Two weeks ago at the Citrix Synergy conference, McAfee and Citrix announced a strategic partnership and collaboration with a goal of making virtual desktop security simpler and more scalable for large enterprise deployments. McAfee said it was developing a platform and API to provide a framework that would accelerate and address the specific needs of security for virtualised environments. The new platform would allow McAfee to do what it does best: secure customers, keep their data safe, and maximise application performance for virtualised environments.
According to McAfee, security within the virtual machine or guest remains inefficient and resource-intensive, which limits the total number of virtual machines that can be deployed on a single host. This, in turn, challenges the long-term operational expected savings that organizations have hoped to achieve with virtualisation.
While the need for security in a virtual environment is no different than the need in a physical world, the challenge is much different. Trying to place security software on dozens of virtual machines, each of which sits on the same physical server, can lead to unacceptable application performance problems. Giving customers a way to unify security management across physical and virtual infrastructures has been a major driver in McAfee's ongoing strategy.
Candace Worely, GM and SVP of endpoint security at McAfee, said the feedback the company has received from customers primarily in the virtualised world is centred around performance, virtual machine density, and having a single console to manage policies between the physical world and the virtual. Also, performance needs to be achieved without sacrificing security.
"Today, our customers find it difficult to deploy traditional security solutions on their virtual infrastructure, as it directly effects the end-user experience of either the desktop or the server," said Worely. "They face AV storming and cannot schedule security tasks without taking load on the hypervisor into consideration."
Worely went on to say, "As part of the collaboration, McAfee and Citrix plan to jointly develop solutions that will enable enterprises to provide enterprise-class security optimized for XenDesktop. With the growing expansion of VDI deployments, this partnership ensures that the move to virtual systems by CIOs will be secured and not be at risk because they lack effective virtual machine security. In addition, this partnership will also address hypervisor-level security technology for XenClient and XenServer. McAfee's and Citrix Systems' strategic partnership will focus at first on the most urgently needed security aspect, which is protecting the data of the enterprise from malware, viruses, worms, and Trojans, and then progress with additional compliance and management solutions that will need to be optimised and adaptive for the various types of virtual machine configurations, providing security without sacrificing efficiency."
McAfee and Citrix will work together to develop hypervisor-native detection capabilities into Citrix XenClient and Citrix XenServer. McAfee, in turn, will offer its Management of Optimized Virtual Environments (MOVE) platform, an open platform that provides security to virtualized environments. McAfee's MOVE platform will take advantage of these enhanced hypervisor-native capabilities, making it easier to provide security by performing runtime checks on the integrity of each virtual machine.
At the same time, McAfee is also working on its ePolicy Orchestrator platform, which will provide the user interface needed to configure and manage products developed on the MOVE platform. The collaboration will enable the Xen ecosystem, including Xen-based clouds, to offer endpoint security services as a native property of the virtual infrastructure.
The MOVE platform is expected to increase the security options for those investing in virtualisation for the data centre, applications, or desktops. McAfee believes this new platform will accelerate delivery of security solutions by filling the holes that aren't being addressed today. For McAfee and partners, MOVE will ensure that the solutions are optimised for performance within virtual deployments, that the programming interface is sound and secure by being thoroughly tested and verified, and that the platform allows a common path to develop to all of the major virtualisation vendors.
Thinking about all of this, one question pops into my head: When it gets right down to it, how does this announcement address virtualisation security challenges differently than VMware's VMsafe announcement made back in February 2008 during VMworld Europe? Wasn't VMware exposing an API to third-party companies to provide for security? And wasn't McAfee signed up as a VMsafe partner?
McAfee's Worely said that unlike the VMware VMsafe solution, the Citrix/McAfee platform will be open and hypervisor-agnostic. She said the platform is being designed to secure XenDesktop deployments on the three leading hypervisors: Citrix XenServer , Microsoft Hyper-V, and VMware ESX. McAfee is doing this in part because their customers have told them they plan to have heterogeneous environments when it comes to hypervisors, and they would like McAfee to offer the same solution that works in a mixed environment. VMsafe, on the other hand, works with VMware ESX or vSphere environments only.
Simon Crosby, CTO of the Data Centre and Cloud Division at Citrix, said that VMware's VMsafe 1.0 initiative has yet to deliver any substantially new solutions in the area of security. VMsafe 1.0 offers APIs that allow "helper" virtual appliances to gain access to network packets traversing the virtual switch, block I/O traffic to/from storage, and guest virtual machine memory. But Crosby doesn't believe that VMsafe or any other initiative currently out there addresses the key challenges in virtualised security, which are the following:
- An optimised virtual infrastructure security service that is hypervisor-independent
- A hypervisor-native detection service that enables a quantum leap forward in secure virtualization, expressed via an open API to third-party detection and remediation tools such as McAfee's
Instead, Crosby said, "The technology we are pursuing is entirely different from, and vastly superior to, the memory inspection APIs that VMsafe offers today. Poking about in memory in the hope of finding an attacker is a bit like looking for the proverbial needle in a haystack, but with the additional complication that the needle can be split into many parts and can disguise itself as a piece of straw. Our technology offers a much richer interface and a positive attestation as to the state of the guest. This is critically important at a time when rapidly self-modifying attacks are making the job of attack detection increasingly difficult."
On the other hand, Dave Bartoletti, a senior analyst at The Taneja Group, told InfoWorld that he is hearing quite a bit about VMsafe from the security vendors that he speaks with on a regular basis.
"It's just taken some time to leverage VMsafe's introspection within existing products (many of which have been around for a long time)," said Bartoletti in an email exchange.
Looking ahead, Bartoletti added, "Several players are planning more detailed announcements in the next few months. I think it hasn't been obvious exactly how to integrate VMsafe's visibility into these existing products; the entire subject of virtualization security is still a fraught one. It's a push-pull problem ... do we proactively push it as very important, or let our customers tell us when it's important to them?"
When asked about the Citrix/McAfee announcement, Bartoletti said he believed it's just a validation that something better was needed. He stated, "Citrix calls out weaknesses of VMsafe at the endpoints (of course), and claims that VMware muddies the waters by providing a security API as well as security products (vShield Zones). OK. So, in response, Citrix will provide an API and their partner McAfee will provide products. But the Citrix/McAfee solution will be open, standards-based, hypervisor-agnostic, etc. -- all the dog-whistle words that mean, 'not VMware.'"
He then tried to shine a light on things by saying this latest announcement is more of the same types of tactics as was used to differentiate StorageLink APIs from vStorage APIs, but said it certainly is not without merit.
"You either need a hypervisor-agnostic solution (and buy the claim of openness), or you don't, but the market should offer both," said Bartoletti. "The cloud service providers are probably the most receptive audience to this message. Further, Citrix claims they are approaching security with technologies far better than VMware's - well, bold claims demand dramatic results, so I'm eager to see them. We've got to do a better job of securing virtual resources as we come to depend on them everywhere, so this kind of competition can only bring goodness."
Whether you buy into VMware's solution or the joint solution between Citrix and McAfee, one thing is certain: We need a better way to provide security at the virtualised endpoints besides installing the same old antivirus software within the virtual machine or guest operating system.