Virtualization brings many benefits to today's enterprise environment. Physical server resources can reach their full potential by running more than one workload. Operating system instances are decoupled from the underlying hardware and can move freely between the hosts of a cluster without any negative side effects.
High-availability mechanisms that were never before possible, such as the ability just mentioned to restart virtual machines on a different host if the primary host fails, are now commonplace.
Virtualized networking allows many of the same benefits to network traffic by allowing the network to be abstracted from the underlying physical network switches, wiring, and other devices.
Software-defined storage is all the rage today; it allows using commodity storage that is directly controlled by the hypervisor itself. This brings much more flexibility and agility to provisioning storage and to providing the disaster recovery and high-availability mechanisms that protect workloads running on top of these software-defined, virtualized infrastructure technologies. One area, however, that is rapidly developing because of virtualization is security.
In this post, we will see how virtualization technology is improving security through the innovative ways in which security problems and challenges are being met with virtualized solutions.
Security is of Primary Concern
Organizations today are quickly realizing just how important security objectives are no matter what the project or what areas of the business are involved. However, especially with technology infrastructure, security is under scrutiny more than ever before. Large-scale and high-profile data breaches that make major news headlines are certainly not the kind of publicity that businesses are looking to acquire. Ransomware attacks that leave business-critical systems crippled are equally concerning. Businesses today must have a razor-sharp focus on security concerns and how they are to be met effectively.
Security can no longer be an afterthought in any plan to implement new technologies or move forward with new infrastructure. It has to be baked into the project as a necessary component so that critical parts of the security thought process are not missed. Additionally, security planning and proper implementation are no longer simply an “IT problem”. They require buy-in and involvement from all levels of the organization chart, in most cases all the way up to C-level executives. Security is a mindset that must be correctly executed at every level.
Often, the solution to challenging security problems is a good mix of effective employee training and a good amount of technology solutions. Together, these bolster the defenses of the infrastructure being protected. The virtualization age has certainly changed how organizations think about security and isolation. Virtualized technologies have pushed past many of the limits that security controls faced in the purely physical world.
Let’s see how virtualization has allowed security advancements in the following areas:
- Compute
- Networking
- Storage
Virtualization Advances in Security – Compute
Virtualized technology is no longer found only on the hypervisor host. While the hypervisor itself has certainly taken tremendous leaps in capability, it has also made its way all the way into the guest operating system. Focusing on this area of compute, Microsoft has made some tremendous strides in security at the guest operating system level. By harnessing advancements in Azure, containers, and the Hyper-V hypervisor itself, Microsoft has been able to build many virtualization-based security advancements into the operating system.
Beginning with Windows 10 and Windows Server 2016, Microsoft introduced Virtualization-based Security (VBS), which allows these operating systems to take advantage of the Hyper-V hypervisor. VBS creates a secure region of memory that is isolated from the normal operating system and runs a virtual secure mode in which highly sensitive pieces of information can be stored and protected from malicious code. By using the Hyper-V hypervisor, VBS enforces restrictions that protect such things as authenticated user credentials. Even if malware makes it onto the system, its capabilities are drastically reduced by the protection of VBS: the hypervisor prevents malware from executing code in that isolated region or accessing the platform secrets held there.
This enables solutions such as Hypervisor-Enforced Code Integrity (HVCI), which uses VBS to strengthen code integrity policy enforcement. Kernel mode checks prevent unsigned drivers or system files from being loaded, and configurable code integrity can also be applied to user mode code to check it for dangerous or malicious instructions.
At the time of this writing, Microsoft has announced that an upcoming release of Windows 10 will include a new Windows Sandbox feature, which creates a totally secure area in which to test application installs and make sure the code is not malicious. Windows Sandbox creates an isolated “sandbox” environment that is totally separated from the host and in which changes do not persist. This provides an extremely safe area to test out executables, browse the Internet, and so on. There are many potential use cases for this type of functionality that have yet to be seen.
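The natural first step for a defender is to check whether VBS and HVCI are actually running on a given machine rather than merely configured. The following script is an added example, not code from the original post or from Microsoft; it reads the Win32_DeviceGuard WMI class that Windows 10 / Server 2016 and later expose, and the numeric code meanings are taken from Microsoft's documentation of that class.

```powershell
# Added example, not from the original post: report the state of VBS and the
# services it hosts (HVCI, Credential Guard) via the Win32_DeviceGuard class.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-Enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$platformProps = @{
    1 = 'Base virtualization support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite';     5 = 'UEFI code read-only'
    6 = 'SMM security mitigations';    7 = 'Mode Based Execution Control'
}

# Translate an array of numeric codes into names, keeping unknown codes visible
function ConvertTo-Names([uint32[]]$Codes, [hashtable]$Map) {
    foreach ($c in $Codes) {
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "Unknown ($c)" }
    }
}

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    $configured = @(ConvertTo-Names $dg.SecurityServicesConfigured $serviceNames)
    $running    = @(ConvertTo-Names $dg.SecurityServicesRunning    $serviceNames)
    $required   = @(ConvertTo-Names $dg.RequiredSecurityProperties  $platformProps)
    $available  = @(ConvertTo-Names $dg.AvailableSecurityProperties $platformProps)

    [pscustomobject]@{
        VbsState             = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        # HVCI (service code 2) is the control that blocks unsigned kernel-mode code
        HvciRunning          = ($dg.SecurityServicesRunning -contains 2)
        ServicesConfigured   = $configured
        ServicesRunning      = $running
        # Configured but not running usually means a pending reboot or a missing
        # platform prerequisite; the last field shows which prerequisite is absent
        ConfiguredNotRunning = @($configured | Where-Object { $_ -notin $running })
        MissingPrerequisites = @($required   | Where-Object { $_ -notin $available })
    }
}

Get-VbsReport | Format-List
```

A host where HvciRunning is false but HVCI appears under ServicesConfigured is the case to chase down, since the policy exists but the hypervisor is not enforcing it.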
Virtualization Advances in Security – Networking
There is no question that one of the huge advancements in security by way of virtualization has happened in the realm of networking. Since most production workloads today are found running inside the hypervisor, traffic can effectively be filtered and segmented based on the constructs of the virtual environment.
VMware’s NSX has certainly been the standout leader in the area of data center virtualization, as it allows abstracting the networking layer from the underlying physical infrastructure and locking down traffic based on a wide range of virtualization constructs found within vSphere.
VMware NSX provides the ability to implement micro-segmentation in an existing environment. This means that every single node on the network is prevented from “seeing” anything that is not explicitly allowed. Micro-segmented traffic can be defined by a number of criteria: user, VM name, IP address, virtual switch, operating system type, and so on.
NSX can “stretch” layer 2 networks if needed, provide distributed routing, and prevent various types of network traffic, such as ARP, from flooding the network. By micro-segmenting the network, security is greatly increased, since an attacker would only be able to communicate with a very small subset of hosts on a segment instead of the entire segment or VLAN.
Virtualization Advances in Security – Storage
Software-defined storage is another area that has become tremendously powerful in the last couple of years. More and more environments are utilizing software-defined storage and reaping the benefits of doing so. This includes security.
One of the really great advantages of software-defined storage such as VMware’s vSAN is the ability to use storage policies to granularly secure virtual machines, even at the VMDK level. By assigning the VM encryption policy to a virtual machine, the virtual machine is encrypted on disk. This means that even if an administrator with access to the physical VMDK files were to copy them to removable storage and take them to a different vSphere environment, the files would be unusable without the proper encryption infrastructure and keys to decrypt them.
Storage policies can also limit a VM’s performance to a specified percentage of the storage capacity. If an attacker were to compromise a VM and try to disrupt production by performing a denial of service attack that consumes all available performance, such storage policies help to prevent performance-related security threats.
By utilizing these and many other virtualization-based storage technologies, organizations are well-equipped to meet the challenges that come with today’s security threats.
Thoughts
Virtualization is perhaps the single most revolutionary technology of the past several decades, as it has totally changed the way organizations utilize physical hardware. Additionally, it has allowed businesses to lift the mechanisms for securing environments out of the purely physical world. The virtualization advancements in compute, networking, and storage give businesses powerful new ways to wage war against malware and other threats from various threat actors. These software abstractions will continue to enable advancements in security and in every other aspect of today’s modern infrastructure.