VIRTUALIZATION SECURITY

Virtualization stands to bring enormous cost savings to organizations by (1) streamlining the management of servers, (2) improving the utilization of servers, and (3) reducing the space and electrical power required to run data centers. Our economic environment is only accelerating the adoption of virtualization.

As with all technological advances, virtualization creates new security issues. First, the hypervisor itself represents a new attack surface which must be protected. If an attacker compromises the hypervisor, they control every VM running on that physical host, regardless of the security controls configured inside each guest.

Second, collapsing multiple servers onto a single host running multiple virtual machines (VMs) bypasses the firewall, intrusion prevention and other network protections that sat between those servers before virtualization. Traffic between VMs on the same host passes through the virtual switch and never reaches the physical network, so the existing network security devices are no longer in the data path and are blind to it.

Third, VMware provides features like VMotion and Distributed Resource Scheduler (DRS) which allow for hardware and capacity pooling by enabling VMs to move from physical host to physical host as performance needs dictate. VM provisioning is also very quick and easy. So while virtual environments can scale in a flash, the security policies that control access and suppress malware proliferation cannot, unless the process for applying them is equally automated and scalable. Consequently, the contents of VMs and the applications they host are at high risk from inappropriate access, malicious traffic and poor security posture, in some cases inherited from the template or image a VM was cloned from.

Fourth, due to the dynamic nature of a virtualized environment, ensuring that sensitive data is always protected is much harder. In most virtualized environments, additional VMs for databases are provisioned on demand to meet capacity requirements, and often move over the course of a day to balance workload.

In order to mitigate these new security risks and re-establish regulatory compliance, new solutions are required because the security technologies of the physical world are not appropriate for securing virtualized environments. Physical security solutions are tethered to traditional networking concepts (i.e. physical servers and switches, IP and MAC addresses) which are not reliable VM identifiers in the highly dynamic world of virtualization, and they offer no protection against attacks on the hypervisor itself.

For a layered defense-in-depth architecture, Cymbel recommends two complementary products: (1) a hypervisor-based firewall/IDS, and (2) an agent-based database protection solution.

Hypervisor-based Firewall/IDS Solution

VLAN segmentation and agent-based firewalls both have serious drawbacks, including complex administration, reduced performance, and no protection for the hypervisor itself.

The only viable approach is to leverage VMware's VMsafe APIs and actually reside in the VM host kernel. From there, the virtual firewall can control all traffic into and out of each VM and between VMs, protect the hypervisor and the VMs from malware, and control the applications running in each VM. Cymbel has partnered with Trend Micro for their Enterprise Deep Security solution.

Database Activity Control and Threat Protection

Because VMs for databases are (1) provisioned on demand to meet capacity requirements and (2) easily moved from one server to another, network-based database security cannot be reliably used. Only an agent which runs in the database VM can provide reliable database protection. Ideally the agent will protect against threats such as SQL Injection attacks, provide access control, and provide activity monitoring. Cymbel has partnered with Imperva for their SecureSphere Virtual Appliances.

Database Encryption

Database encryption is another layer of data protection that is well suited to the virtualized data center. The database encryption solution consists of two components:

  • Agent which resides in the VM. On a write, the agent sends the plaintext to the database encryption server and stores the ciphertext it receives back. On a read of an encrypted column, the agent transparently sends the ciphertext to the server for decryption, so the key never enters the database VM.
  • Server which holds the keys and performs all encryption and decryption.

While this may sound intrusive, the process is transparent to applications: it is automated with database triggers, views, and stored procedures, so application queries do not need to change.
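The following is an added example, not SafeNet's product or any code from the original page, showing the trigger-and-view pattern described above on SQLite. A KeyServer object stands in for the encryption server and is the only place the key exists; the agent is a pair of SQL functions, enc() and dec(), plus a view that applications query and INSTEAD OF triggers that encrypt on write. SQLite has no stored procedures, so the user-defined functions take that role. All names (customers, customers_enc, ssn), the sample rows, and the stdlib-only cipher (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, used because the standard library has no AES) are assumptions made for this example; a real server would use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
import sqlite3


class KeyServer:
    """Stand-in for the database encryption server. It holds the key and does
    every encryption/decryption; the database only ever stores ciphertext.
    Cipher (an assumption for this example, not a real product's): HMAC-SHA256
    keystream in counter mode, then an HMAC tag over nonce+ciphertext."""

    def __init__(self, key: bytes):
        # Derive separate keys for the keystream and the tag from the master key.
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: str) -> bytes:
        data = plaintext.encode("utf-8")
        nonce = os.urandom(16)                       # fresh per value
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        body = nonce + ct
        tag = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        return body + tag                            # nonce || ct || tag

    def decrypt(self, blob: bytes) -> str:
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("ciphertext tampered with or wrong key")
        nonce, ct = body[:16], body[16:]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode("utf-8")


def install_agent(conn: sqlite3.Connection, server: KeyServer) -> None:
    """Agent side: enc()/dec() forward to the server; the view and INSTEAD OF
    triggers make the encrypted column transparent to application SQL."""
    conn.create_function("enc", 1, server.encrypt)
    conn.create_function("dec", 1, server.decrypt)
    conn.executescript("""
        CREATE TABLE customers_enc (
            id      INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            ssn_enc BLOB NOT NULL          -- ciphertext only, key never stored here
        );
        -- Applications query this view; dec() is applied on every read.
        CREATE VIEW customers AS
            SELECT id, name, dec(ssn_enc) AS ssn FROM customers_enc;
        -- Writes through the view are intercepted and encrypted with enc().
        CREATE TRIGGER customers_insert INSTEAD OF INSERT ON customers
        BEGIN
            INSERT INTO customers_enc (name, ssn_enc) VALUES (NEW.name, enc(NEW.ssn));
        END;
        CREATE TRIGGER customers_update INSTEAD OF UPDATE ON customers
        BEGIN
            UPDATE customers_enc SET name = NEW.name, ssn_enc = enc(NEW.ssn)
             WHERE id = OLD.id;
        END;
    """)


def demo() -> dict:
    """Run the pattern end to end on constructed sample rows and report what a
    practitioner would check: reads are plaintext through the view, nothing at
    rest is plaintext, and a tampered ciphertext fails closed."""
    server = KeyServer(os.urandom(32))             # key generated on the server side
    conn = sqlite3.connect(":memory:")
    install_agent(conn, server)
    # Constructed sample data; the application writes plaintext to the view.
    conn.executemany("INSERT INTO customers (name, ssn) VALUES (?, ?)",
                     [("alice", "123-45-6789"), ("bob", "987-65-4321")])
    conn.execute("UPDATE customers SET ssn = ? WHERE name = ?", ("111-22-3333", "bob"))
    through_view = conn.execute("SELECT name, ssn FROM customers ORDER BY id").fetchall()
    raw = [r[0] for r in conn.execute("SELECT ssn_enc FROM customers_enc ORDER BY id")]
    plaintext_at_rest = any(b"123-45-6789" in r or b"111-22-3333" in r for r in raw)
    # Flip one ciphertext byte: the tag check makes decryption fail instead of
    # returning garbage to the application.
    tampered = bytearray(raw[0])
    tampered[20] ^= 0x01
    try:
        server.decrypt(bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"through_view": through_view,
            "plaintext_at_rest": plaintext_at_rest,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The point of the view/trigger split is that the application's INSERT, UPDATE and SELECT statements are unchanged while the base table only ever holds ciphertext; a dump of the database file or a direct read of customers_enc yields nothing usable without the server. The same split also means that an attacker who can run SQL as the application still gets plaintext through the view, so this layer complements, rather than replaces, the access control and activity monitoring of the database agent above.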

Cymbel has partnered with SafeNet.