Bromium 2015 Prediction: The End of Software Defined Security
Virtualization and Cloud executives share their predictions for 2015.  Read them in this VMblog.com series exclusive.

Contributed article by Simon Crosby, co-founder and CTO of Bromium Inc.

The End of Software Defined Security

It is 60 years since the death of Alan Turing, the father of modern computer science, and almost 80 since his 1936 proof that no general procedure can decide whether an arbitrary program halts (and, by extension, any non-trivial property of its behaviour). That result is why the premise underlying today's detection-focused network and endpoint security technologies, that malicious code can be reliably recognised before it executes, is fatally flawed.

In 2015 we will, for the first time, see broad adoption of technologies that leverage CPU capabilities to make endpoints (clients and servers) vastly more secure, by design. My focus here is on hardware virtualization, though other CPU features will play a crucial role in this journey.

The woeful state of computer security is an unfortunate accident of history. The monolithic code bases of today's mainstream operating systems are difficult to secure, yet highly secure systems that relied on hardware capabilities to protect themselves, such as the Cambridge CAP machine and Multics, were built decades ago. They were never broadly adopted, mostly as a result of market expediency (e.g. the rapid growth of Microsoft and the evolution of DOS to Windows and thence NT, or the desire of Linux developers to quickly deliver a Unix feel-alike). These OSes use only two hardware protection rings (ring 0 for the kernel, ring 3 for user code), even though the Intel x86 architecture has offered four rings of hardware protection since the 80286.

Of course, with today's massive installed-base of legacy OSes, there's no going back... Or is there? 

It turns out that with the advent of hardware virtualization (a broad set of CPU features from both Intel, as VT-x, and AMD, as AMD-V), it is possible to add a further layer of hardware protection beneath ring 0 of an existing, installed legacy OS (Windows, Mac OS X, Linux, Android...) and its applications, through the addition of a specialized hypervisor called a Microvisor: the OS keeps running at ring 0, but the CPU's hypervisor mode sits underneath it and decides what that ring 0 may touch. Micro-virtualization uses these hardware-virtualization features to invisibly hardware-isolate the execution of individual OS tasks in a structure called a micro-VM. Since a micro-VM is just a hardware-isolated task rather than a full guest OS, this can be done at great density and with little impact on performance. All changes made during execution are kept copy-on-write in hardware-isolated memory, and the execution environment is deliberately de-privileged: it contains only the data needed by the task and an otherwise empty virtual file system, and its virtual network is delivered as a micro-service with access only to the sites the task needs. Upon completion, the entire micro-VM is simply discarded, and none of the changes made during execution persist to the host.

Using micro-virtualization, we are effectively able to apply key principles from Multics (least privilege and hardware-enforced isolation) to both PCs and servers, making the system vastly more secure, simply by relying on features that are already present, but largely unused, on almost every modern CPU. The one practical caveat is that the virtualization extensions must be enabled in firmware, and some vendors still ship them disabled by default. Micro-virtualization can be used to provide hardware-enforced multi-tenancy for Docker containers, and to hardware-isolate every tab in your browser, or each document or attachment you open.

Beyond hardware virtualization, broad adoption in OSes and hypervisors of core platform features such as Intel TXT (a measured launch of the hypervisor or OS), the TPM (the hardware root of trust that records those measurements), and SGX (enclaves whose code and data are protected even from a compromised OS or hypervisor) will also play an important role.
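The two paragraphs above rest on CPU features that a host either exposes or does not, so the first thing a practitioner should do is check. The following script is an added example, not code from the article or from Bromium: it reports which of the relevant features a Linux host advertises, using the flag names Linux prints on the "flags" line of /proc/cpuinfo (vmx/svm for VT-x/AMD-V, ept/npt for nested paging, smep/smap, smx for the extensions TXT builds on, sgx), and it goes a little beyond the text by also warning about the common case where the CPU supports virtualization but firmware has disabled it. The /dev/kvm and /dev/tpm0 device paths are assumptions about a typical Linux install.

```bash
#!/usr/bin/env bash
# Added example, not code from the article or from Bromium: check which of the
# CPU features discussed above a Linux host actually exposes. Flag names are
# those Linux prints on the "flags" line of /proc/cpuinfo; the /dev/kvm and
# /dev/tpm0 paths are assumptions about a typical Linux install.

# has_flag FLAGS NAME: exact-word match of NAME in the space-separated FLAGS.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# virt_feature_report FLAGS: print one line per feature and return 0 only when
# a virtualization extension (VT-x or AMD-V) AND second-level address
# translation (EPT or NPT) are both present. Without nested paging the
# hypervisor has to shadow guest page tables in software, which rules out the
# high-density, low-overhead isolation the article describes.
virt_feature_report() {
    local flags="$1" vt="none" slat="none" extras=""

    has_flag "$flags" vmx && vt="Intel VT-x"
    has_flag "$flags" svm && vt="AMD-V"
    has_flag "$flags" ept && slat="EPT"
    has_flag "$flags" npt && slat="NPT"

    # Related hardware features the article mentions or relies on.
    has_flag "$flags" smep && extras="$extras smep"  # ring 0 cannot execute user pages
    has_flag "$flags" smap && extras="$extras smap"  # ring 0 cannot read/write user data
    has_flag "$flags" smx  && extras="$extras smx"   # Safer Mode Extensions, used by TXT
    has_flag "$flags" sgx  && extras="$extras sgx"   # Software Guard Extensions enclaves

    printf 'virtualization extension : %s\n' "$vt"
    printf 'nested paging (SLAT)     : %s\n' "$slat"
    printf 'other hardening features :%s\n' "${extras:- none}"

    [ "$vt" != none ] || return 1
    [ "$slat" != none ] || return 1
    return 0
}

# host_virt_check: run the report against this machine and warn about the
# caveat that the CPU advertises VT-x/AMD-V but firmware has disabled it, in
# which case the kernel's kvm module refuses to load and /dev/kvm never appears.
host_virt_check() {
    local flags rc
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2-)
    if virt_feature_report "$flags"; then rc=0; else rc=$?; fi
    if [ "$rc" -eq 0 ] && [ ! -c /dev/kvm ]; then
        echo 'WARNING: CPU supports virtualization but /dev/kvm is absent;' \
             'check that VT-x/AMD-V is enabled in firmware (dmesg | grep -i kvm).'
    fi
    [ -c /dev/tpm0 ] && echo 'TPM device present: /dev/tpm0'
    return "$rc"
}

# Only touch the live host when explicitly asked (./virtcheck.sh --host); the
# functions above are pure so they can be exercised with constructed flag strings.
case "${1:-}" in
    --host) host_virt_check ;;
esac
```

A green report from this script only says the hardware is there; whether an OS or hypervisor actually uses these features to confine tasks is a separate question, which is the point the article is making.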

The adoption of technology that actively secures infrastructure, by design, will start the countdown to the death of outmoded detection-centric security products. As new hardware-centric security technologies are adopted, enterprises will realize substantial CapEx and OpEx savings that today are spent on failed technologies and on the human experts needed to deal with the growing onslaught of sophisticated attacks. The dramatic security improvements afforded by CPU-enforced security, including micro-virtualization, will help increase customer confidence and accelerate adoption of cloud computing and mobility.


About the Author

Simon Crosby is co-founder and CTO of Bromium Inc. Previously Simon was CTO, Data Center & Cloud at Citrix Systems, which acquired XenSource, where he was co-founder and CTO. Along the way, Simon was a Principal Engineer at Intel, and founder & CTO of CPlane Inc., a pioneer in Software Defined Networking. A long time ago, he was a faculty member at the University of Cambridge, UK.  He holds a PhD in Computer Science, from Cambridge.
Published Wednesday, November 12, 2014 7:09 AM by David Marshall
Comments
@VMblog - (Author's Link) - February 10, 2015 7:00 AM

Once again, how great is it to be a part of the virtualization and cloud industries? 2014 was another banner year, and we witnessed a number of fantastic technologies take shape and skyrocket. And I, along with many industry experts and executives, media
