Virtualized security, or security virtualization, refers to security solutions that are software-based and designed to work within a virtualized IT environment. This differs from traditional, hardware-based network security, which is static and runs on devices such as traditional firewalls, routers, and switches.
In contrast to hardware-based security, virtualized security is flexible and dynamic. Instead of being tied to a device, it can be deployed anywhere in the network and is often cloud-based. This is key for virtualized networks, in which operators spin up workloads and applications dynamically; virtualized security allows security services and functions to move around with those dynamically created workloads.
Cloud security considerations (such as isolating multitenant environments in public cloud environments) are also important to virtualized security. The flexibility of virtualized security is helpful for securing hybrid and multi-cloud environments, where data and workloads migrate around a complicated ecosystem involving multiple vendors.
Virtualized security is now effectively necessary to keep up with the complex security demands of a virtualized network, plus it’s more flexible and efficient than traditional physical security. Here are some of its specific benefits:
- Cost-effectiveness: Virtualized security allows an enterprise to maintain a secure network without a large increase in spending on expensive proprietary hardware. Pricing for cloud-based virtualized security services is often determined by usage, which can mean additional savings for organizations that use resources efficiently.
- Flexibility: Virtualized security functions can follow workloads anywhere, which is crucial in a virtualized environment. It provides protection across multiple data centers and in multi-cloud and hybrid cloud environments, allowing an organization to take advantage of the full benefits of virtualization while also keeping data secure.
- Operational efficiency:Quicker and easier to deploy than hardware-based security, virtualized security doesn’t require IT teams to set up and configure multiple hardware appliances. Instead, they can set up security systems through centralized software, enabling rapid scaling. Using software to run security technology also allows security tasks to be automated, freeing up additional time for IT teams.
- Regulatory compliance:Traditional hardware-based security is static and unable to keep up with the demands of a virtualized network, making virtualized security a necessity for organizations that need to maintain regulatory compliance.
Virtualized security can take the functions of traditional security hardware appliances (such as firewalls and antivirus protection) and deploy them via software. In addition, virtualized security can also perform additional security functions. These functions are only possible due to the advantages of virtualization, and are designed to address the specific security needs of a virtualized environment.
For example, an enterprise can insert security controls (such as encryption) between the application layer and the underlying infrastructure, or use strategies such as micro-segmentation to reduce the potential attack surface.
Virtualized security can be implemented as an application directly on a bare metal hypervisor (a position it can leverage to provide effective application monitoring) or as a hosted service on a virtual machine. In either case, it can be quickly deployed where it is most effective, unlike physical security, which is tied to a specific device.
The increased complexity of virtualized security can be a challenge for IT, which in turn leads to increased risk. It’s harder to keep track of workloads and applications in a virtualized environment as they migrate across servers, which makes it more difficult to monitor security policies and configurations. And the ease of spinning up virtual machines can also contribute to security holes.
It’s important to note, however, that many of these risks are already present in a virtualized environment, whether security services are virtualized or not. Following enterprise security best practices (such as spinning down virtual machines when they are no longer needed and using automation to keep security policies up to date) can help mitigate such risks.
Traditional physical security is hardware-based, and as a result, it’s inflexible and static. The traditional approach depends on devices deployed at strategic points across a network and is often focused on protecting the network perimeter (as with a traditional firewall). However, the perimeter of a virtualized, cloud-based network is necessarily porous and workloads and applications are dynamically created, increasing the potential attack surface.
Traditional security also relies heavily upon port and protocol filtering, an approach that’s ineffective in a virtualized environment where addresses and ports are assigned dynamically. In such an environment, traditional hardware-based security is not enough; a cloud-based network requires virtualized security that can move around the network along with workloads and applications.
There are many features and types of virtualized security, encompassing network security, application security, and cloud security. Some virtualized security technologies are essentially updated, virtualized versions of traditional security technology (such as next-generation firewalls). Others are innovative new technologies that are built into the very fabric of the virtualized network.
Some common types of virtualized security features include:
- Segmentation, or making specific resources available only to specific applications and users. This typically takes the form of controlling traffic between different network segments or tiers.
- Micro-segmentation, or applying specific security policies at the workload level to create granular secure zones and limit an attacker’s ability to move through the network. Micro-segmentation divides a data center into segments and allows IT teams to define security controls for each segment individually, bolstering the data center’s resistance to attack.
- Isolation, or separating independent workloads and applications on the same network. This is particularly important in a multitenant public cloud environment, and can also be used to isolate virtual networks from the underlying physical infrastructure, protecting the infrastructure from attack.