The rush toward virtualisation of internal enterprise computing resources and cloud computing can have many advantages, such as server consolidation, but it's largely outracing traditional security and identity management practices.
That's leaving huge gaps, a sense of chaos and questions about where security products and services should be applied in the world of multi-vendor virtual-machine (VM) hypervisors.
"Virtualisation will radically change how you secure and manage your computing environment," Gartner analyst Neil MacDonald said this week at a Gartner Security and Risk Management Summit in the US. "Workloads are more mobile, and more difficult to secure. It breaks the security policies tied to physical location. We need security policies independent of network topology."
Gartner estimates almost half of x86-based server workloads are virtualised today, with VMware the clear market leader, but with Microsoft Hyper-V on the rise and Citrix a contender. Gartner advocates that enterprises plan to move to a private-cloud architecture. But at the same time, the consultancy acknowledged management tools and security really haven't risen to meet the occasion.
"The hypervisor will be less secure than the physical systems they replace," MacDonald said. "The integrity of that bottom layer is paramount. The hypervisor layer you don't want compromised."
Today there's often a "lack of visibility and controls on internal VM-to-VM communications," said MacDonald. "Should VM No. 1 be talking to VM No. 3? How do you know they're not attacking? The traffic never comes out onto our physical network." Some companies are willing to live with this uncertainty, others not, MacDonald said.
But questions such as these must be addressed to find out what options exist for tackling virtualisation and cloud security. In MacDonald's view, there needs to be a wide range of security controls in the VM, such as virtual firewalls, intrusion-prevention systems and antivirus, in addition to load balancers and traffic shapers.
Increasingly, vendors such as Altor, Cisco, Juniper, IBM, Hytrust, HP, Enterasys, McAfee, Catbird, StillSecure, Sourcefire, Reflex Systems and StoneSoft are offering virtual-appliance options for firewalling, monitoring and intrusion-prevention, for example. For the VMware platform, "Check Point has gotten furthest along," said MacDonald. "After a slow start, finally the big security vendors are making progress on their virtual-security controls."
VMware has provided VMSafe APIs to facilitate hypervisor-based "introspection" so that multiple software agents are no longer required. The need to deploy and run agent software has traditionally "been the bane of our existence," MacDonald acknowledged. But there are still a lot of questions about exactly how this works.
Trend Micro, seen as the No. 3 player in antivirus behind Symantec and McAfee, has been the fastest to embrace some of VMware's ideas on this, including support for VMware's latest security APIs, vShield, in its Deep Security product, which can perform A/V scanning for vSphere. Trend Micro has been charging less for VM-based A/V software, perhaps figuring "it has nothing to lose," MacDonald said.
The downside of the Trend Micro Deep Security approach with vShield, though, is that "stub code" for VMware and a hypervisor extension are still needed to make it work; it is also for Windows only, it quarantines but does not remove malware infection, and it does only anti-malware scanning, MacDonald said. And the possible drawback with vShield, which has the software taking on the role of firewall, is that it's so specific to VMware vSphere that customers will end up with "another silo."
The transition to more virtualisation-focused, software-based security controls, though now filled with uncertainties, is still expected to occur. Though such controls are deployed only "in the single digits today," Gartner predicts that by 2015, 40% of security controls, such as antivirus, will be virtualised. This will happen, MacDonald added, despite the fact that vendors such as Cisco and Juniper have been dragging their feet because they like to sell "overpriced physical hardware."
At this point, the main idea is to "treat the virtualisation platform as the most important IT platform in your data centre, from a security and management perspective," MacDonald said.
For those responsible for the identity management arena in the cloud, however, the situation appears to be particularly challenging.
"Until about two years ago, we were talking about how to do identity management internally," said Gartner analyst Gregg Kreizman. "Now, it's about how do we get our arms around the SaaS [software-as-a-service] problem? Or we used to manage the applications but now they're in the cloud" ... so it's leading to a never-before-asked question, "How about if we have our identities there?"
This is the cloud relative to the on-premises systems of yore, Kreizman said, and with SaaS providers using different interfaces, there's now a growing "interface risk" of a wider attack surface, plus more people potentially with their hands on the data. Google "is not very upfront about their security practices," Kreizman said. "Salesforce is a little bit better."
"Unfortunately, the default way to get identity information into a SaaS is to administer directly," said Kreizman. "A FTP or a Dropbox might be involved." Dropbox is a service that has suffered several security failures, including one this week involving a password-management problem that left user information exposed.
Companies wanting to extend their corporate identity-management systems, such as those from CA (which acquired Arcot Systems) or IBM, to the cloud can seek to connect them to specific cloud providers, if it's supported, in a hybrid arrangement. In addition, Exostar and Covisint fall into a realm now called a "community federation hub" to serve specific types of groups, in this case mainly aerospace, defense, auto manufacturing and healthcare. "It's a collection of users willing to pay for identity services under established federations and SaaS providers," Kreizman said.
There's a stampede of new choices racing into the identity-management market to hook up to the cloud, creating a "volatile market" and even "kind of a Wild West here," said Kreizman.
Among the players are Okta, Clavid, Symplified, Onelogin, Ping Identity (which also offers stand-alone federation software) and Nordic Edge (acquired by Intel). Some traditional identity and access management vendors, including Fisher International, idEntropy, Novell and Lighthouse, are selling packages and services for the benefit of cloud providers and customers.
VMware last August acquired TriCipher with the expectation of giving customers easier controls for SaaS in the future. And RSA technologies are expected to be leveraged in the cloud-trust authentication system that's expected to go into beta soon.
Although identity and access management as a service is still new, Gartner expects this could grow enormously in just a few years, from about 5% of identity and access management sales to as much as 20% by the end of 2012.