Mental Ward


VMsafe Moves Security to Center Stage

So, do you feel VMsafer now? VMware announced last week its latest security product, called VMsafe. VMsafe works at the hypervisor level, providing APIs for third-party developers that allow them to access VMs in a way not possible before.

VMware describes its functionality well on a product page: "VMsafe enables third-party security products to gain the same visibility as the hypervisor into the operation of a virtual machine to identify and eliminate malware, such as viruses, trojans and key-loggers." This, of course, is a very, very good thing.

A strong list of security companies and other vendors has already signed up for the program, including Shavlik, Kaspersky, IBM, Catbird, McAfee, F5, Symantec and more. They'll quickly integrate VMsafe into their products, giving virtualization admins a lot more peace of mind. VMware itself has promised to bake VMsafe into future versions of VMware Infrastructure.

This Network World story on VMsafe brings up a good point about malware vs. security software in a virtualized environment:

"Previously, security software really had no advantage over malware that's infiltrated a virtualized server, says Parag Patel, vice president of alliances at VMware. The visibility into the hypervisor afforded by the VMsafe APIs gives security software a higher degree of privilege than malware."

Initially, VMware has said VMsafe will work with ESX Server, its flagship hypervisor. I haven't been able to determine if it will work with ESX 3i, the embedded hypervisor going out with certain servers from IBM, Dell, HP, Fujitsu and others, as announced last week. I've got a query into VMware now; I'll update this when I get a response.

This vendor partnering should mean quick adoption of VMsafe; it's also a subtle reminder that virtualization isn't a bulletproof technology. Certainly, there are a number of inherent security benefits of virtualization: for instance, keeping applications in a bubble, through application virtualization, means any viruses in the programs won't spread from server to server; it also keeps them from interfering with each other and causing system instability. In addition, using a Web browser in a VM means security from Internet malware. There are many more, too.

But virtualization also introduces new issues. With the ease of creating and updating new servers comes the danger that a virus that slips in through a patch, for example, will infect 5,000 virtual servers, instead of just 200 physical servers. It's also my anecdotal experience that admins don't spend much time on virtualization security. Having these third-party products include VMsafe means that shops which use them -- which is most, since almost every datacenter has a third-party security product or suite -- will now get a version of that product that includes VM security (at least those that use VMware).

This is a very positive, very needed step by VMware. As of yet, no dates have been released as to when VMsafe will be available. We'll be doing our part in the fight for better virtualization security, too, including lots of security coverage in the upcoming magazine and here on the Website.

Posted by Keith Ward on 03/03/2008 at 12:48 PM

