Virtually no security standards
XenSource, whose founders are ardent backers of the open source Xen framework for virtualization, says security is a work in progress.
But Simon Crosby, CTO at XenSource, indicated that the industry's open source backers -- as well as some big players such as the National Security Agency -- are looking at several ideas.
Much attention now centres on what's called Secure Hypervisor (or sHype), which was developed by IBM Research and is being tested in IBM's Systems and Technology Group.
IBM contributed Secure Hypervisor to the Xen project to provide security functions such as mandatory access control, Crosby says.
Secure Hypervisor as applied to the open source Xen hypervisor would provide a standard architecture for management and distributed auditing. It would also provide an engine to enforce mandatory policies such as Multi-Level Security Access Control and Type Enforcement. It's being proposed as an extension to Trusted Computing Group standards.
IBM's director of virtualization strategy and planning, Pete McCaffrey, says that while IBM backs open source Xen, its business strategy entails supporting virtualization choice, whether it be VMware, XenSource or Microsoft.
"Our middleware, WebSphere, runs in these environments," he says.
The range of virtualization platforms and the lack of standards mean security functions are going to be conceptually different across vendor boundaries, McCaffrey says.
Sun, which is building the Xen open source hypervisor into the latest version of the Solaris operating system, plans to release this Xen-powered version of Solaris as its virtualization entry sometime later this year.
"It allows us to offer our customers software to run multiple operating systems on the same set of hardware," says Joost Pronk van Hoogeveen, Sun's technical line manager for Solaris virtualization. In its virtualized form, Solaris could play the role of the host operating system "brain" or just be another "guest OS," he says.
Sun Solaris Trusted Extensions, which provides mandatory access controls and software compartmentalization, has already been certified under the Common Criteria program, an internationally recognized product evaluation and testing regime often favored by government customers.
"One reason we feel we should be doing this is the security software vendors already know how to work with Solaris," says van Hoogeveen.
VMware, which says it has 20,000 corporate customers today using its server virtualization software, says the security advantages that virtualization offers, particularly the flexibility associated with backup and disaster recovery, shouldn't be overlooked.
"In ease of management, provisioning is cut down from days and weeks to minutes," says Patrick Lin, VMware's director of product management and data centre platform products. "A physical machine looks like a file and we allow you to create virtual machines from a template within minutes."