Secure your virtual machines by taking the fast path approach
July 21, 2011
By: Tom Spear and Paula Parker
80% of businesses today have some level of virtualization in their network infrastructure. Just as with physical servers, it is important to secure Virtual Machines (VMs), which have become software instances inside a host container. There are different ways to secure and restrict a VM or server; however, some methods can be slow, cumbersome and punitive. What is troubling is the growing battle of “speed vs. security” within many large organizations. A recent survey indicated that speed still wins. Security News from Help Net Security (www.net-security.org) reported on July 19, 2011 the results of a Crossbeam Systems survey that polled nearly 500 participants from enterprises and service providers: “Ninety percent of respondents admit to making a trade-off between security and throughput performance.” That puts organizations, partners, employees and customers like yours potentially at risk.
So how do we address this conundrum? In the past, Security Administrators have used VLANs to segment and secure their mission-critical workloads. A second, more recent tactic has been to implement a “Slow Path” approach of securing VMs on a one-to-one firewall/VM ratio. This solution, though, potentially uses up the hypervisor’s resource pool, slowing down overall performance and adding a large amount of overhead. Both of the methods described above intensify the challenge of “speed vs. security”.
However, security must not be ignored. Consider the surge in recent security breaches: HBGary Federal was breached in February of 2011, supposedly by the internet activist group “Anonymous”. In March, RSA endured a security breach from a targeted phishing attack that compromised RSA’s SecurID authentication tokens, which put many Fortune 500 companies at risk. Epsilon endured a breach in April, putting at risk those whose names were on the millions of e-mail addresses stored by the company, which happens to be one of the world’s largest providers of e-mail marketing services.
Also during April, Sony’s Playstation Network was reported to have leaked personal information of over 70 million subscribers.
The company then endured another breach in May. And, most recently, in June of this year, Citibank announced that personal and account information of an estimated 200,000 bank card customers in North America had been breached. Could the Citibank breach have been linked to the massive Epsilon breach in April, since it was reported that Citibank was one of Epsilon’s customers? The world is getting smaller, and it would appear the attack footprint is getting bigger.
Yet, there is now a third, unique solution that takes a “Fast Path” approach and can provide a balance point that removes the need to forgo speed while securing the VM environment. This “Fast Path” approach doesn’t impair the ROI gained from moving to the virtualization model and has minimal overhead. It was designed with high performance and virtualized security in mind. The Fast Path approach is only possible by taking advantage of VMware’s VMsafe APIs (Application Programming Interfaces). VMsafe is a suite of security APIs for the VMware hypervisor. The VMsafe APIs allow vendors to advance security products that combat malware in ways that were not previously available in physical environments. Tom Spear, CEO of enfoPoint Solutions, http://enfopoint.com, explains that the third option delivers a 10 times improvement in throughput over the alternatives, with greater security, thanks to VMware opening up their APIs through the VMsafe certification program. At enfoPoint, we recommend that if you are looking for such a solution, you need a product that has had years of development and is purpose-built from the ground up. Some of the features you should look for include the following:
• Agentless software, to prevent malware from hiding within the hypervisor
• VMsafe certification
• Intrusion Detection System capabilities
• VM introspection, for gaining an X-ray view of VM activity within the hypervisor
• Alerting and reporting capabilities
• Compliance management and indicators for rating the current security posture
• High Availability (HA) options
• Ability to go from global to granular when applying automated security policies
This is not the future. There are products that meet all the above requirements today. Tom points out that it is important to select an agentless product so malware would have no place to hide. Malware can attack the infrastructure of a business, and can lie in wait for long periods of time if left undetected. It is an industry-known problem that malware can disable agents and hide. The solution also needs to be effective in addressing the security need to limit an in-scope VM to a single function in order to comply with PCI DSS mandates.
The most recent revision of PCI DSS, version 2.0, was released in the fall of 2010 specifically to address virtualization and how cardholder data should be treated in a Cardholder Data Environment (CDE) when the data is being processed, stored and/or transmitted (in scope). Additionally, cloud computing, both private and public, has an underlying platform based on virtualization. The PCI Security Standards Council released their “Information Supplement: PCI DSS Virtualization Guidelines” in June of 2011, stating in section 2.2.1 under Scope Guidance: “If any virtual component connected to, (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope”. So essentially, Virtual Machines that are processing, transmitting or storing cardholder data must be treated like an in-scope server and limited to a single function based on PCI DSS requirements.
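The two scoping rules above (an in-scope VM pulls its hypervisor into scope, and an in-scope VM should serve a single function) can be checked mechanically against a VM inventory. The following is an added example written for this article, not code from enfoPoint, VMware or the PCI Security Standards Council; the inventory, host names and function labels are constructed, and any real assessment would pull them from the hypervisor management system.

```python
"""Propagate PCI DSS scope across a virtualized inventory (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str                  # hypervisor this VM runs on
    functions: Tuple[str, ...] # primary functions the VM serves
    handles_chd: bool          # processes, stores or transmits cardholder data


# Constructed sample inventory; not real systems.
SAMPLE_INVENTORY: List[VM] = [
    VM("web-pay", "esx01", ("web",), True),
    VM("db-pay", "esx02", ("database", "reporting"), True),   # two functions on one VM
    VM("intranet", "esx01", ("wiki",), False),                # shares esx01 with web-pay
    VM("dev-build", "esx03", ("ci",), False),
]


def in_scope_hosts(vms: List[VM]) -> List[str]:
    """Any hypervisor hosting an in-scope VM is itself in scope (Scope Guidance 2.2.1)."""
    return sorted({vm.host for vm in vms if vm.handles_chd})


def scope_report(vms: List[VM]) -> Dict[str, List[str]]:
    """Summarize scope propagation and flag VMs that need attention."""
    hosts = in_scope_hosts(vms)
    return {
        # hypervisors that inherit scope from the VMs they run
        "in_scope_hosts": hosts,
        # VMs that directly handle cardholder data
        "in_scope_vms": sorted(vm.name for vm in vms if vm.handles_chd),
        # out-of-scope VMs sharing an in-scope hypervisor: review their segmentation
        "co_located_out_of_scope": sorted(
            vm.name for vm in vms if not vm.handles_chd and vm.host in hosts
        ),
        # in-scope VMs serving more than one primary function: single-function rule
        "multi_function_in_scope": sorted(
            vm.name for vm in vms if vm.handles_chd and len(vm.functions) > 1
        ),
    }


if __name__ == "__main__":
    for key, names in scope_report(SAMPLE_INVENTORY).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run against a real inventory, the `co_located_out_of_scope` list is the one to review first: those workloads sit on a hypervisor that is in scope whether or not they touch cardholder data, which is exactly the mixed-environment situation the supplement's hypervisor rule is meant to surface.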
Both public and private cloud computing rely on virtualization because of its innate ability to optimize the performance of an organization’s network through resource pools and clustering for high availability, high-performance computing, load balancing and utility grid computing. This, however, also suggests a potential area of vulnerability, and perhaps a security gap, if security managers for both VMs and the cloud, public and private, have not performed all the due diligence necessary to secure the virtualized environment.
If your organization is considering Public Cloud Services, it is important to be aware that the PCI Security Standards Council advised that the responsibility for securing in-scope VMs should be shared, but weighted differently depending on the type of service the cloud is providing. See the graph below for the Council’s guidance for Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

enfoPoint Solutions offers compelling value propositions that help to address and minimize the security gaps described above. The company offers both hardware and software solutions that address performance and security concerns from layer 1 of the OSI model all the way through layer 7. These provide not only defense-in-depth protection of physically connected servers, but also purpose-built security protection of virtual devices in a VMware environment, helping to maintain high throughput with minimal impact on the performance of the organization’s and/or service provider’s network.
Tom enthusiastically adds that there are some breakthrough products that have taken advantage of the VMsafe API certification program. He has invested time in evaluating the solutions available, and encourages organizations struggling with the “speed vs. security” dilemma to contact him at info@enfopoint.com if they would like to learn more.
He also encourages you to please visit the enfoPoint booth at InfoSec Conference on September 15th at the Nashville Convention Center to learn more about the “Fast Path” solution.