Hypervisors that virtualise the compute, networking and storage tiers provide a unique platform for enforcing security policies, VMware executives argued this week at Interop in Las Vegas.
VMware's CTO of networking and security, Martin Casado said there's a fundamental problem in security right now. There are two basic approaches to protecting data today: Controls at the end point of devices, or policies in the infrastructure. Casado says there's an opportunity to create a new security layer that runs through the hypervisor, which sits between those two layers and combines the context of end-user devices with the policy-enforcement capabilities of the underlying hardware.
Casado, along with VMware CEO Pat Gelsinger, presented the idea at Thursday morning's keynote address. The key to enabling this hypervisor-powered security model is to transform the data centre into a software-defined and controlled one, they argued. By virtualising the compute, networking and storage layers using hypervisors, new security policies can be implanted into the hypervisor to protect against the increased challenges and threats in the security landscape.
If implemented, this plan seems to serve VMware's interests. The company is the market-leader for virtualisation with its ESX hypervisor being the leading software for creating virtual machines in the data centre today. During the past two years since Gelsinger took over for former VMware CEO Paul Maritz (who now heads up the spin-out company Pivotal), Gelsinger and VMware have been praising the value of virtualising the rest of the data centre beyond the compute layer. Virtualising the networking, storage and management layers can create the same efficiencies as virtualising compute, Gelsinger has argued. Gelsinger said this "tectonic shift" in the IT landscape from a hardware, client-server focused world to a mobile/cloud, software-defined world is the biggest transformation in IT from the past 30 years.
On Thursday though, VMware made a new argument as to why virtualising the data centre across compute, networking and storage is critical, and it focuses on security. "Security in this era of cloud and software defined data centre is very challenging," Gelsinger said, adding that spending by enterprises on security is increasing, but security breaches and threats are growing even faster. Enterprises are "spending more and falling further behind," he said.
Casado said there is an architectural flaw in how security is currently commonly enforced. Having security controls at the end point, such as on employee devices is like putting the on/off switch for a security alarm on the front of a house. If security controls are enforced at the infrastructure layer then they lack the context of the applications running on the hardware in order to secure it properly, he argues.
That creates what Casado termed the "Goldilocks Zone" for security. In the 1970s, he said, that the term "Goldilocks Zone" was used by astro-scientists to describe the optimal area between the sun and the outer planets to support life. Similarly, the hypervisor, which sits between the applications and the infrastructure, is the prime "Goldilocks Zone" for security.
"We think the hypervisor has the greatest visibility but is also far enough away from the infrastructure," to be the ideal security layer, Casado said. Hypervisors, whether they are in the compute, networking or storage layers, can be aware of the applications that sit above them, while being able to enforce policies, such as creating virtual secure networks, on the infrastructure that sit below it. Hypervisors are in "a good position to provide context and isolation," Casado said.
The VMware executives were scant on the details of how this would all actually work. The keynote address was more of a new argument from VMware as to how virtualising the data centre can be a security benefit, in addition to creating cost and agility efficiencies. But, the company did not discuss how this idea would actually be implemented in its products. Casado and Gelsinger did say VMware will develop this strategy as well as work with partners to provide security-enforcement policies that can run through the hypervisor.