Availability, reliability and security are the top three concerns for business information systems managers.
However, these terms keep changing in meaning to reflect the underlying changes in technology. For instance, on migration to the cloud from self-hosted systems, the very definition of security is altered.
For business critical systems, availability changes from your staff’s access to data to the provision of data on mobile apps as you improve your focus on customer service. In such an environment, scalable, platform-independent architectures will help you stay productive while managing costs.
The flexibility, scalability and cost-effectiveness offered by cloud-based virtual environments are attractive. However, security concerns can dampen enthusiasm for adoption. But are the concerns justified? And if they are justifiable, can the risks be managed?
Security concerns on virtualized workloads
Security is essential in any business environment, and doubly so for business-critical information systems. As such, it is reasonable to expect virtualization systems providers to factor in security. Such expectations are fully justifiable and satisfied to different extents in various virtualization technologies.
Traditionally, with physical servers hosted on premises and using fixed physical infrastructure, those charged with IT systems management have detailed information on the traffic and usage of various resources. But in virtualized environments, the same abstraction that makes such environments flexible and scalable reduces control over traffic flowing into and amongst virtual machines on the same physical architecture. The reduction of oversight and control is directly related to the virtualization approach chosen.
Security concerns and virtualization approaches
Your driving habits are inextricably linked with the likelihood of you having an accident. Similarly, the approach used to implement virtualization has implications on the overall security of your installation.
Operating System based virtualization
In this case, virtualization is implemented on a host operating system (OS) that allows for multiple virtualized guest operating systems. This allows one physical server to function as multiple virtual servers. The beauty of this approach is its simplicity. However, therein lies the rub. The virtual machines are easily compromised if the host OS is compromised.
There is no major difference between application-based and OS-based virtualization. Both are based on having a host OS. As such, they share the same security issues.
VMware is a prime example of hypervisor-based virtualization software. It is also called bare-metal virtualization since the hypervisor runs directly on the hardware, abstracting hardware details from the VMs installed on it. In terms of security, it is the closest one can get to ideal security on virtual machines. This does not imply that there are no security concerns.
At boot time, the hypervisor runs first, directly off the hardware, and starts various VMs. Some of the VMs started run on privileged partitions that make them able to control aspects of other VMs on the same physical server. Tricky? Not really. What this means is that VMware supports several layers of virtualization.
For instance, you can have storage virtualization on top of the hypervisor as a privileged layer. In such a setup, you’ll then run the operating systems that use the virtualized storage as an additional layer of abstraction.
This architecture establishes the most controllable and secure virtualization environment. It allows for the use of security tools such as intrusion detection systems and advanced system audit tools. It suffers the same weaknesses as OS-based virtualization. However, an intruder has the extremely hard but not impossible task of taking control of a hypervisor from the machine level.
But even if security is implemented at the hypervisor level, insecure applications can leak data and code, compromising the running systems. In response, VMware security has been hardened to cope with this threat. Instead of the usual defensive approach that relies on system admins to detect threats, VMware introduced the novel AppDefense.
It works by monitoring changes on applications that indicate threats. When such threats are detected, AppDefense responds automatically. It stops the app or sandboxes it, then alerts the system admin. AppDefense alerts are only raised when an actual threat has been detected. This next-gen VMware security allows the admins managing the system to stay productive by focusing on actual threats instead of routine system monitoring.
VMware takes security so seriously that they didn’t stop at AppDefense. The latest version of VMware has another groundbreaking security innovation. VMware NSX is the first system to provide economically feasible micro-segmentation for software-defined data centers. This new approach allows segmentation, isolation and advanced services. For the first time, virtualized environments can control security down to the virtual NIC level, ensuring fine-tuned, granular access control and monitoring.
VMware security myths
Lack of an in-depth understanding of the technical details of virtualization is the main reason virtualization security myths have lasted. As I have been at pains to show in the preceding section, the very architecture chosen for virtualization implementation determines the security of the system, with the hypervisor-based approach being the most secure. But how do you stay productive and improve your focus on system availability in a virtualized environment?
Myth 1: The cloud cannot be adequately secured
We have comprehensively addressed this in the preceding sections, specifically when addressing the various architectural approaches to virtualization. Some of you have not yet migrated to the cloud because you have security concerns about the migration. If you’re one of them, you should know that the virtualization architecture has profound implications for security.
On the other hand, not even your current system is totally secure. Information systems security is a trade-off between usability, cost and availability. The cost of security should not exceed the cost of the information being secured. As such, not migrating to the cloud due to security concerns is a cost that you should factor in. Furthermore, it’s a myth that the hybrid cloud is a compelling counterpoint to the cloud. It hits the sweet spot between the convenience of the cloud and security of on-premise data centers.
Myth 2: Cloud security is a new issue
Physical, virtual, or cloud, no matter what your system architecture is, you cannot wish away security. Ever heard the saying there is nothing new under the sun? It aptly applies to information systems security since the protection of your enterprise infrastructure and data has always been a priority. When you migrate to the cloud, you just need to invest in cloud security systems and update your governance structures to reflect the same.
Myth 3: Security is equivalent to compliance
This is another completely unfounded and widely spread myth. It is not confined to security. Even so, enterprises tend to behave as if certification is an end in itself and not a means to an end. Certification is more about meeting standards and less about achievements. In fact, where security is concerned, it can be taken as a snapshot of security at the moment of certification. As such, it becomes outdated around the same time it is issued. You need to think about security in the same terms as user support: a task that is never done.
It is essential for enterprises wishing to improve their focus on service delivery in a digital, on-the-go world to migrate to the cloud. However, adoption is inhibited by security concerns, some of which are valid considering the shared physical infrastructure that powers public clouds. Even so, there are reasonable precautions and moves that, if taken, can ensure your cloud-based systems and data are equally, if not more, secure than their on-premise equivalents.