choose. Oh, and add cloud to this as well – for example, placing the security control with workloads when consuming Infrastructure as a Service.

Category: Cloud Security, Virtualization Security

3 responses so far

  • 1 Robert Morris   September 6, 2012 at 12:52 pm

    Regarding myth 1, please look at the most recent Gartner study from 2010 that estimates 60% of virtual machines are less secure than their physical counterparts.

  • 2 Neil MacDonald   September 6, 2012 at 6:24 pm

    @Robert,

    There are really 3 different issues here:
    1) whether or not virtualization is deployed securely – this is what your comment is in regards to
    2) whether or not physical security controls are virtualized – this is what the blog post is about
    3) longer term, using virtualization to do things BETTER than we can with physical – like introspection, malware detonation, intrusion deception, sensitive data containment, and so on

    Back to #1 – yes, that is the correct summary of my research. In 2007 I published this:
    “Through 2009, 60% of production VMs will be less secure than their physical counterparts (0.8 probability).”

    and then updated this in 2010 to reflect a growing awareness of the issue and improved maturity of virtualization tools, skills and processes:
    “Through 2012, 60% of virtualized servers will be less secure than the physical servers they replace, dropping to 30% by YE15.”

    Bottom line – Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants. Good news – we are getting better. So are the vendors.

    Neil

  • 3 Adam Hils   September 14, 2012 at 12:59 pm

    Neil,

    Thanks for the thought-provoking post, Neil. A brief critique:

    Myth #1 is indeed a myth. “Better” is definable only relative to specific use case and network topology. It’s meaningless in any IT discussion about environments as variegated (and rapidly morphing) as enterprise data centers.

    Myth #2 – I agree theoretically that separation of virtual security controls CAN be as thorough as that of its physical counterparts; however, typically separation of controls is not implemented as thoroughly as it is in physical environments.

    Myth #3 is not a myth today, given the reality of today’s network topology. Will the balance shift over time? Yes. Will it be next year? Two years from now? No. Sunk costs will prevent rapid transitions to allowing virtual security to process data center traffic at speeds approaching those achievable by appliances.

    I agree with you about Myth #4 for many use cases. However, for the foreseeable future I see a need for big honkin’ boxes at the network edge.

    Myth #5 is where I most wholeheartedly endorse your view. Virtual and physical security should not compete. The most successful vendors will allow evolving customers to deploy multiple form factors to most efficiently, most completely secure their infrastructures.