Godfather of Xen: Virtualization holds a key to public-cloud security

  • Tim Greene (Network World)
  • 04 November, 2011 06:27

While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosby, says virtualization actually holds a key to better security.

Isolation -- the ability to restrict what computing goes on in a given context -- is a fundamental characteristic of virtualization that can be exploited to improve trustworthiness of processes on a physical system even if other processes have been compromised, says Crosby, a creator of the open source hypervisor and a founder of startup Bromium, which is looking to use Xen features to boost security.

If the virtual machine manager (hypervisor) can help isolate functions carried out on a system and thereby reduce the risk that an attack successful against one function can spread, that improves the trustworthiness of those other processes, Crosby says in an interview with Network World.

"I think that when we look back in five years we will actually figure out that the core value of hardware virtualization is security," Crosby says. "Actually it's better trust or better isolation, and not all of the grandiose cases we've come up with for virtualization today. So that even in the cloud the primary use case for virtualization will, in five years or so, be security and security through isolation."

Crosby was reluctant to detail how such a system would work because it is at the core of what Bromium is working on, and it doesn't plan to reveal that until next year. But earlier this year at the Xen Developers Conference, Bromium co-founder and chairman of Ian Pratt offered some insight.

Introspection, a feature of Xen that enables virtual machines to be inspected by another trusted VM, could help discover compromises within VMs, he says. Xen can isolate driver domains, which enhances security, Pratt says.

Crosby says this isolation is similar to what XenClient does today, enabling for instance a corporate desktop and a personal desktop on the same machine, keeping their activities securely separate. A person's possibly risky personal behavior with the machine won't compromise the corporate functions.

"The key point I'm trying to make is that virtualization technology in general through isolation provides you a different context in which to execute code of different trust levels," he says.

Isolating processes more finely can boost security in public cloud environments, he says. "I think one will be to create a highly secure cloud system which can be used to deliver multilevel secure systems," he says.

As an example he points to Intel and McAfee's DeepSAFE technology, software that sits between the CPU and the operating system on a device, much the way a bare-metal (Type 1) hypervisor does. Its direct link to the hardware gives it a trusted position and a view into events on the machine beyond what the operating system sees, according to McAfee.

"Intel recently announced its DeepSAFE technology with McAfee, a Type 1 hypervisor early load, which has a sole purpose to secure the runtime," Crosby says. "So you start to see the specific use of virtualization security on clients. I think it will eventually be the same on server systems, too. Obviously you've got to get the server hypervisor to learn new things."

He seems to suggest that linking hypervisors to trusted platform modules (TPMs) that are integrated within commodity processors could yield security benefits. A TPM's features include storage of encryption keys as well as hardware-assisted encryption, which makes it possible to encrypt all data a business entrusts to a public cloud.

"You can encrypt it at wire speed, and there is no excuse ever for the cloud provider to manage the key," Crosby says. "So what should happen is when you run an application in the cloud you should provide it with the key and only in the context of the running application as the data comes off some storage service is it decrypted and goes out re-encrypted on the fly. That way if somebody compromises the cloud provider's interface or if someone walks into the cloud provider and walks off with a hard disk, then you are OK."

By better securing public clouds, businesses can take full advantage of the reduced costs they offer. If trust in public clouds can be established, the need for private clouds and hybrid clouds and the capital costs they imply will go away. Cloud computing will become an operational expense.

Standing in the way is fear that if data is compromised while in the cloud the event will be career-ending for those who authorize it. Also blocking the way are the demands of regulatory auditors that want businesses to be able to physically locate data. "[Y]ou can't really state anything to a regulator in terms of the data if you can't find the hard disk," he says. "So how is the guy supposed to allow the data out of the data center?"

It could be shown instead that data is secure within a public cloud, meeting regulatory concerns without having to physically locate the disk containing it, Crosby says. "They could do it in a heartbeat," he says, "if we could actually secure the regulatory frameworks for it and if we could just get the vendors to do the obvious things in terms of adopting security technologies."

Crosby says Bromium already has a functioning version of its product and will announce it within months. "I think we're on early in the new year," he says. "We're in the stage where we're sending systems to potential early customers for them to kick around and give us feedback on."
