Analytics Summary: VMware Security

ENTER THE VMSAFE
In February, VMware announced an official API for ESX hypervisor security under its VMsafe program, aiming to provide a common toolset for monitoring traffic through the hypervisor, making hosts a touch more transparent. The list of backers reads like a who's who of security vendors and includes everyone from big guns to virtualization security specialists.

VMsafe enables third-party security products to gain visibility, using ties to the ESX hypervisor, into the operation of a virtual machine to identify and eliminate malware, such as viruses, Trojans, and key-loggers. Security vendors can leverage VMsafe to detect and eliminate malware that is undetectable on physical machines.

VMware's pitch implies that VMs running in a VMsafe ESX host are actually safer than physical servers because of process monitoring and inspection techniques that can occur, thanks to the abstraction of guest operating systems. Visibility into hypervisor activity provides the opportunity for revolutionary observation and analysis tools for security vendors.

VMware says VMsafe includes sharing an "open, interoperable, and cross-platform set of technologies with partners so they can provide innovative security solutions." "Open" in this case refers to compatibility of products within the VMware ecosystem; applications from diverse third-party vendors should play well with others, as long as all apps are written to spec. VMsafe should provide customers with better security, granularity, visibility, correlation, and scalability in virtual machine deployments. VMsafe integration allows third-party security tools to monitor VM memory pages and CPU states; enables filtering of packets within the virtual network, both to the hypervisor and intrahost connections between VMs; provides in-guest, in-process APIs for complete monitoring and control of process execution; and allows for storage control for guest VM disk files.

Current VMsafe partners are Altor Networks, Apani, BigFix, BlueLane, Catbird, Cenzic, Check Point, Configuresoft, F5, Fortinet, Fortisphere, IBM, Imperva, Kaspersky Lab, McAfee, Montego Networks, Reflex Security, RSA, Secure Computing, Shavlik, Solidcore, Sophos, Symantec, Third Brigade, and Trend Micro.

So just how safe is VMsafe going to make us? Time will tell. While a number of capable virtualization security products already are on the market, and most of those vendors are VMsafe partners, as of early June, VMware and its partner companies had yet to produce a security product to the VMsafe specifications.

Still, we should see something soon. In every case, interviews with representatives from VMware, Symantec, Fortisphere, and Reflex Security showed a strong, almost obsessive, drive to get products to market.

It's encouraging that VMware is partnering with a wide range of companies, from small startups with niche, virtualization-centric security products to large, established vendors. We've been critical over the past few years concerning the absence of VM integration with enterprise-level security tools--and the seeming apathy of vendors in this regard. In hindsight, it's clear that established security players such as McAfee, Symantec, and Sophos were reluctant to invest heavily in potentially proprietary hooks for securing VMware; VMsafe provides vendors with a standard API, and customers with a level of confidence for investment. Still, 30% of respondents to our survey say they won't make any virtualization-security-specific purchase in fiscal year 2009. Fifty-eight percent will make only minor investments in virtualization security, planning to spend less than $50,000 on VM-specific tools over the next year.

That sounds about right to us. Unless you have a clearly identified risk associated with your ESX environments, we recommend holding off on making large-scale virtualization-specific security investments. A fiscally conservative and targeted approach makes sense until VMsafe is fully baked.