Virtualisation requires new security models: Quane

Traditional security models are slowing down virtualised environments and creating an untenable management burden as aggressive cloud-computing adopters skimp on security to ensure they don’t become victims of their own virtualisation success, a security executive has warned.

Speaking to attendees at the Evolve.Cloud cloud-security conference in Melbourne, Steve Quane, chief product officer and executive vice president with security vendor Trend Micro, said many companies had rushed into server and desktop virtualisation with the best of intentions – but quickly found themselves in trouble as conventional scanning-based security architectures created competition for finite server resources.

In the absence of an architecture that can accommodate the architectural differences of a virtual environment – namely, that large numbers of virtual machines will initiate CPU and hard disk-draining security scans without regard for other VMs simultaneously doing the same – the result is often severely compromised performance that negates the business value of the virtual infrastructure.

“They’re all reaching into the same infrastructure that is now shared,” Quane explained, “as if it was their own in the old physical world. We’ve seen that very quickly, traditional security architectures started bringing virtual security architectures to a halt. All the benefits of increased density, increased performance, and lower capex and opex, started disappearing when customers deployed security.”

In an organisation that may have just spent millions on a server virtualisation project, Quane warned, poor performance can put IT executives in a difficult situation; many simply disable security altogether and hope for the best.

Performance isn't the only problem: keeping security consistent in such virtual environments has proved problematic, with many companies having to take on more technical staff just to keep up with the management of hundreds or thousands of virtual machines. “They’re boosting head count to deal with things as simple as vulnerability patching,” Quane said. “Watching the evolution of the physical to virtual transition, we see this problem getting worse and worse.”

Granular security

Although tools for managing virtual environments are steadily maturing to help overcome some of these issues, the complexity of managing security in virtual – and increasingly mobile – environments is leading many vendors and customers to consider a different security approach altogether.

Rather than relying on broad security architectures to protect all manner of different devices stored in internal and external clouds, Quane foresees a growing shift towards data encryption and the use of virtualisation to sequester business-sensitive workloads. For example, a financial-services organisation might use encrypted virtual servers to cordon off systems related to its PCI DSS compliance, which is necessary for any company handling sensitive financial information such as credit card details.

While encrypting virtual machines will provide some measure of protection, however, other organisations are adapting to the virtual and increasingly mobile environment by moving their focus towards encrypting the data itself – using one or many encryption keys that are stored separately to the data.

This approach would overcome issues with data privacy, particularly given ongoing concerns that public clouds are inherently problematic places to store sensitive information. By encrypting the data and storing the encryption keys out of the cloud, companies can retain control over their information no matter what architecture they adopt – or where the encrypted data ends up.

"Encryption has been around forever, but the ability to deploy it in a virtualised environment offers new possibilities for companies," Quane said. "Not only can companies keep departments like HR, finance, and engineering separate – but they can ensure compliance for specific applications in a private cloud infrastructure."

"When you move to that modular architecture, the true benefit of this approach is the flexibility to use whatever computing infrastructure you want, with the same security posture. It enables you to not only get the business benefits of virtualisation and the cloud, but provides the ability to securely move in and out of the cloud depending on your business needs. We've already seen hundreds of customers move to this architecture and get those benefits."

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Copyright © 2012 IDG Communications, Inc.

The 10 most powerful cybersecurity companies