Virtualisation success requires security preparation

A database vendor that is building virtualisation into its product line says consolidating IT assets can pay dividends, but securing virtualised environments is a complicated new challenge.

Virtualisation is firmly back in fashion, driven by soaring energy prices and data centres bursting at the seams.

Not long ago, it seemed much simpler to assign a new server (or appliance) to every new application, but the cost of running so many half-empty boxes has finally hit home.

The meteoric rise of companies such as VMware Inc. is testament to the sudden appetite among organisations to consolidate and integrate IT assets, or to relocate processing and storage out 'in the cloud', where better economies of scale can often be achieved.

But what about security?

One man who has given virtualisation a good deal of thought is Steve Moyle, CTO at Oxford-based Secerno Ltd., which specialises in database security.

"We are moving to cloud computing and are going to find ourselves with this ephemeral computing resource that is provisioned on demand and in real time," Moyle said. "Believe me, in the cloud computing world, security is going to be a bigger pain, not a smaller one. You need to start provisioning your security technologies in advance of actually porting a database, for example."

Secerno's answer, which will be officially launched next month, is to build a VMware-based version of its own database security product, which up to now has been delivered only on a dedicated appliance.

While this will serve an immediate need to reduce the number of boxes at customer sites, Moyle said a virtualised product can provide the foundation for security in the complex world of cloud computing.

"Customers have been saying that although they like appliances in principle, their racks are beginning to fill up, and they want to drive that down," Moyle said. "Virtualisation is perfect for that, but it is just one step in a much longer journey where you get to a really tightly secured infrastructure, but which is still very dynamic with applications being turned on and off as required."

The Secerno product works by monitoring all requests to the database. In learning mode, it can automatically build a policy and profile of what is, and is not, legitimate traffic.

In Moyle's vision, a profile will be automatically created for every database out in the cloud, and it will be possible to dynamically deploy a copy of that profile in a virtualised instance of the Secerno code, along with the database to be queried.

"We check every interaction with the database to make sure it fits the policy that we have built up automatically for that particular database. Each and every protection profile is unique to each database," he said.
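A sketch of the learning-mode profiling described above, as an added example that is not Secerno's code: each query is reduced to a template with literals removed, a per-database profile records which client component sends which templates, and once learning ends every interaction is checked against that profile. The client names, normalisation rules and traffic are constructed for illustration.

```python
import re
from collections import defaultdict

# Added illustration, not Secerno's code. Assumed design: queries are reduced
# to templates, learning mode records (client, template) pairs per database,
# and after learning ends every interaction must match a recorded pair.
_STRING = re.compile(r"'(?:[^']|'')*'")      # SQL string literal
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")   # integer or decimal literal
_PUNCT = re.compile(r"\s*([=,])\s*")         # spacing around = and ,

def fingerprint(sql: str) -> str:
    """Reduce a query to its shape: literals become '?', spacing and case normalised."""
    shape = _NUMBER.sub("?", _STRING.sub("?", sql))
    shape = _PUNCT.sub(r"\1", shape)
    return " ".join(shape.split()).lower()

class DatabaseProfile:
    """Allow-list of (client, query shape) conversations for one database."""
    def __init__(self, database: str) -> None:
        self.database = database
        self.learning = True
        self.allowed = defaultdict(set)   # client name -> set of query shapes

    def check(self, client: str, sql: str) -> bool:
        """Learning mode records and accepts; enforcement accepts only learned pairs."""
        shape = fingerprint(sql)
        if self.learning:
            self.allowed[client].add(shape)
            return True
        return shape in self.allowed.get(client, ())

# Constructed sample traffic: (client component, SQL) pairs seen while learning.
LEARNED = [
    ("webshop", "SELECT id, total FROM orders WHERE customer_id = 1042"),
    ("webshop", "INSERT INTO orders (customer_id, total) VALUES (1042, 19.99)"),
    ("reporting", "SELECT count(*) FROM orders WHERE created > '2008-01-01'"),
]
# Constructed live traffic checked once learning has ended.
LIVE = [
    ("webshop", "select id,total from orders where customer_id=555"),          # known shape
    ("webshop", "DELETE FROM orders WHERE customer_id = 555"),                # new shape
    ("reporting", "SELECT id, total FROM orders WHERE customer_id = 1042"),   # wrong client
    ("batchjob", "SELECT count(*) FROM orders WHERE created > '2008-06-01'"), # unknown client
]

def evaluate(learned, live, database="orders_db"):
    """Learn from `learned`, then return the live (client, sql) pairs the profile rejects."""
    profile = DatabaseProfile(database)
    for client, sql in learned:
        profile.check(client, sql)
    profile.learning = False
    return [(client, sql) for client, sql in live if not profile.check(client, sql)]
```

Running `evaluate(LEARNED, LIVE)` accepts only the first live query; the other three are rejected because the shape, the client, or the client-to-database conversation was never seen during learning.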

A new approach is needed because the technique of network segregation that has served us so well for the last few years breaks down in the world of cloud computing, Moyle said.

"In the cloud computing space, you can end up with thousands of machines being able to be turned into different computing services," he said, "but to get the most out of them, they need to talk to one another."

"To exploit the flexibility of provision of service, you need to go back to the equivalent of a flat-network topology. So now we need a different way of separating out the traffic between hosts. Every new VM you create no longer has a fixed IP address; it's bouncing all over the place. So being able to put in segregation technologies on a network level is challenging."

Moyle said that Secerno's focus on the actual traffic going into the database enables policies to be applied without restricting the flexibility of the cloud computing model.

"It means we can start to use logical segmentation about the conversations that components are allowed to have with one another. So instead of having segregation of networks, you have segregation of conversations instead."

For the moment, however, Moyle concedes these are long-term needs and that the virtualised version of his product will initially be used to help users free up rack space.

He forecasts that cloud computing will produce a lot of new challenges for security professionals. "Security technologies will have to find new ways to deliver their benefits in this new mobile cloud computing space," he said. "As businesses drive IT forward, they often leap into a security void, and we security professionals need to jump in fast and close the gap."
