SAN FRANCISCO -- Should the code running a virtual machine be as robust as a desktop operating system or thin and transparent? That question was debated Thursday at the 2009 RSA Conference.
Simon Crosby, chief technology officer of Citrix Systems Inc., has been an ardent supporter of a lightweight hypervisor. Crosby said fewer lines of code translates into fewer opportunities for an attacker to exploit vulnerabilities.
"It's not about VMs, it's about applications and how they're comprised," Crosby said. "We need a whole bunch of [security] around an app, not a VM."
Meanwhile, network security expert and cloud computing blogger Chris Hoff, who serves as technical director of the Cloud Security Alliance, and Stephen Herrod, chief technology officer of VMware Inc., defended a more robust hypervisor, one capable of detecting and defending itself against attacks with the help of third-party security products.
"When you actually deploy VMs today, you need tools for doing it right," Herrod said. "We have a unique opportunity to change the way we're doing security."
VMware announced Thursday that it would embed RSA's data loss prevention (DLP) technology into vSphere, the latest version of its virtualization platform. The plan also calls for integrating RSA's encryption technology into the platform. Also this week VMware launched its API program, VMsafe, inviting other vendors to produce security tools that can access the hypervisor to better secure the virtual environment.
"From a security perspective, it makes me nervous to think about running third-party code in somebody's hypervisor," Hoff said. "But I see VMsafe as being a long-term set of opportunities for customers to balance the trade-offs inherent in this emerging technology… what we have on the other side are community efforts that aren't as robust today."
Crosby said the biggest benefit to Citrix users is that the source code of its XenServer server virtualization software is open and available for inspection. He said VMware's proprietary software isn't as battle-tested because it hasn't been vetted by a large open source community.
"The Xen hypervisor runs in the world's biggest cloud and it has been attacked with everything you can think of," Crosby said. "It's a good way to learn what you can do in an open way and incorporate that into a more secure client for the industry."

Hoff warned that companies need to plan for rapid changes to virtualization technology or risk being blindsided by the advancements. He urged attendees to use the configuration guidelines outlined by the vendors and said industry groups, such as the Cloud Security Alliance and others, will offer helpful guidance on control processes, visibility and management issues.
Crosby agreed, saying the software virtual switch will likely become a hardware function in the next 18 months. He said companies using virtual servers should engage their vendors and make sure they are heading down the right path. Ultimately the debate over which vendor has the right virtualization security strategy could be driven by industry groups and the vendor with the most market presence, said panel moderator Andreas Antonopoulos, senior vice president and founding partner with Mokena, Ill.-based Nemertes Research.
"The industry is not settled," Antonopoulos said. "There's plenty of innovation happening and we're going to have to have this discussion again a year from now."