Fundamentals: Next-Generation VM Security

Jun 11, 2012


Unintended Consequences

Virtualization is now standard operating procedure, moving servers from big boxes dedicated to a single application to powerful systems capable of hosting a dozen or more simultaneous applications. But virtualization also breaks security assumptions and defense mechanisms in several ways: It hinders visibility and control, creates new avenues of attack, increases network size and complexity, and blurs managerial and administrative roles between network and server operations teams.

But the security story isn't all doom and gloom. Virtualization also presents abundant opportunities (many of them admittedly still theoretical) for improving security. Virtual software appliances that mimic the functionality of traditional hardware devices offer far more deployment options, while security software embedded in the hypervisor can provide fine-grained control and monitoring of application and network activity. For PC clients, virtual desktop infrastructure (VDI) can rein in chaotic PC environments, making it easier to keep devices securely configured and consistently patched. And, as we'll see, virtualized endpoint anti-malware, which runs efficiently and directly in the hypervisor, obviates the need for separate antivirus suites on every desktop.

In this report, we'll examine the state of virtual machine security and look at the ways virtualization breaks traditional security models. We'll discuss how the industry has responded with new security technologies, provide an overview of the most significant products and offer advice on ensuring that virtualization doesn't unintentionally compromise your security profile. (S5200612)

Research Report