The increased virtualization of the computing and network environments is putting more requirements on flexible, cloud-based security. Networks and data centers dynamically create software-based networks and computing functions such as virtual machines (VMs), so the security functions must also be virtualized in a portable way to move with the applications and computing workloads.
From Physical to Virtual
Physical security devices are typically placed at the perimeter of a network to provide protection, admitting authenticated users to the network. In a virtual environment, networks, workloads, and virtual machines are constantly being set up, torn down, and moved around inside a data center or network, which shifts where security is needed. In addition, because multiple virtual networks can operate across the same underlying physical infrastructure, security must address each layer of virtualization. VMs, for example, add security complexity because they exist as files that can be copied or moved independently of the physical infrastructure, which in itself poses security risks. These trends have driven more security virtualization.
Segmentation and Isolation
Security virtualization uses software installed on virtual networks to monitor workloads, applications, and access to VMs. This software can also manage the security policies that govern access to the virtual networks and workloads themselves.
Two common concepts in virtualized security are segmentation and isolation. With segmentation, specific network resources are only accessible to specified applications and users. This can be achieved with virtual software in addition to physical security devices. Another important approach is isolation, which allows discrete applications and workloads to operate independently on the same network. An example of this would be segmenting the portion of the network dealing with sensitive information, such as credit-card data.
With the advent of software-defined networking (SDN), segmentation can be built into virtual network fabrics. For example, an SDN network could be set up to have several secure layers, depending on policies assigned to various applications. Another trend in SDN security, which is driving security virtualization, is the approach of microsegmentation, whereby additional layers of security can be added at the application and workload level.
Microsegmentation applies specific security policies to individual workloads and applications, so that the security functions can follow a workload when it is moved around the network, a routine event in today's virtual infrastructure.
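The contrast between segmentation tied to a physical perimeter and microsegmentation tied to the workload itself can be made concrete with a small simulation. The following is an added example, not code from the original article or from any vendor product: it models a label-based policy (rules select workloads by labels such as tier and segment, default deny) beside a conventional IP-based ACL, then migrates a workload to a new address. The workload names, IP addresses, labels and ports are all constructed for the illustration.

```python
"""Label-based microsegmentation policy vs. IP-based ACL (constructed simulation)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Label = Tuple[str, str]


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: FrozenSet[Label]  # e.g. {("tier", "app"), ("segment", "cardholder")}


@dataclass
class Rule:
    src: Dict[str, str]  # label selector the source workload must satisfy
    dst: Dict[str, str]  # label selector the destination workload must satisfy
    port: int


def selector_matches(selector: Dict[str, str], labels: FrozenSet[Label]) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all((key, value) in labels for key, value in selector.items())


def label_policy_allows(policy: List[Rule], src: Workload, dst: Workload, port: int) -> bool:
    """Default deny: traffic passes only if some rule's selectors match both endpoints."""
    return any(
        rule.port == port
        and selector_matches(rule.src, src.labels)
        and selector_matches(rule.dst, dst.labels)
        for rule in policy
    )


def ip_acl_allows(acl: Set[Tuple[str, str, int]], src: Workload, dst: Workload, port: int) -> bool:
    """Perimeter-style ACL keyed on addresses; knows nothing about the workload identity."""
    return (src.ip, dst.ip, port) in acl


def migrate(workload: Workload, new_ip: str) -> Workload:
    """Simulate a VM move: the address changes, the labels travel with the workload."""
    return Workload(workload.name, new_ip, workload.labels)


# Constructed inventory: a three-tier cardholder segment plus an unrelated corporate app.
WEB = Workload("web-1", "10.0.1.10", frozenset({("tier", "web"), ("segment", "cardholder")}))
APP = Workload("app-1", "10.0.2.20", frozenset({("tier", "app"), ("segment", "cardholder")}))
DB = Workload("db-1", "10.0.3.30", frozenset({("tier", "db"), ("segment", "cardholder")}))
CORP_APP = Workload("intranet-1", "10.0.9.90", frozenset({("tier", "app"), ("segment", "corp")}))

# Microsegmentation policy: only the adjacent tier inside the cardholder segment may talk.
POLICY = [
    Rule({"tier": "web", "segment": "cardholder"}, {"tier": "app", "segment": "cardholder"}, 8443),
    Rule({"tier": "app", "segment": "cardholder"}, {"tier": "db", "segment": "cardholder"}, 5432),
]

# The same intent expressed as an address-based ACL at the time the VMs were deployed.
IP_ACL = {(WEB.ip, APP.ip, 8443), (APP.ip, DB.ip, 5432)}


def demo() -> Dict[str, bool]:
    """Evaluate a few flows before and after the app tier is moved to a new address."""
    results = {
        "web->app:8443": label_policy_allows(POLICY, WEB, APP, 8443),       # allowed by rule 1
        "web->db:5432": label_policy_allows(POLICY, WEB, DB, 5432),         # tier segmentation blocks it
        "corp-app->db:5432": label_policy_allows(POLICY, CORP_APP, DB, 5432),  # segment isolation blocks it
    }
    moved_app = migrate(APP, "10.0.7.77")
    # Labels moved with the workload, so the label-based policy still applies unchanged.
    results["moved-app->db (labels)"] = label_policy_allows(POLICY, moved_app, DB, 5432)
    # The address-based ACL was written for the old IP and now silently denies the flow.
    results["moved-app->db (ip-acl)"] = ip_acl_allows(IP_ACL, moved_app, DB, 5432)
    return results


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow:28} {'ALLOW' if allowed else 'DENY'}")
```

The last two results are the point: after the migration the label-based rule set needs no edit, while the IP-based ACL has to be rewritten (and, until it is, either breaks the application or tempts an operator into a broad allow rule). In a real deployment the label-to-address mapping would come from the orchestrator's inventory rather than from hard-coded objects.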
Security virtualization is a strong trend likely to last for many years as more applications are run in the cloud and networks grow increasingly virtualized. New forms of security software that can be installed to monitor and manage security policies on virtual infrastructure will be needed.