On the rare occasions when IT executives kick back and confide their darkest fears, almost invariably they cite a breach of their systems security as the one pain point that gives them sleepless nights. Small wonder. The 2006 Cost of a Data Breach Study conducted by the Ponemon Institute found that companies whose computer security had been compromised spent almost $300,000 on average to investigate data leaks and just over $1.24 million on average on steps to mitigate damage from data losses, such as setting up customer hotlines and offering credit monitoring services to help protect against identity theft.
Criminal hackers aren't the only ones posing a threat. According to a recent survey conducted by the Computer Security Institute and the San Francisco FBI Computer Intrusion Squad, 71% of large corporations, universities, and government agencies surveyed had detected unauthorized access to data in their systems by insiders. Additionally, 85% of these same respondents had detected viruses in their computer systems.
If the potential loss of business and damage to business reputations from unauthorized access to data didn't make the stakes in protecting data centers high enough, recent federal laws have upped the ante. The Sarbanes-Oxley Act of 2002, which tightens corporate governance, and the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of personal health information, have placed senior management, not just IT executives, on the hook for certifying that their data systems are safe from compromise by criminals, mischief-makers, and disgruntled employees.
Designed to Guarantee Data Integrity
All of these factors have heightened anxiety among corporate leaders about whether the risks in outsourcing data processing and management to third parties outweigh the big savings of doing so. As a result, the adoption of virtual data centers has lagged behind most market predictions. That's unfortunate, because virtualization may free users from having to manage each computer or data resource separately, and instead can allow them to be managed together, virtually. Virtualization enables users to mix and match technologies through common management tools for managing distributed heterogeneous resources. This added freedom can reduce switching costs, add flexibility and freedom of choice, and help mask complexity. Virtualization may create significant opportunities to improve IT utilization rates and reduce system administration costs.
For the past three years, IBM researchers have been exploring new and stronger ways to guarantee data integrity, short of running separate mainframe systems. The goal has been to instill confidence around the security of virtualization, prove it cost-effective for users, and satisfy the requirements of an environment that increasingly values corporate governance, risk management, and compliance. As Ronald Perez of IBM's Thomas J. Watson Research Center says, "The goal is to create an uninterrupted chain of trust."
The result of this research is the first technology from IBM Research to significantly enhance the security and management capabilities in the virtualization layers of the popular x86 and BladeCenter servers used in data centers. Known as sHype or "secure hypervisor," the new security architecture is designed to create a nearly impenetrable barrier, or Fort Knox-like wrapper, of security around distributed workloads in the data center, including hardware, operating systems, middleware, and applications. By enforcing separation of computation and data at the virtualization layer, essentially creating a data center "security foreman," sHype helps allow the customer to preset configurations, policies, and exceptions to lock down all of the contents of the data center.
The sHype architecture has two principal components. One is mandatory access control, which is policy-driven and cannot be bypassed, and the other is trusted computing. The mandatory access control works at the virtualization layer by labeling workloads and then conducting checks. If the control manager finds a rule is violated, access between workloads and their resources is denied.
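An added illustrative model (not IBM's or sHype's own code) of the mandatory access control just described: workloads and resources carry labels, and a non-bypassable policy check decides every access, defaulting to deny. The label names, the pairwise type rule, and the co-residency conflict-set rule are this example's own assumptions that go a step beyond the text, which only states that rule violations deny access between workloads and their resources.

```python
# Constructed model of policy-driven labeling and checking at the virtualization layer.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """Security label attached to a workload (VM) or a resource (disk, NIC, ...)."""
    types: frozenset


@dataclass
class Policy:
    # A workload type may touch a resource type only if the pair is listed here.
    allowed: set
    # Assumed extension: groups of types whose workloads must never share a host.
    conflict_sets: list = field(default_factory=list)

    def check_access(self, workload: Label, resource: Label) -> bool:
        """Default-deny: every type the resource carries must be explicitly reachable."""
        return all(
            any((w, r) in self.allowed for w in workload.types)
            for r in resource.types
        )

    def check_coresidency(self, running: list, candidate: Label) -> bool:
        """Deny starting a workload beside one of a different type in the same conflict set."""
        for group in self.conflict_sets:
            cand_in = candidate.types & group
            for other in running:
                other_in = other.types & group
                if cand_in and other_in and cand_in != other_in:
                    return False
        return True


def enforce(policy: Policy, workload: Label, resource: Label) -> str:
    """Reference-monitor style decision the hypervisor would act on."""
    return "ALLOW" if policy.check_access(workload, resource) else "DENY"


# Constructed sample policy: two departments sharing one virtualized host.
POLICY = Policy(
    allowed={("payroll", "payroll_disk"), ("hr", "hr_disk"), ("hr", "payroll_disk")},
    conflict_sets=[frozenset({"bank_a", "bank_b"})],
)
PAYROLL_VM = Label(frozenset({"payroll"}))
HR_VM = Label(frozenset({"hr"}))
PAYROLL_DISK = Label(frozenset({"payroll_disk"}))
HR_DISK = Label(frozenset({"hr_disk"}))
```

Because the check is default-deny, a resource whose type appears in no rule is unreachable by every workload until an administrator adds a rule.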
The trusted computing component is the collaborative outgrowth of a specification and standards group consisting of 150+ companies, universities, and governments. The goal was to create a root of trust in the hardware, including servers, laptops, and even cell phones. This is important since compromised systems can "lie" and trick less-sophisticated security solutions. Trusted computing technologies are designed to ensure the integrity of the entire operating environment, potentially measuring every piece of software—from the BIOS on through each application—in the system, and storing these measurements, or "fingerprints," of the software in a secure piece of hardware. Systems management solutions compare these fingerprints with known configurations to determine whether the environment is what it's supposed to be, enabling the detection and remediation of improperly configured or compromised computing environments.
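An added example (not IBM's code) of the measurement chain described above: each stage is fingerprinted before it runs, the fingerprint is folded into an extend-only register modelled on the secure hardware the text mentions, and verification replays the log against a known-good reference to name the component that changed. The component names and contents are constructed sample data.

```python
# Constructed model of measure-then-extend boot integrity with a replayable log.
import hashlib


def measure(component: bytes) -> bytes:
    """Fingerprint one piece of software."""
    return hashlib.sha256(component).digest()


def extend(register: bytes, fingerprint: bytes) -> bytes:
    # The register can only be extended, never overwritten, so later software
    # cannot erase the record of what ran before it.
    return hashlib.sha256(register + fingerprint).digest()


def boot(components):
    """Measure each stage in order (BIOS first); return (register, event log)."""
    register = bytes(32)  # all-zeros at power-on
    log = []
    for name, code in components:
        fp = measure(code)
        log.append((name, fp.hex()))
        register = extend(register, fp)
    return register, log


def attest(register, log, reference_log):
    """Check the log against the register, then against the known-good configuration.
    Returns (ok, list of mismatched component names)."""
    replay = bytes(32)
    for _, fp_hex in log:
        replay = extend(replay, bytes.fromhex(fp_hex))
    if replay != register:
        return False, ["<log does not match hardware register>"]
    mismatched = [name for (name, fp), (_, ref) in zip(log, reference_log) if fp != ref]
    if len(log) != len(reference_log):
        mismatched.append("<component count differs>")
    return not mismatched, mismatched


# Constructed sample chains: a known-good boot and one with a modified kernel stage.
GOOD_CHAIN = [("bios", b"bios v1.0"), ("bootloader", b"loader 1.9"),
              ("kernel", b"hypervisor + dom0 kernel"), ("app", b"payroll 2.1")]
BAD_CHAIN = [(n, b"hypervisor + rootkit" if n == "kernel" else c) for n, c in GOOD_CHAIN]
REFERENCE_LOG = boot(GOOD_CHAIN)[1]
```

A tampered log is caught by the register replay even when every individual entry looks like a valid fingerprint, which is what lets management software trust the log it is shown.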
Building Trust in Virtualization
Currently, sHype remains in the development phase as a commercial offering. Nevertheless, sHype has proved sufficiently robust so that a set of beta customers has implemented major portions of it for testing. In addition, the Open Source community is also using components of sHype together with the Xen hypervisor to go beyond current hypervisors to secure data, resources, and workloads across multiple operating systems and server architectures and to monitor those workloads to ensure data integrity.
Security is especially important in virtualization, because the greater efficiency achieved by pooling computing resources and data at high rates of speed can place the integrity of data at risk. When workloads cross within the virtual data center, data within each workload can be compromised, either inadvertently or purposefully. Given the processing speed that virtualization affords most data centers, tainted data may be restored to the data pool and redirected before errors can be identified and fixed. Even if data aren't tainted, one company can gain some insight into a competitor's situation simply by knowing the relative speed at which its competitor's data is being processed on a shared virtualized system.
Designing security into the hypervisor code is much simpler and more effective than the piecemeal approach that security historically has taken. Traditional IT security is built into one or more user-chosen operating systems, with perhaps some additional security included in the applications. However, it is very difficult to adequately protect bulky operating systems and applications, as evidenced by the frequent security patches and updates to popular operating systems. While it is less complex, application-level security typically only works when a threat alert is issued—potentially too late to be useful. Because the hypervisor code is much smaller and easier to protect, sHype creates a protective barrier around the servers, operating systems, applications, workloads, and virtual resources in the data center.
The fact that security for virtualization is being developed in an Open Source environment shouldn't concern, but rather should reassure corporate users. The theory of Security-Through-Obscurity doesn't work in today's computing environment. As IBM's Ronald Perez says, "If it can't stand an open look, it's not strong enough protection."
