Virtualisation requires new security models: Quane

Traditional security models are slowing down virtualised environments and creating an untenable management burden, and aggressive cloud-computing adopters are responding by skimping on security rather than let it erode the gains of their virtualisation projects, a security executive has warned.

Speaking to attendees at the Evolve.Cloud cloud-security conference in Melbourne, Steve Quane, chief product officer and executive vice president with security vendor Trend Micro, said many companies had rushed into server and desktop virtualisation with the best of intentions, but quickly found themselves in trouble as conventional per-machine scanning security architectures set their guest VMs competing for the finite CPU and disk resources of the shared host.

Without an architecture that accounts for the key difference of a virtual environment (many virtual machines share one host, and each will launch CPU- and disk-intensive security scans without regard for the other VMs doing the same at the same moment, the so-called "AV storm" that scheduled scans on identical default timers produce), the result is often severely degraded performance that negates the business value of the virtual infrastructure.

“They’re all reaching into the same infrastructure that is now shared,” Quane explained, “as if it was their own in the old physical world. We’ve seen that very quickly, traditional security architectures started bringing virtual security architectures to a halt. All the benefits of increased density, increased performance, and lower capex and opex, started disappearing when customers deployed security.”

In an organisation that may have just spent millions on a server virtualisation project, Quane warned, poor performance can put IT executives in a difficult situation; many simply disable security altogether and hope for the best.

Performance isn't the only problem: keeping security consistent in such virtual environments has proved problematic, with many companies having to take on more technical staff just to keep up with the management of hundreds or thousands of virtual machines. “They’re boosting head count to deal with things as simple as vulnerability patching,” Quane said. “Watching the evolution of the physical to virtual transition, we see this problem getting worse and worse.”

Granular security

Although tools for managing virtual environments are steadily maturing to help overcome some of these issues, the complexity of managing security in virtual – and increasingly mobile – environments is leading many vendors and customers to consider a different security approach altogether.

Rather than relying on broad security architectures to protect all manner of different workloads running in internal and external clouds, Quane foresees a growing shift towards data encryption and the use of virtualisation to sequester business-sensitive workloads. For example, a financial-services organisation might use encrypted virtual servers to cordon off the systems in scope for PCI DSS, the standard that applies to any organisation that stores, processes or transmits payment-card data. The check a practitioner would add is that this only narrows PCI DSS scope if the cardholder-data environment is genuinely isolated from the rest of the estate by network and access controls, not merely encrypted.

Encrypting virtual machines provides some protection, but only for images and disks at rest: a running guest that has been compromised, or an administrator with control of the hypervisor, still sees the data in the clear. Other organisations are therefore adapting to the virtual and increasingly mobile environment by moving their focus to encrypting the data itself, using one or many encryption keys that are stored separately from the data.

This approach addresses data-privacy concerns, particularly the persistent view that public clouds are inherently risky places to store sensitive information. With the data encrypted and the keys held outside the cloud, a company retains control of its information whatever architecture it adopts and wherever the encrypted copies end up: the provider, or anyone who obtains a copy of the storage, holds only ciphertext, and destroying the keys renders every replica unreadable. The caveat is that the data still has to be decrypted somewhere to be used, so whichever workload is handed the key becomes the new boundary to protect, and key management (generation, access control, rotation and backup) becomes the critical operational task.
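The key-separation scheme described above, worked through as an added example rather than anything from the article or from Trend Micro's products: envelope encryption in Go's standard library, where each stored object is encrypted under its own data-encryption key (DEK) and only that DEK is wrapped under a key-encryption key (KEK) that stays on-premises. The cloud stores ciphertext plus wrapped DEK and never sees the KEK. The object identifier, key sizes and the sample record are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is the only thing that leaves the organisation: the
// ciphertext plus its DEK wrapped under a KEK that never leaves the
// on-premises key store. Both blobs are AES-256-GCM, nonce prepended.
type EncryptedObject struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad
// into the authentication tag. Output layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to key, nonce, ciphertext or aad fails the tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt runs on-premises. A fresh 256-bit DEK per object encrypts the data;
// the KEK wraps only that DEK. objectID (e.g. the storage path, an assumed
// convention for this example) is bound into both tags so a wrapped DEK
// cannot be moved onto a different object.
func Encrypt(kek, plaintext []byte, objectID string) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the KEK, so it can only run where the organisation chooses to
// release it: on-premises, or in a workload it has decided to trust.
func Decrypt(kek []byte, obj *EncryptedObject, objectID string) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectID))
}

func main() {
	kek := make([]byte, 32) // in practice held in an on-premises HSM or KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Constructed sample record; nothing here is real cardholder data.
	obj, err := Encrypt(kek, []byte("cardholder record (constructed sample)"), "pci/batch-001")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj, "pci/batch-001")
	fmt.Printf("holder of the KEK:   %q err=%v\n", pt, err)
	// Whoever holds only the stored blob (the cloud provider, or a stolen
	// snapshot) has no KEK; destroying the KEK on-premises shreds every copy.
	_, err = Decrypt(make([]byte, 32), obj, "pci/batch-001")
	fmt.Printf("without the KEK:     err=%v\n", err)
}
```

The provider-side view is the whole point: everything it holds is ciphertext, and a copy moved to another cloud, another region or an attacker's disk is no more readable than the original. Rotating the KEK means re-wrapping DEKs, not re-encrypting the data; rotating a DEK means re-encrypting one object.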

"Encryption has been around forever, but the ability to deploy it in a virtualised environment offers new possibilities for companies," Quane said. "Not only can companies keep departments like HR, finance, and engineering separate – but they can ensure compliance for specific applications in a private cloud infrastructure."

"When you move to that modular architecture, the true benefit of this approach is the flexibility to use whatever computing infrastructure you want, with the same security posture. It enables you to not only get the business benefits of virtualisation and the cloud, but provides the ability to securely move in and out of the cloud depending on your business needs. We've already seen hundreds of customers move to this architecture and get those benefits."

Stories by David Braue