Cloud Computing and Virtual Security Barriers

Many of my recent blogs at Archimedius have talked about cloud computing from a macro economic perspective. They have included anecdotes about small towns mixed in with lessons from world economic history.  Now let’s talk about why every company with an IT operations department still hasn't flown into the clouds to save money and enhance agility. 

A farm made up of racks and stacks of hypervisors is incredibly cost efficient, and can allow servers to be brought up and down on short notice in order to scale to meet user demand.  That kind of flexibility is a powerful IT operations enabler, especially for businesses with significant user load spikes. 

Without virtualization (or cloud computing) organizations have to overprovision servers to support peak; they even keep unused servers running simply to ensure system availability for potential peak usage.  That consumes plenty of extra electricity, causing crowding and data center expansion for many enterprises, and has increased real estate expenses.

If server farms around the world were interconnected in a massive cloud, servers could chase cheap power and only consume electricity when needed.  That would be a massive boost in server efficiency and reduction in energy consumption, as articulated in Follow the Moon (or whatever).

Yet despite the opportunities to go cloud there are still technical hurdles - of which is virtualization security. Sharing processing power among many organizations, applications, etc would require a new level of security enforcement well beyond the systems in use today to protect physical servers.  Most of these were created to protect known, static servers and were deployed at an outer perimeter.  Very few are capable of looking at traffic inside a hypervisor and protecting virtual servers [VMs] from each other.  Many use older deep packet inspection engines to scan traffic for growing lists of attack signatures, which is very compute intensive, which means sizable hypervisor resources being tied up in security tasks.

Because these solutions are compute, intensive enterprises would have to create elaborate hairpins between hypervisors, agents and multiple hardware security appliances in order to properly protect the hypervisor layer.

As a result, most enterprises that have virtualized portions of their production data centers have implemented what I’ve called virtualization-lite.  There is very little flexibility and cost savings with virtualization-lite relative to virtualization and cloud computing, but it’s the most common response to the protection of VMs by older network security equipment.   

Virtualization security is therefore one of the factors restricting the benefits of data center virtualization, and would be an even a larger impediment to cloud computing; the benefits of clouds depend on higher levels of flexibility and server motion.

The established network security and virtualization players need to tackle this issue in order to drive the wider adoption of virtualization and cloud computing.  They need to deliver deeper, more robust hypervisor inspection, and traffic management capabilities, without having to resort to hypervisor hogging and movement restrictions driven by multiple, specialized security agents or elaborate appliance hairpins.

There is no doubt that the major players will eventually deliver on their promise of a virtsec solution that is both elegant and comprehensive.  Technologies have now come to market that address the unique requirements of VM security and hypervisor layer enforcement.  The key is their rate of adoption into mainstream virtualization projects.  According to security expert, Mike Rothman that adoption will take years.  Yet the virtualization, security and cloud computing players could reap massive gains because of cloud computing.  They could establish leadership and considerable revenue momentum as the world’s data centers are re-architected.

Yet the market will have to walk before servers can fly.

Disclosure: None