By Mark Bermingham
Organizations are often in a hurry to embrace the business benefits of virtualization, including:
- Energy and IT cost savings
- Improved server provisioning
- Simplified application deployment
- Improved disaster recovery
- Decreased hardware costs
- Minimized space requirements
- Increased reliability
- Centralized management and monitoring tools
- Rapid launch of new services
- An easily-scalable IT infrastructure
Unfortunately, as the prevalence of virtualization grows, cybercriminals are increasingly looking at virtual environments as a ripe frontier for launching attacks. While today’s organizations recognize the importance of securing their virtual environment, many IT professionals don’t know that specialized security solutions have been designed to deliver both security and efficiency for virtual environments.
This sentiment was echoed in a recent Kaspersky Lab survey of nearly 4,500 worldwide IT professionals that found that 64% agreed that security should be a primary consideration when rolling out virtual infrastructure. The survey also found that around one out of every four enterprises said that securing virtualization infrastructure is one of their most important security priorities for the next 12 months. However, while many companies are focusing on virtualization security initiatives, it is concerning to find that one out of every four IT security experts has little to no understanding of their virtualization security options.
For virtualization security, there is no ‘one size fits all’ solution – and trying to fit your organization’s needs and unique architecture into a solution that isn’t purpose-built for virtualization may not be the most effective security solution. It’s critical to understand that multiple options exist and organizations need to perform some due diligence to evaluate them.
This article describes the different virtualization security solution options—conventional agent-based, agentless and light agent—as well as possible scenarios for aligning the right security approach to your organization’s virtual environment.
Going Traditional with Agent-Based Security
The traditional approach to virtual infrastructure security differs little from the methods used to protect physical environments. After all, the procurement, licenses, training and other expertise for conventional security solutions are already in place. And the majority of leading security solutions offer some level of virtualization security through capabilities such as database updates and security scan randomization that are specifically designed with virtual systems efficiency in mind.
While these ‘virtualization aware’ technologies promise efficient resource consumption, the reality is often far different. To do their job, agent-based security solutions need the latest updates. They also need to inspect large archives and other files to make sure they’re clean. And to do this, they have to unpack bulky files into memory. None of this is a problem for a physical machine, but once you jump into a virtualized environment where you have 50, 100 or 150+ virtual machines (VMs) sitting on the same server, and all of them are looking for the additional resources at the same time, the entire virtual environment can come to a grinding halt.
The ever-growing number of threats doesn’t help either. Known threats are identified via ‘signatures’ stored in a security solution database the same way police forces store criminal records. With the exponential growth of malware, database sizes have also expanded. Again, this is typically not an issue for physical machines, but for VMs sharing the same storage, the total space occupied by definition databases stored redundantly on each and every VM becomes a significant resource burden as environments begin to scale.
If scaled for virtual environments, the traditional agent-based approach to security introduces inefficiencies and problems that impact storage, RAM, IOPS and CPU cycles. This leads to undesirable effects that run counter to the efficiency objectives of virtual environments, including poor performance, increased latency, VM unresponsiveness and increased hardware costs.
The Agentless Approach: Addressing VM Efficiency
When VMware recognized the shortcomings of a traditional agent-based approach, they introduced an intelligent API-based architecture. This architecture leverages a security check relay mechanism, allowing the burden of agent storage and file scanning tasks to be off-loaded from the VM to a dedicated “Virtual Appliance” (VA) deployed at the physical host level. A thin agent/driver inside each VM interacts with this VA to obtain file verdicts. In VMware, this mechanism is called vShield. Using this architecture, new or long-dormant VMs are instantly protected by the latest signature database on the VA. The need to deploy a full agent on every VM is eliminated, as only a single copy of the definition database per host is required. The VA is continuously active and updating, delivering instant, efficient protection to every VM on the host and promoting VM density.
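To make the relay mechanism concrete, here is an added toy model (not vShield or any vendor's code; the VirtualAppliance and ThinAgent classes and the sample file contents are assumptions) in which one per-host appliance holds the only signature database and the thin agents merely hash files and ask it for verdicts. It shows the two properties the text claims: a boot storm of identical VMs costs one database lookup, and a VM that was dormant during an update is protected by the new signatures as soon as it asks.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class VirtualAppliance:
    """Per-host VA: the host's single signature DB plus a verdict cache (assumed model)."""
    db_version: int
    signatures: set                      # digests of known-bad content; constructed data
    verdict_cache: dict = field(default_factory=dict)
    db_lookups: int = 0                  # counts real DB work, to show the relay's savings

    def scan(self, digest: str) -> str:
        key = (self.db_version, digest)  # cache per DB version: updates never serve stale verdicts
        if key not in self.verdict_cache:
            self.db_lookups += 1
            self.verdict_cache[key] = "malicious" if digest in self.signatures else "clean"
        return self.verdict_cache[key]

    def update(self, new_signatures: set) -> None:
        self.db_version += 1             # one update on the VA covers every VM on the host
        self.signatures |= new_signatures

class ThinAgent:
    """Runs inside a VM: no DB, no unpacking; it hashes the file and relays it to the VA."""
    def __init__(self, vm_name: str, va: VirtualAppliance) -> None:
        self.vm_name, self.va = vm_name, va
    def check_file(self, content: bytes) -> str:
        # Only file content reaches the VA: no OS-level or user-facing behaviour is possible here.
        return self.va.scan(sha256(content))

def simulate(vm_count: int = 100) -> dict:
    """Boot storm: every VM scans the same golden-image file; one DB lookup serves all of them."""
    known_bad = b"CONSTRUCTED malicious sample"
    newly_seen = b"CONSTRUCTED sample unknown until the next update"
    image_file = b"CONSTRUCTED file shared by every VM cloned from the image"
    va = VirtualAppliance(db_version=1, signatures={sha256(known_bad)})
    agents = [ThinAgent(f"vm{i}", va) for i in range(vm_count)]
    boot_verdicts = {a.check_file(image_file) for a in agents}
    lookups_after_boot = va.db_lookups                # 1, not vm_count
    before_update = agents[0].check_file(newly_seen)  # "clean": not in the DB yet
    va.update({sha256(newly_seen)})
    # A VM dormant during the update still gets the new verdict: the DB lives on the VA, not in it.
    after_update = ThinAgent("dormant-vm", va).check_file(newly_seen)
    return {"boot_verdicts": boot_verdicts, "lookups_after_boot": lookups_after_boot,
            "known_bad": agents[1].check_file(known_bad),
            "before_update": before_update, "after_update": after_update}
```

The model deliberately stops at file content, which mirrors the limitation discussed next: a relay that only ever sees hashes cannot notify a user or observe process behaviour.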
There are downsides to this approach, however, including the fact that the technology is only available for VMware environments. It’s also limited to file scanning tasks and does not support user interaction or operation at the OS level. This can lead to end-user frustration when, for example, vShield blocks an application without explanation or notification.
Because vShield is unable to support the latest security technologies, such as anti-exploit techniques, system watchers, and application, device and web controls, vShield-enabled solutions have the additional drawback of requiring a trade-off between security, ease of deployment and VM density.
Light Agent Security: The Best of Both Worlds?
Agentless security solutions work well in tightly controlled data center environments where servers are performing work that doesn’t require a constant connection to the internet, reducing the attack surface. Virtual desktop infrastructures (VDI), on the other hand, have a higher risk profile and require the most advanced security that vendors can provide. This has led to the development of another class of virtualization security solutions: light agents. Light agent technology combines the strengths of conventional, agent-based solutions and their vShield-enabled alternative. Efficient resource use is enabled through the offloading of heavy signature databases, signature scanning and heuristic scanning tasks to a Virtual Security Appliance (VSA), while every VM runs a small piece of software (the light agent) that enables both user notification and the use of advanced security technologies and controls.
Light agent solutions are marginally more complex and resource-heavy than their agentless counterparts, but deployment is easily automated. More importantly, light agent technology is not vShield-dependent. It is completely vendor-agnostic and can be used in mixed virtual environments.
While Kaspersky Lab’s recent survey found that IT security professionals may not have a clear understanding of the different virtualization security approaches that are available – only one out of every three IT security experts has a clear understanding of light agent and agent-based virtualization solutions, and only one out of every four understands agentless virtualization security – organizations are going to take the necessary steps to implement security in their virtual environments over the next year. As a result, knowing what the options are and identifying the right security approach is a critical first step to securing an organization’s virtual environment.