
These materials are the copyright of John Wiley & Sons, Inc. and any
dissemination, distribution, or unauthorized use is strictly prohibited.

Cloud &
Virtualization
Security
Trend Micro Special Edition

by Daniel Reis


Cloud & Virtualization Security For Dummies, Trend Micro Special Edition
Published by
John Wiley & Sons, Inc.
111 River St.
Hoboken, NJ 07030-5774
www.wiley.com
Copyright 2013 by John Wiley & Sons, Inc., Hoboken, New Jersey
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any
form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise,
except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the
prior written permission of the Publisher. Requests to the Publisher for permission should be
addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com,
Making Everything Easier, and related trade dress are trademarks or registered trademarks of John
Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used
without written permission. Trend Micro, Smart Protection Network, Trend Micro Deep Security, and
the Trend Micro logo are trademarks or registered trademarks of Trend Micro Incorporated. All other
trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with
any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO
REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS
OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING
WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE
AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS
WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE
SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS
WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT
MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS
SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED
OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services, or how to create a custom For Dummies
book for your business or organization, please contact our Business Development Department in
the U.S. at 877-409-4177, contact info@dummies.biz, or visit www.wiley.com/go/custompub.
For information about licensing the For Dummies brand for products or services, contact
BrandedRights&Licenses@Wiley.com.
ISBN 978-1-118-73194-9 (pbk); ISBN 978-1-118-73192-5 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1

Publisher's Acknowledgments
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Vertical Websites
Development Editor: Lawrence C. Miller
Project Editor: Jennifer Bingham
Editorial Manager: Rev Mengle
Business Development Representative:
Kimberley Schumacker
Custom Publishing Project Specialist:
Michael Sullivan

Composition Services
Senior Project Coordinator: Kristie Rees
Layout and Graphics: Carrie A. Cesavice,
Jennifer Goldsmith, Andrea Hornberger
Proofreader: Lindsay Amones
Special Help from Trend Micro: Paula Rhea,
Monica Niemann
Business Development
Lisa Coleman, Director, New Market
and Brand Development


Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
About This Book......................................................................... 2
Foolish Assumptions.................................................................. 2
How This Book Is Organized..................................................... 3
Icons Used in This Book............................................................. 3
Where to Go from Here.............................................................. 4

Chapter 1: Exploring Virtual Environments . . . . . . . . . . . 5


What Is Virtualization?............................................................... 5
What Are the Benefits of Virtualization?.................................. 7
Business Security Challenges in a Virtual Environment........ 8
Agility................................................................................. 8
Regulatory compliance.................................................. 10
Cloud and Virtualization.......................................................... 12

Chapter 2: Virtual Server Security. . . . . . . . . . . . . . . . . . 13


Security Challenges Specific to the Virtual Environment..... 13
Inter-VM communications............................................. 14
Resource utilization....................................................... 15
Dormant VMs.................................................................. 18
VM migrations................................................................. 19
Addressing Virtual Security Challenges with
Virtual-Aware Solutions........................................................ 20
Addressing Data Protection in the Cloud.............................. 22

Chapter 3: Understanding Virtual Desktop Infrastructure (VDI) Security . . . . . . . . . . . . . 23
Understanding VDI Security Challenges................................ 24
Finding the Right Kind of Security to Work with VDI........... 26
Managing Data Access and Security with VDI....................... 27
Using VDI in the Cloud............................................................. 28


Cloud & Virtualization Security For Dummies, Trend Micro Edition

Chapter 4: Exploring Trend Micro Virtual-Aware Security Solutions . . . . . . . . . . . . . . 29
Protecting Against Global Threats......................................... 29
Examining the landscape............................................... 30
Increased volume................................................. 30
Greater sophistication......................................... 30
Taking a look at the Smart Protection Network......... 31
Designing Security for Virtual Environments........................ 33
Securing Every Aspect of Your Computing
Environment.......................................................................... 36

Chapter 5: Ten Important Capabilities to Look For in a Virtual-Aware Security Solution . . . . . 39
Appendix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41


Introduction

Virtualization technologies are being adopted today at a
tremendous rate. Although the benefits of virtualization
outweigh its challenges, it does create some significant problems for IT.
Perhaps the most significant issue for virtualization is the
notion that traditional security technology runs the same in
a virtual environment as it does in a physical environment.
Virtual systems, as well as dedicated physical systems, are
being deployed today as a part of the standard mix of computing environments in many companies. IT departments must
manage mixed or hybrid computing environments, comprised
of virtual and physical platforms.
The greater reliance on virtualization needs to force our
attention (while hopefully avoiding "uh-oh" moments) to
the fundamental design limitations of traditional security
solutions when applied to virtualized systems.
As the advent of cloud has been getting so much attention
over the last number of years, understanding how security
works in cloud environments needs to be clear, too. A risky
conclusion that many organizations make is thinking their
data is just as safe in a cloud world as it is in their own data
center, and that they don't have to do anything special to
ensure an acceptable level of security is in place. The reality
can be quite different. It isn't that a cloud environment isn't
secured by the provider; it's that your data, unless special
provision is made between you and that provider, isn't necessarily secured from the exposure of running in a multitenant
shared cloud world. As a user, you don't know the other
tenants also operating their VM applications on your same
host machine or where your data may be stored on a shared
storage device with yet another group of unknown residents.
You also don't know who the other storage residents may be
allowing to access their data in your shared storage. And the
simple fact is that you can't control these elements.


Cloud providers work hard to keep their environments secure,
but keep in mind they set policies such as firewall rules that let
thousands of customers access their systems consistently, and
it's likely these rules won't meet your data security concerns.
So, your job must be to determine whether those policies protect your data to your level of satisfaction. If not, you need to
ensure you have security in place that does meet your security
requirements in any shared cloud environment.

About This Book


This book explores the security challenges of virtualization in
the data center, at the endpoint, and in the cloud. I explain why
using traditional security products built for physical systems
is a mistake for virtual systems. Finally, I explain how virtual-aware security solutions provide in-depth security without
compromising performance in virtual, cloud, and hybrid environments that include a mix of virtual and physical systems.

Foolish Assumptions
First, I assume that you know a little something about server
and desktop virtualization, and perhaps a thing or two about
security as well. This book is written primarily for technical
readers who are evaluating security solutions for a virtual
or mixed physical and virtual environment.
Although many of the terms and concepts presented in this
book apply to virtualization technology in general, I assume
that you're primarily interested in virtualization solutions
from VMware, Microsoft, and Citrix, and therefore focus on
these solutions, with my apologies to IBM, Oracle, and the
many other virtualization solutions available today.
Finally, I assume that most organizations have already attempted
to secure their virtual systems using the same tools, in pretty
much the same way, as they did on their physical systems.
Many IT professionals mistakenly assume that virtual systems
are essentially the same, or have similar-enough operating
characteristics, as physical machines, so they end up implementing their existing security and management tools in their
new virtual environments with disappointing or even catastrophic results.

How This Book Is Organized


This book contains a virtual (err, sorry) cornucopia of knowledge, all conveniently distilled into five short chapters chock
full of just the information you need. Here's a brief look at
what awaits you in the pages ahead:

Chapter 1: Exploring Virtual Environments. I begin by
explaining how virtualization technology works, some
of the key benefits of virtualization for organizations,
and some business challenges associated with virtual
environments.

Chapter 2: Virtual Server Security. Next, I tell you about
some of the specific security challenges that you must
address in a virtualized data center.

Chapter 3: Virtual Desktop Infrastructure (VDI)
Security. In this chapter, I explain some security challenges in desktop virtualization and how VDI can help
you safeguard data in a BYOD world.

Chapter 4: Exploring Trend Micro Virtual-Aware
Security Solutions. Here, you learn about Trend Micro's
virtual-aware Deep Security solution to protect your virtual environment.

Chapter 5: Ten Important Capabilities to Look for in a
Virtual-Aware Security Solution. Next, in that classic
For Dummies style, I give you a checklist to use when evaluating security solutions for your virtual environment.

Appendix: Glossary. Finally, just in case you can't spell
out every computing industry acronym in your cereal or
pasta, I've included a handy reference of the acronyms
and terms I use in this book!

Icons Used in This Book


Throughout this book, you occasionally see icons that call
attention to important information that is particularly worth
noting. You won't find any winking smiley faces or other cute
little emoticons, but you'll definitely want to take note! Here's
what to expect.



This icon points out information that may well be worth committing to your nonvolatile memory, your gray matter, or your
noggin along with anniversaries and birthdays!

This icon explains the jargon beneath the jargon.


Thank you for reading, hope you enjoy the book, please take
care of your writer! Seriously, this icon points out helpful suggestions and useful nuggets of information.

These helpful alerts offer practical advice to help you avoid
potentially costly mistakes.

Where to Go from Here


If you don't know where you're going, any chapter will get
you there (but Chapter 1 might be a good place to start)!
However, if you see a particular topic that piques your interest, feel free to jump ahead to that chapter. Each chapter is
individually wrapped (but not packaged for individual sale)
and written to stand on its own, so feel free to start reading
anywhere and skip around throughout this book (not your
office)! Read this book in any order that suits you (though I
don't recommend upside down or backwards).


Chapter 1

Exploring Virtual
Environments
In This Chapter
Defining virtualization
Recognizing the benefits of virtualization
Understanding the business security challenges of virtualization
Working with cloud and virtualization

The benefits of virtualization are compelling. Organizations
of all sizes, from small and medium businesses to large
global enterprises, are adopting virtualization technology
(including cloud computing) at an unprecedented rate. In
this chapter, you learn some of the basics of virtualization
technologies and their benefits, and how virtual technologies
are changing the security landscape.

What Is Virtualization?
Virtualization technology simulates physical computing
resources, such as servers and desktop computers, in a
virtual environment. Figure 1-1 depicts a simplified virtual
environment. The virtual infrastructure software platform, also
known as virtualization software, is a virtualization layer
installed on a physical server. Examples of virtualization software include VMware vSphere, Microsoft Hyper-V, and Citrix
XenServer, among others.


Figure 1-1: A simplified view of a virtual computing environment.

Virtualization software runs on the physical host machine and
provides an operating ecosystem for multiple virtual instances,
or virtual machines (VMs), running specific applications. The
hypervisor is a component of virtualization software that functions between the physical host machine's hardware kernel
and the OS of the individual VMs. The hypervisor enables multiple VMs to run on a single physical host machine by managing
communications and resource allocation between the VMs.
Virtualization technology has its roots in mainframe computing. The kernel in a mainframe computer is known as the
supervisor. Thus, the hypervisor is software that operates
above the kernel in a virtual environment.
A VM, in its simplest form, can be thought of as a physical
machine reduced to a set of core operating system environments (OSE): the operating system (OS), an application, and
the host system, which simulates a physical machine, such
as a server or desktop computer. Each VM has its own OS,
such as Windows or Linux, and is allocated some share of
the physical host machine's total processor, memory, I/O
(input/output), and networking resources, all managed by the
virtualization software's hypervisor.


In a virtual environment, each VM runs as an individual dedicated session for the specific application(s) running on that
VM. Each VM session runs exactly as it would on a dedicated
physical machine, assuming adequate resources are allocated
to run its OS and application(s). The hypervisor enables
multiple VM sessions to operate alongside each other on the
virtual infrastructure that hosts those sessions, which allows
for higher utilization and more efficient allocation of physical
host machine resources.

What Are the Benefits of Virtualization?
Virtualization has been one of the hottest technology trends
for a while now. Gartner, Inc. estimates that almost half of all
x86-based servers in the data center today are virtualized,
and predicts that by 2015 more than three-quarters of all
x86-based servers will be virtualized.
Businesses are adopting virtualization for reasons that
include

Consolidating server hardware. Server virtualization
allows numerous systems and applications from multiple
physical servers to all coexist on a single physical server
(or cluster of physical servers).

Improving operational efficiency. Virtualization provides organizations with the agility and flexibility to
rapidly deploy and maintain new server and desktop systems and applications to meet business needs.

Optimizing limited resources. From maximizing CPU,
memory, and I/O utilization in physical host servers to
extending the life of desktop PC hardware, virtualization
helps businesses get the maximum return on investment
(ROI) from their IT equipment.

Lowering operating expenses (OPEX). Virtualization can
simplify systems management and reduce your data center
footprint, which lowers energy and real estate costs.


Business Security Challenges in a Virtual Environment
Although virtualization can produce significant benefits for
organizations of all sizes, a number of security challenges
must be addressed in a virtual environment. Some of the
broader security implications include agility and regulatory
compliance. I cover technical security challenges in Chapter 2.

Agility
Agility is one of the many benefits of virtualization. New VMs
can be quickly provisioned, removed, or put into a dormant
state. But the speed and ease with which these tasks are
performed can increase exposure to various security issues.
Important questions to consider include

Are new VMs deployed using an approved security
profile and in accordance with established policies?

Is the correct OS version installed and patched when
deploying new VMs?

Are adequate resources available for new VMs deployed
on a host machine?

Is a capacity analysis conducted prior to deploying new
VMs on a host machine?

How does a new VM impact the performance and security of other VMs on the host machine?

Are dormant VMs regularly scanned for known vulnerabilities and are security patches installed and current?

Are retired VMs properly removed from the virtual
infrastructure?

How is data that was previously associated with a retired
VM handled?
Although many of the preceding questions are also relevant
in physical environments, the speed with which VMs can be
deployed, brought online, and retired, as well as the constant
pressure for IT to be flexible and responsive to the needs
of the business, can create a culture of speed that forgoes
prudence. For example, deploying a physical server can take
several weeks for a typical IT organization. The steps for
deploying a new physical server might include

Defining hardware and software specifications to meet
the business requirements

Creating a bill of materials and obtaining competitive
quotes from several vendors

Obtaining budget approval and ordering the necessary
hardware and software

Identifying available physical rack space in the data
center, assessing power and cooling requirements, and
procuring additional rack space, power, and cooling, if
needed

Installing and cabling the new hardware including servers, storage, and networking equipment

Installing server operating systems and any required
applications, and configuring appropriate system settings
When internal clients and users are accustomed to having to
wait several weeks for new systems and applications to come
online, IT departments gain additional time to perform many
important activities. For example, after defining hardware and
software specifications for a new system or application, you
might analyze capacity and baseline performance and identify
system dependencies in your current infrastructure to determine whether you can install the new system or application
on existing systems. And after spending several hours installing a base operating system, system administrators almost
always spend the additional time necessary to download and
install the latest service packs, security patches, and software
patches.
However, in a virtual environment, end users can quickly
become accustomed to the on-demand universe, in which the
time to deploy a new VM from someone saying "I need it now"
to going live can literally be a matter of minutes. Important
planning and analysis, including security configurations, can
be overlooked in such a fast-paced environment. Always use
security tools that are designed for the dynamic aspects of
the virtual environment and automatically detect problems
and protect VMs instantaneously.


Regulatory compliance
Driven by the need to protect the private data (such as personally identifiable information, financial data, and health
records) of individual citizens from cybercriminals and identity thieves, governments throughout the world and at every
level have caught the regulatory bug. Information security
best practices are rapidly being codified with legal mandates
that seek to ensure that corporate governance, internal controls, business processes, and operations of organizations in
various industries are safe, sound, and secure.
With more than 400 regulations and over 10,000 overlapping
controls in more than 50 countries worldwide, compliance
has become a challenging and complex mandate for every
organization.
These regulations often require specific controls, corporate
compliance programs, audits, and public disclosures, and levy
stiff penalties for noncompliance. Some of the more significant
information and data security regulations include:

FISMA (Federal Information Security Management Act): Applicable
to U.S. Government agencies and contractors. Requires
implementation of information security processes in
accordance with FIPS (Federal Information Processing
Standards) and NIST (National Institute of Standards and
Technology) guidance.

HIPAA (Health Insurance Portability and
Accountability Act): Security and Privacy Rules apply to
covered entities and their business associates in the
healthcare industry.

HITECH (Health Information Technology for Economic and
Clinical Health Act): Provides funding for electronic health
records (EHR) and safe harbor from disclosure requirements
for breached data that is encrypted, among other things.

PCI DSS (Payment Card Industry Data Security Standard):
An industry mandate that establishes information security
requirements for organizations that process payment card
transactions (such as credit and debit cards).

SOX (Sarbanes-Oxley): Publicly traded companies must
implement a framework of computer controls. Several
mandates can't be accomplished without prudent use of
technology and information security.

The rapid pace and constantly evolving nature of technology
makes attaining and maintaining regulatory compliance very
difficult. Furthermore, regulatory requirements typically lag
behind specific technologies and their security implications.
Although most regulatory requirements don't address specific
technologies (encryption being one notable exception), some
regulatory bodies have begun attempting to address the reality that virtualization has become a significant trend in data
centers everywhere.
For example, the PCI Security Standards Council (SSC) has
issued virtualization guidelines. These guidelines arent
additional regulatory requirements, but instead provide
standard definitions of virtualization concepts and technologies, address specific risks for virtualized environments, and
provide recommendations for remediating security risks in a
virtual or cloud environment.
The PCI DSS Virtualization Guidelines (June 2011) provide
four principles that apply to virtualization in cardholder data
environments. These principles, in summary, are

PCI requirements apply to virtualization technologies
used in cardholder environments.

Virtualization introduces unique risks that must be
assessed.

When implementing virtualization, thorough discovery,
identification, and documentation of the environment is
necessary.

There is no one-size-fits-all solution to security in a virtualized environment.
Some specific risks addressed in the PCI Virtualization
Guidelines, which I discuss in further detail throughout this
book, include

Vulnerabilities in physical environments also applying in
virtual environments

Hypervisors creating a new attack surface

Virtual environments introducing increased complexity

Virtualization breaking the one-function-per-physical-server deployment model

Virtual machines (VMs) with different trust levels (for
example, inward- and outward-facing applications,
and different security policies) existing on the same
physical host

Lack of separation of duties between system administrators who all need access to the virtual environments

Patching and updating of dormant VMs

Sensitive data contained in VM images and snapshots

Insufficient logging and monitoring in the virtual
environment

Data leakage between virtual network segments and
components
Although the differences between physical and virtual environments may seem obvious, knowing the specifics is crucial
to the proper assessment and architecting of security solutions that you implement in your virtual environment. In
Chapter 2, I explain some of the specific technical security
challenges in a virtual environment.

Cloud and Virtualization


Cloud computing's growth has been driven by virtualization
and its lowered cost of computing resources, achieved by allowing multiple unrelated entities to share those resources. Achieving
very high VM density and ever-greater hardware utilization in
cloud infrastructure allows cloud providers to offer high value
at low cost and easy access for any size business. The ability
to dial computing power up and down at a moment's notice
provides flexibility to better balance computing requirements
with user and market demand. Now, many companies include
cloud resourcing as a part of their everyday computing mix,
which has created a new model of hybrid environments that
combines physical and virtual systems for individual and
server deployment, both within company sites and corporate
data centers, as well as transparently incorporating cloud
computing into the mix. The benefits are obvious, as companies can better resource infrastructure based on a number
of variables such as seasonal need, individual roles, or using
the best type of computing resource in order to meet various
compliance regulations.

Chapter 2

Virtual Server Security


In This Chapter
Recognizing security challenges in a virtual environment
Using the right security solution for your environment
Looking at data protection in the cloud

Security tools designed for physical systems have limitations that restrict their effectiveness in virtual environments. These limitations may also reduce or eliminate many
of the benefits of virtualization when security tools designed
for physical systems are redeployed or repurposed in virtual
environments. In this chapter, I explain these challenges and
how they negatively impact virtual server environments, as
well as how virtual-aware security solutions can help you
address these challenges.

Security Challenges Specific to the Virtual Environment
A virtual infrastructure software platform is essentially a virtual hosting environment that is subject to the same security
issues as physical environments, with some additional challenges that are unique to virtual systems. The hypervisor in
a virtual environment is somewhat analogous to a network
router in a physical environment. Individual virtual machines
(VMs) and applications pass their network traffic through the
hypervisor en route to other virtual or physical systems, or
to client devices. Because the hypervisor is part of a closed
system within the virtual infrastructure, many security
products such as firewalls and network intrusion detection
systems/intrusion prevention systems (IDS/IPS) are blind
to hypervisor traffic, thereby creating a significant area of
exposure and a very attractive attack vector, particularly
given the varying mix of applications that can be installed
as VMs on a physical host machine.
Not only does the lack of visibility into inter-VM traffic create
an unacceptable risk due to the possibility of unknown threat
traffic passing through the hypervisor, it also causes potential
performance issues that are actually caused by traditional
security agents, such as antimalware software installed on individual VMs downloading updated signature files on a scheduled basis. These conditions negatively impact the security and
performance of a virtual environment, as well as the potential
benefits due to a lower density of VMs per physical host.
Finally, dormant VMs and VM migrations can create unique
security challenges in the virtual environment as well.

Inter-VM communications

Deploying a virtual environment doesn't change the way you should architect your system environment. As in a physical environment, your private or inward-facing systems and applications should be separate from your public or outward-facing systems and applications. Always avoid putting inward- and outward-facing systems and applications on the same physical hardware. Mixing inward-facing (for example, a company payroll system) and outward-facing (for example, a web application for partners) applications may needlessly expose internal applications that contain sensitive internal information to the outside world. An outward-facing VM provides a doorway to all other VMs on the same host machine via the hypervisor (see Figure 2-1).

According to industry research, as many as 70 percent of all VMs are outward-facing, which means there is a high probability that at least one application running on your VM host machines is being accessed by users you don't know or trust, and can't control.

Figure 2-1: An outward-facing VM can be used as a launch pad to attack other VMs on the same host machine via the hypervisor.

VMs communicate via the hypervisor for standard operations between clients and servers (north-south traffic) and for communications between VM servers (inter-VM communications, or east-west traffic). Inter-VM communications may expose VMs to unexpected traffic (for example, when different application types are mixed on one host). Traditional security tools, such as firewalls and IDS/IPS deployed to manage and protect physical systems on a physical network segment, can't monitor inter-VM communications in a virtual environment. This means your traditional firewalls and IDS/IPS can't protect your VMs from many types of attacks, because they can only see traffic between physical systems. To monitor and protect the traffic between VMs, you need security solutions that are designed to operate in a virtual environment and can therefore monitor and protect inter-VM communications.
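The blind spot described above can be checked against your own inventory. The following Python is an added example, not code from the book or from Trend Micro: it takes a constructed VM-to-host placement (each VM tagged inward- or outward-facing) and constructed flow records, classifies each flow as north-south, east-west across hosts, or intra-host, and reports the intra-host flows that a firewall or IDS on the physical segment would never see, plus any host that mixes inward- and outward-facing VMs. All names, hosts, addresses and the tagging scheme are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed placement: VM name -> (physical host, exposure). Names, hosts and
# the 'inward'/'outward' tagging are hypothetical, for this example only.
PLACEMENT: Dict[str, Tuple[str, str]] = {
    "payroll-db":  ("host-A", "inward"),
    "partner-web": ("host-A", "outward"),   # outward-facing VM sharing host-A with payroll
    "intranet":    ("host-B", "inward"),
    "hr-app":      ("host-B", "inward"),
    "public-web":  ("host-C", "outward"),
}


@dataclass(frozen=True)
class Flow:
    """One observed connection; an endpoint that is not a VM is a client or external host."""
    src: str
    dst: str
    dport: int


def mixed_hosts(placement: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Hosts carrying both inward- and outward-facing VMs (the placement the chapter
    says to avoid), mapped to the VMs on them."""
    by_host: Dict[str, List[str]] = {}
    for vm, (host, _) in placement.items():
        by_host.setdefault(host, []).append(vm)
    return {
        host: vms
        for host, vms in by_host.items()
        if {placement[vm][1] for vm in vms} >= {"inward", "outward"}
    }


def classify(flow: Flow, placement: Dict[str, Tuple[str, str]]) -> str:
    """'north-south': at least one endpoint is not a VM (client/server traffic)
       'east-west'  : VM to VM on different hosts (crosses the physical network)
       'intra-host' : VM to VM through one hypervisor (never reaches the physical segment)"""
    if flow.src not in placement or flow.dst not in placement:
        return "north-south"
    if placement[flow.src][0] == placement[flow.dst][0]:
        return "intra-host"
    return "east-west"


def audit(flows: List[Flow], placement: Dict[str, Tuple[str, str]]) -> Dict[str, list]:
    """Summarise what a firewall/IDS on the physical segment cannot see, and which of
    those unseen flows run from an outward-facing VM into an inward-facing one."""
    unseen = [f for f in flows if classify(f, placement) == "intra-host"]
    exposure = [
        f for f in unseen
        if placement[f.src][1] == "outward" and placement[f.dst][1] == "inward"
    ]
    return {"unseen_by_physical_ids": unseen,
            "outward_to_inward": exposure,
            "mixed_hosts": sorted(mixed_hosts(placement))}


# Constructed flow records for the demo (not captured traffic).
FLOWS = [
    Flow("203.0.113.7", "partner-web", 443),    # partner browser -> web VM: north-south
    Flow("partner-web", "payroll-db", 5432),    # through host-A's hypervisor: unseen
    Flow("intranet", "hr-app", 8080),           # through host-B's hypervisor: unseen, inward->inward
    Flow("public-web", "payroll-db", 5432),     # host-C -> host-A: crosses the physical network
    Flow("intranet", "public-web", 80),         # host-B -> host-C: crosses the physical network
]

if __name__ == "__main__":
    for key, value in audit(FLOWS, PLACEMENT).items():
        print(f"{key}: {value}")
```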

Resource utilization

Another major benefit of virtualization technology is that it maximizes the efficient use of physical server resources. Many typical server applications utilize as little as 5 percent of a CPU's total capacity and only 30 to 40 percent of the available memory in a physical server.

Given this level of underutilization and the excess capacity that's available on physical servers, traditional security software running on dedicated server hardware normally has all the CPU, memory, and I/O resources that it needs to perform its security operations, and rarely has to compete with other software applications for those resources. For example, traditional antimalware software uses all of a server's available resources as needed to perform functions like scanning and quarantining infected files. Security software also tends to have very spiky resource needs, at times requiring minimal resources as it monitors the server for certain activities or trigger events, and at other times requiring intensive resources to quickly scan and protect the server from a new threat.

On a dedicated physical server, this resource allocation model works relatively well, because all the physical server's resources are available to the operating system (OS), its installed applications, and the security software. The OS manages all available resources and ensures that security tasks are properly prioritized, so that the OS and any running applications run correctly and are appropriately protected.

A typical deployment of individual applications installed on separate physical servers is depicted in Figure 2-2. A security agent is installed on each of the physical servers to scan and protect the OS and application. The individual security agents communicate with an external site to get updates to their threat information.

Figure 2-2: Traditional physical servers with individual applications and security agents installed.

By comparison, a physical host machine in a virtual environment will tend to have much higher average utilization of its computing resources. In a virtualized environment, the hypervisor (see Chapter 1) manages the allocation of the physical host machine's resources among all the VMs running on that host machine. But no matter how large the physical server that may be deployed to run this virtual ecosystem, there is still a fixed amount of hardware resources, such as CPU, memory, and I/O.

Security software that is designed for physical systems isn't virtual aware. That means it has no mechanism to tell that it's installed in a virtualized environment, where it has to share server resources among many VMs on the same physical host machine. Although a hypervisor is designed to handle spikes in resource demand, when traditional security software is running in a virtual environment it can cause problems for all the VMs deployed on a physical host. For example, if you have several VMs installed on a single physical host with each VM running a traditional antimalware security agent, a single triggered event may cause all the VMs to simultaneously run a full system scan. This can immediately deplete the available system resources on the physical host and cripple the performance of the hosted applications.

Figure 2-3 depicts traditional agent-based antivirus/antimalware security software designed for a physical system, but deployed in a virtual environment. As in the physical deployment model, the installed security agents will scan individual files for threats on each VM, and perform periodic partial or complete scans of each VM's system, applications, and files. The individual security agents will also regularly communicate with an external site to get updates to their threat information, which can bring the physical host system and the network to a crawl.

These resource-contention issues can force IT organizations to implement less-than-ideal practices, such as overallocating resources to account for dynamic, spiky security activities and scans, to ensure that virtualized applications have acceptable levels of performance. Unfortunately, having to account for the intermittent nature of these security agents can significantly reduce the number of VMs you can install on a host platform.

Figure 2-3: Traditional security agents designed for physical systems installed in a virtual environment.

Dormant VMs

Dormant servers (that is, servers that have been powered off or have otherwise been inactive for extended periods of time) present security challenges in any data center environment, whether physical or virtual. Dormant servers (or dormant VMs in a virtual environment) tend to get overlooked when operating system updates, security patches, and threat updates or signature files are applied to systems as part of a regular maintenance cycle. When these dormant servers are powered on and placed in service, they're more likely to be vulnerable to threats that have previously been patched or updated on other production systems. Thus, a dormant server can put your entire data center at risk by providing a compromised point of entry into your network.

In a physical server environment, dormant servers are usually less prevalent than in virtual environments. Many IT organizations lack the management tools to easily power physical server hardware on or off in a remote data center. Physical hardware is also relatively expensive. Therefore, most organizations typically procure new server hardware only when it's needed, preferring not to have expensive hardware sitting dormant in a data center rack and taking up valuable space. In fact, the lack of blinking lights in a rack would give most IT administrators a brief panic attack, fearing that a production system has been inadvertently shut down or is malfunctioning.

However, a dormant VM in a virtual environment is a different matter entirely. The ease with which VMs can be created and powered up or down (discussed in Chapter 1), and the general lack of any real incremental costs associated with dormant VMs, often leads to server sprawl in the data center. Many other data center systems and technologies also take advantage of a virtual environment's ability to dynamically create or power up VMs, such as when a server crashes or a load threshold is reached. For example, load balancers may automatically power up additional virtual web servers during peak periods of activity in order to maintain the required performance level for a popular website. A dormant VM web server that has not been properly patched could almost instantaneously put an organization's entire web infrastructure at risk if powered on automatically by a load balancer.

Centralized management tools (such as vCenter for VMware) can help IT administrators keep track of all VMs, including dormant VMs, in a virtual environment. However, the problem of patching and updating dormant VMs is still a very manual, but important, security task in most cases.
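The load-balancer scenario above is where a compliance gate belongs: before an orchestrator powers a VM into service, it should be held against the current patch and signature baseline. The Python below is an added example, not from the book or from any management product; it runs a dormant-VM audit over a constructed inventory and implements the scale-out decision so that stale VMs are held back for patching instead of being started. The VM fields, the YYYY-MM patch tag scheme, and the dormancy threshold are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass
class VM:
    name: str
    powered_on: bool
    last_seen_on: datetime      # last time the VM was observed running
    patch_level: str            # OS patch baseline the VM was last brought to (YYYY-MM tag)
    signature_version: int      # threat signature set present on the VM


@dataclass
class Baseline:
    patch_level: str            # what every production system currently carries
    signature_version: int
    dormant_after: timedelta = timedelta(days=30)


def compliance_gaps(vm: VM, baseline: Baseline) -> List[str]:
    """Why this VM would come up stale, or [] if it matches the baseline."""
    gaps = []
    if vm.patch_level < baseline.patch_level:       # YYYY-MM tags compare as strings
        gaps.append(f"OS patches at {vm.patch_level}, baseline is {baseline.patch_level}")
    if vm.signature_version < baseline.signature_version:
        gaps.append(f"signatures v{vm.signature_version}, baseline is v{baseline.signature_version}")
    return gaps


def is_dormant(vm: VM, baseline: Baseline, now: datetime) -> bool:
    return not vm.powered_on and now - vm.last_seen_on >= baseline.dormant_after


def dormant_audit(inventory: List[VM], baseline: Baseline, now: datetime) -> Dict[str, List[str]]:
    """The maintenance-cycle check: dormant VMs that have fallen behind the baseline."""
    return {vm.name: compliance_gaps(vm, baseline)
            for vm in inventory
            if is_dormant(vm, baseline, now) and compliance_gaps(vm, baseline)}


def select_for_scale_out(pool: List[VM], baseline: Baseline,
                         needed: int) -> Tuple[List[str], Dict[str, List[str]]]:
    """The gate a load balancer or auto-scaler should pass through before powering
    VMs on: returns (names it may start, names held back with the reasons)."""
    ready: List[str] = []
    held: Dict[str, List[str]] = {}
    for vm in pool:
        if vm.powered_on:
            continue
        gaps = compliance_gaps(vm, baseline)
        if gaps:
            held[vm.name] = gaps            # patch first, then release to the pool
        elif len(ready) < needed:
            ready.append(vm.name)
    return ready, held


# Constructed web-server pool and baseline (hypothetical names, dates and versions).
NOW = datetime(2013, 3, 1, tzinfo=timezone.utc)
BASELINE = Baseline(patch_level="2013-02", signature_version=420)
POOL = [
    VM("web-1", True,  datetime(2013, 3, 1, tzinfo=timezone.utc),   "2013-02", 420),
    VM("web-2", False, datetime(2013, 2, 25, tzinfo=timezone.utc),  "2013-02", 420),  # recently off, current
    VM("web-3", False, datetime(2012, 11, 10, tzinfo=timezone.utc), "2012-10", 300),  # dormant and stale
    VM("web-4", False, datetime(2013, 2, 20, tzinfo=timezone.utc),  "2013-02", 410),  # off briefly, signatures behind
    VM("web-5", False, datetime(2012, 12, 1, tzinfo=timezone.utc),  "2013-02", 420),  # dormant but patched offline
]

if __name__ == "__main__":
    print("dormant and stale:", dormant_audit(POOL, BASELINE, NOW))
    print("scale-out decision:", select_for_scale_out(POOL, BASELINE, needed=2))
```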

VM migrations

Another important capability in virtual environments is the ability to move VMs between physical hosts, in order to dynamically manage server resources or loads, or for disaster recovery purposes. A VM can move from one physical host to another in the same data center, or to other data centers located throughout the world.

VM migrations create complex security challenges, including the following:

- How do you ensure that appropriate security policies are applied to individual VMs as they move from one physical host or data center to another?

- What happens when a VM moves to a physical host machine with a different level of security protection?

- How do you protect a VM while it is migrating from one physical host to another?

Traditional firewalls and IDSs/IPSs are installed on physical network segments, and therefore can't adequately protect VMs as they migrate from one physical host to another or from one data center to another.

Having a "sticky" security solution (one that moves with a particular VM) that's either agent-based or agentless enables you to have different security settings for each VM in your virtual environment, regardless of the physical host machine that a particular VM is located on at any given time.

Addressing Virtual Security Challenges with Virtual-Aware Solutions

A virtual-aware security solution is designed for virtual, as well as physical, environments. With this type of solution, you can still install individual security agents on dedicated physical servers when needed. In the virtual environment you can deploy a virtual appliance (see Figure 2-4), which performs all the functions of a security solution as a single VM instance. The virtual appliance monitors all VMs via the hypervisor. That way, no agent is required on the individual VMs, and the appliance has full visibility of inter-VM traffic on the hypervisor. The virtual appliance communicates directly with an external site to download updated threat information, which is used to protect all VMs together, including dormant VMs. This design greatly reduces network traffic and resource utilization on the physical host. In a virtual environment with many competing resources, agentless security is the most efficient way to provide robust security while maximizing your VM density per host.

Figure 2-4: Virtual-aware security appliance (secure VM) installed in a virtual environment.

In addition to an agentless virtual appliance, a complete virtual-aware security solution provides agent-based tools that are also virtual aware for different deployment scenarios and business needs. For example, you may need to deploy an agent if you're moving one of your VMs to a cloud vendor. An agent can be installed on the VM and follow it to the cloud, providing the same level of protection as though your VM were still in your data center, and allowing you to manage the VM security remotely from your local console.

Both agent and agentless security tools have appropriate uses in physical, virtual, cloud, and hybrid environments. For maximum flexibility, you need a virtual-aware, agentless, and agent-based security solution that enables you to select the deployment type that best fits your scenario without negatively impacting performance.

Addressing Data Protection in the Cloud

There's tremendous growth in the use of cloud computing, spawning an entirely new business model. It delivers the ability for companies to quickly, easily, and inexpensively modify their computing resource availability and adjust to dynamic computing resource demands. So how do companies secure against the particular risks from cloud use? How does a company ensure the same level of protection for its data in the cloud as it has when it's accessed and stored in its own data center?

Cloud vendors want your data to be safe. They support your deployment of appropriate tools to protect your VM applications from other organizations' VMs running on the same host machine or stored in shared space. These capabilities (discussed in Chapter 4) must let you monitor and block threats that may originate from other VM applications. They should also be able to protect specific applications or sensitive files and directories.

In the shared cloud world, your data is more exposed because it transits shared networks and is stored in shared storage devices with other cloud customers' data, and the location of your stored data can change based on many factors out of your control. The fact is, a cloud vendor can, and will, move your VM application between physical hosts as well as your data from one storage environment to another.

Data movement can create a problem in that there may be readable remnants of your data left at a past storage location. Protecting data traveling shared networks and stored in shared storage requires a more data-centric approach. Try utilizing a security component that allows you to set policies for data access and storage in the cloud (this can work in your own data center as well). Also use encryption to ensure data is in an unreadable state as it either transits or is stored in the cloud. This system lets you set and enforce policies for data and control it through a policy server you own and manage. Part of this is utilizing keys to encrypt and decrypt data, with defined access rights to the keys and data as per your company policies.

Chapter 3

Understanding Virtual Desktop Infrastructure (VDI) Security

In This Chapter
Recognizing issues with traditional security products in VDI deployments
Looking for better VDI security
Managing data access and security with VDI
Working with VDI and cloud

Desktop virtualization has been on the rise over the past five years. It's a logical next step for IT organizations that have already undertaken server virtualization in their data centers. Such organizations have gained the necessary knowledge and experience to support the expanded virtualization deployment required by desktop virtualization. Desktop virtualization also makes a lot of sense given the current Bring Your Own Device (BYOD) trend, which has led to a proliferation of the number and type of devices that end users bring to work.

In this chapter, you learn why traditional desktop security products and virtual desktop infrastructures (VDI) don't play well together, and how VDI itself can provide greater control of data access and security.

Understanding VDI Security Challenges

With BYOD gaining widespread acceptance, organizations of all sizes need to find different approaches to endpoint security. It is increasingly common not to own or control the devices that access your systems and data, so traditional endpoint security solutions, such as antimalware software and personal firewalls, are much less practical. For example, a small company might use a third-party billing service to input customer information into its systems, or a hospital might have patient care professionals traveling between its offices and the hospital while using personal devices (such as smartphones and tablets) in both locations to access patient records. In each of these examples, the important questions revolve around how to do the following:

- Protect your systems and data when you can't directly control the end-user devices.

- Limit access to only the applications that are required for a specific job function.

- Ensure your systems and data aren't compromised by a device that has been infected with malware.

Malware is malicious software or code that typically damages or disables, takes control of, or steals information from a computer system. Malware broadly includes viruses, worms, Trojan horses, logic bombs, rootkits, bootkits, backdoors, spyware, and adware.

In a virtual desktop infrastructure (VDI), multiple desktop operating systems and/or applications are hosted as virtual machines (VMs) on a physical server running a hypervisor (see Figure 3-1). Some big problems arise when traditional security products run in a VDI environment, as in a virtual server environment (see Chapter 2). Traditional server security products run on the host machine, not the virtual desktops, and therefore can't parse scans or manage resources between the virtual desktops. These limitations can slow down or even potentially stop the host application from responding to requests from the virtual desktop client.

Figure 3-1: Virtual desktops running in a VDI environment.

VDI isn't the only desktop virtualization technology available, but it is quickly becoming one of the most popular implementations of virtual desktops. Other desktop virtualization technologies include remote desktop services, application virtualization, user virtualization, layering, Desktop as a Service (DaaS), and local desktop virtualization.

The problems are even worse with traditional desktop security products that are installed on individual virtual desktops. For example, when many users log into their virtual desktops at approximately the same time, such as at the beginning of the workday, traditional scanning methods can paralyze an entire VDI environment. A traditional desktop security product typically scans an entire desktop system when a user logs in, either because it is scheduled to scan upon successful login, or because the last scheduled scan (perhaps a nightly scan at 3 a.m.) couldn't be performed because the virtual desktop was dormant at that time.

As individual users access various applications and data throughout the workday, additional scans are performed according to policies that have typically been established based on a one-user-per-one-physical-desktop model. However, in a VDI environment, many virtual desktops share the same processors and memory in a single physical server. Because these scan policies are implemented without regard to resource availability, and traditional desktop security products are unaware of any resource contention issues that may exist, the impact on the virtual desktops' performance can be frustrating for your end users.

And traditional desktop security products will normally scan everything on a desktop computer, regardless of whether a directory, file, user profile, or anything else has actually changed since the last scan. Bulk scans require a lot of performance overhead, versus intelligent scans that only run when changes occur, without necessarily having any real security benefit.

In a VDI environment, the limitations of traditional desktop security products can significantly impact the number of users you can have accessing any one host VDI desktop or application, which, in turn, limits the benefits you will achieve from desktop virtualization.

Finding the Right Kind of Security to Work with VDI

The bottom line is that security solutions need to be able to adjust to the different virtual environments found in today's organizations. With VDI, your security software must be able to adapt to your computing environment, whether it is physical or virtual. This includes the ability to

- Scan and protect against introduced threats with intelligent scanning mechanisms to avoid access delays for VDI users

- Scan only what has changed, or only scan files instead of an entire desktop system, in order to reduce the demand on shared resources and allow for greater VDI density per host machine

- Use intelligent protection to automatically maintain system and desktop performance and access

- Scan dormant virtual desktops on the VDI host machine

- Protect the VDI host machine's hypervisor
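"Scan only what has changed" is simple to state but has one caveat a practitioner must handle: a file that is unchanged since the last scan was only clean against the signatures of that time, so a signature update has to invalidate the cache. The Python below is an added example, not code from the book or from Trend Micro Deep Security: a change-aware scanner that skips files by size and mtime, falls back to a content hash when metadata moved, never caches a detected file as clean, and forces a full rescan after a signature update. The desktop contents, paths and the byte "signatures" are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed byte markers standing in for a signature set. They are made up for
# this example and are not real malware patterns.
SIGNATURES_V1 = {"EXAMPLE.Marker.A": b"CONSTRUCTED-MARKER-A"}
SIGNATURES_V2 = {**SIGNATURES_V1, "EXAMPLE.Marker.B": b"CONSTRUCTED-MARKER-B"}

# A file as the agent sees it: (size, mtime, content). Held in memory here so the
# example runs offline; a real agent would stat() and read the file on demand.
FileEntry = Tuple[int, int, bytes]


@dataclass(frozen=True)
class Clean:
    """What the index remembers about a file that was last found clean."""
    size: int
    mtime: int
    digest: str


@dataclass
class ScanResult:
    findings: Dict[str, List[str]] = field(default_factory=dict)
    scanned: int = 0    # files actually read and inspected
    skipped: int = 0    # files skipped as unchanged since the last clean scan


class ChangeAwareScanner:
    def __init__(self, signatures: Dict[str, bytes], sig_version: int):
        self.signatures = signatures
        self.sig_version = sig_version
        self.index: Dict[str, Clean] = {}

    def update_signatures(self, signatures: Dict[str, bytes], sig_version: int) -> None:
        # Caveat: "unchanged since last scan" only means "clean against the OLD
        # signatures". A new signature set must invalidate the whole index, so the
        # next scan is a full one even though no file changed.
        if sig_version != self.sig_version:
            self.index.clear()
        self.signatures, self.sig_version = signatures, sig_version

    def _inspect(self, data: bytes) -> List[str]:
        return [name for name, pattern in self.signatures.items() if pattern in data]

    def scan(self, files: Dict[str, FileEntry]) -> ScanResult:
        result = ScanResult()
        for path, (size, mtime, data) in files.items():
            prev = self.index.get(path)
            # Tier 1: same size and mtime as the last clean scan -> skip without reading.
            if prev and (prev.size, prev.mtime) == (size, mtime):
                result.skipped += 1
                continue
            digest = hashlib.sha256(data).hexdigest()
            # Tier 2: metadata changed (touched, restored) but content identical -> skip.
            if prev and prev.digest == digest:
                self.index[path] = Clean(size, mtime, digest)
                result.skipped += 1
                continue
            result.scanned += 1
            hits = self._inspect(data)
            if hits:
                result.findings[path] = hits
                self.index.pop(path, None)      # never remember an infected file as clean
            else:
                self.index[path] = Clean(size, mtime, digest)
        for gone in set(self.index) - set(files):   # forget deleted files
            del self.index[gone]
        return result


def demo() -> Dict[str, Tuple[int, int, int]]:
    """Login-time scan of one virtual desktop, a rescan after one edit, then a rescan
    after a signature update. Returns (scanned, skipped, detections) per pass."""
    desktop: Dict[str, FileEntry] = {    # constructed desktop contents
        "C:/Windows/System32/kernel32.dll":  (1200, 1000, b"constructed system file"),
        "C:/Program Files/App/app.exe":      (800, 1000, b"constructed application"),
        "C:/Users/alice/report.docx":        (300, 1000, b"quarterly numbers"),
        "C:/Users/alice/Downloads/tool.exe": (64, 1001, b"xx CONSTRUCTED-MARKER-A yy"),
    }
    scanner = ChangeAwareScanner(SIGNATURES_V1, sig_version=1)
    login = scanner.scan(desktop)                      # nothing indexed yet: full scan
    del desktop["C:/Users/alice/Downloads/tool.exe"]   # detected file quarantined
    desktop["C:/Users/alice/report.docx"] = (310, 1002, b"quarterly numbers, revised")
    after_edit = scanner.scan(desktop)                 # only the edited file is read
    scanner.update_signatures(SIGNATURES_V2, sig_version=2)
    after_update = scanner.scan(desktop)               # index invalidated: full scan
    return {name: (r.scanned, r.skipped, len(r.findings))
            for name, r in [("login", login), ("after_edit", after_edit),
                            ("after_sig_update", after_update)]}


if __name__ == "__main__":
    for step, counts in demo().items():
        print(f"{step}: scanned={counts[0]} skipped={counts[1]} detections={counts[2]}")
```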

These capabilities can make a huge difference in the usability of a VDI environment, and thereby enable your organization to connect a larger number of users to a VDI desktop or host application. See the sidebar "Trend Micro Deep Security protects VDI environments and reduces costs" for an example of how a large organization can achieve higher VDI density per host machine and realize significant cost savings.

Managing Data Access and Security with VDI

In a VDI environment, your organization's data is hosted on your internal servers, which reduces your exposure to many threats. For example, your data can only be viewed during a user session, and can't be downloaded or saved to a user's local desktop. These features alone can greatly mitigate many of the risks associated with the BYOD trend by effectively eliminating data loss due to a lost or compromised device, and greatly reducing the risk of internal theft of critical information. In the case of a hospital employee accessing patient records from a tablet device, presented earlier in this chapter, a VDI session within the tablet would ensure that no data is ever stored on the device. The employee can easily access the data directly from a server application where the data resides and is protected by the hospital's various security systems.

VDI helps organizations meet various regulatory compliance requirements, particularly provisions that require strict access controls and data loss prevention to safeguard certain information. VDI also makes it easier to demonstrate compliance for both internal and external audits. Finally, VDI can greatly reduce the scope and expense of any electronic discovery requests associated with subpoenas or legal holds, because data is located on a known number of VDI host machines that can be searched relatively easily, rather than scattered across possibly hundreds or thousands of desktops in numerous geographic locations throughout the organization.

Using VDI in the Cloud

Many companies already using a hybrid computing mix have the option to utilize cloud infrastructure for VDI deployment. An example is when seasonal spikes require adding temporary staff. VDI in the cloud can help you quickly add resources for temps while protecting your data. You can easily and cost effectively provide access for temps while locking them to specific applications, ensuring your data is safely stored, and eliminating their ability to browse your network or keep and store your data locally.

Trend Micro Deep Security protects VDI environments and reduces costs

VDI is the fastest growing of all virtualization categories. Organizations adopting VDI are looking for strong desktop security with maximum server density. This can be achieved with an agentless approach to security, where server densities have been shown to be between 60 and 200 percent better than with an agent-based equivalent.

For example, an organization supporting 1,000 VDI desktops with a legacy, agent-based security system installed on each desktop can only install approximately 50 VDI desktops per physical server (according to a March 2012 Osterman Research white paper). With Trend Micro Deep Security, an organization can support approximately 80 VDI desktops per physical server.

So by using Trend Micro Deep Security, an organization would save money on physical servers, VMware licensing costs, data center costs per physical server per year, and ongoing maintenance costs of 30 percent of the initial investment in physical servers, virtualization software, and security solutions. Thus, using Trend Micro Deep Security to protect the organization's VDI environment saves a substantial amount of cash over three years.

Chapter 4

Exploring Trend Micro Virtual-Aware Security Solutions

In This Chapter
Addressing the volume and sophistication of malware threats
Getting to know the Trend Micro Deep Security solution
Safeguarding physical, virtual, cloud, and hybrid environments

A security best practice is to use security tools that are designed for and appropriate to the environment being protected. Yet, according to the Computer Security Institute's 2010/2011 Computer Crime and Security Survey, only 20 percent of the security tools in use today in virtual environments are designed for those environments. In this chapter, you learn about global threats and Trend Micro's virtual-aware security solutions, which were designed to protect virtual, cloud, and hybrid computing environments.

Protecting Against Global Threats

Today's threats come from every corner of the globe. Your organization needs to deploy security solutions that have the ability to effectively respond to threats no matter where they originate. A comprehensive security solution must have a global reach that can gather threat information from anywhere, then quickly analyze and respond to it, as well as provide you the capability to take any necessary and appropriate actions to protect your systems and network.

Examining the landscape

Changes to the threat landscape have occurred in two key areas: volume and sophistication. Protecting your networks and systems from all these threats requires more intelligent and robust protection capabilities than traditional security products can provide. An effective security solution must provide constant and complete monitoring of all computing systems throughout your organization, rather than just attempting to block threats at the edge of the network and its various access points.

Increased volume

Today, more than 1,500 variants of malware threats are discovered every hour. This means that the signature and pattern files for traditional antimalware software, even when regularly updated, can't possibly keep up, and servers and endpoints are increasingly at risk.

No matter what type of security system you use to protect your physical or virtual computing platforms, if those systems can't obtain timely information regarding new threats, your entire computing environment will be at risk.

Much of the increased volume of malware comes from low-skill hackers (known as script kiddies) who actually buy or rent ready-made malware kits, such as virus source code and botnets, to jumpstart the creation of malware variants or to quickly launch brute force attacks against networks.

Greater sophistication

The sophistication of modern threats has also increased. Malware threats can now be targeted against particular operating environments, including virtual and cloud systems. Today's modern threats exhibit advanced characteristics that include the following:

- New infection methods: Infection increasingly uses techniques such as phishing, social networking sites, and drive-by downloads. Infection also uses methods such as SSL encryption to evade traditional security solutions.

- Persistence mechanisms: Rootkits, bootkits, backdoors, and anti-AV are examples of malware programs commonly used to ensure that an attacker can continue infiltrating a system or network over an extended period of time after it has been infected.

- Stealthy communication techniques: Encryption, proxies, port hopping, and tunneling are techniques used to maintain communications with other infected systems, enable command and control of malware, and extract valuable data from a targeted system or network.

- Command-and-control functionality: This functionality allows an attacker to control, manage, and update malware to achieve specific attack objectives.

Modern threats even sound more ominous! For example, an advanced persistent threat (APT) is a type of targeted, sophisticated attack against an organization that takes place over an extended period of time, sometimes many years, for the purpose of stealing valuable and sensitive information. These types of attacks are usually carried out by criminal organizations or rogue nation-states with vast computing and hacking resources. Thus, you must defend against not only the script kiddies, but also the professional cybercriminals and cyberterrorists.

Taking a look at the Smart Protection Network
Recognizing that the threat landscape has rapidly evolved
over the past decade, Trend Micro has developed proactive
and dynamic protection capabilities.
In 2008, Trend Micro created a Global Information System
(GIS) called the Smart Protection Network (SPN) to more
effectively address both the volume and sophistication of new
and evolving threats. More than a dozen global centers make up the SPN and enable Trend Micro to discover threat
information through its security solutions and share it back to them, no matter where the threats come from.

This means that Trend Micro can instantaneously and globally share information about an attack from new malware
discovered anywhere in the world, without having to actually
download an updated signature file to protected devices. This
technique significantly reduces both the size and number
of files you need on your devices, and also means that if a
new threat is discovered on one of the more than 160 million
devices protected by Trend Micro solutions, critical threat
information can be almost instantaneously available to Trend
Micro customers around the world, thus providing protection
before systems and devices can be compromised. Forget zero-day protection; that's zero-minute protection!
The SPN maintains a reputation database of e-mail, website,
and file sharing sources. If an e-mail, website, or file originates from a suspicious or known malicious source, the SPN
can prevent it from being accessed, downloaded, or opened,
and block the source. The SPN also actively looks for and
logs vulnerabilities and exploits, and analyzes the reputation
for mobile applications, because more and more malware is
delivered via mobile applications. In addition, Trend Micro
has over 1,200 researchers actively analyzing threats, tracing
and reviewing what these threats are trying to do, and sharing threat data with end users via the SPN. Trend Micro also
responds to calls from organizations that have discovered
or suspect new threats on their networks. After analyzing a
threat, Trend Micro can develop a signature file to detect and
block the threat for that organization, and for Trend Micro's
entire global customer base, also via the SPN (see Figure 4-1).

Figure 4-1: Trend Micro's SPN provides global threat intelligence against
new and existing malware threats.

Designing Security for Virtual Environments
Traditional security products that are designed for physical
environments and aren't virtual-aware have limited effectiveness in virtual, cloud, and hybrid (a mix of physical, virtual,
and/or cloud) environments. These security products typically can't handle a high threat volume, or can simply be
bypassed in the case of security tools that must be deployed
on a physical network segment. Also, because of resource
contention issues (explained in Chapter 2), traditional security products that aren't virtual-aware can create what is basically a self-inflicted denial-of-service attack by overwhelming
a virtual or cloud-based application's ability to respond to
user or other system requests. Loading individual systems
(whether endpoints or servers, physical or virtual) with large
threat signature files is simply ineffective against today's rapidly and constantly evolving threats.
To fully secure your computing environment, a security solution must protect both your systems and your data.
Trend Micro Deep Security is a virtual-aware, agent-based or
agentless security solution (see Figure 4-2) that protects both
systems and data. Deep Security has a modular design with a
set of key components that provide protection capabilities for
virtual and cloud environments, as well as traditional physical and mixed environments. Deep Security's modular design
gives customers the ability to add individual components to
meet changing corporate and regulatory requirements, as
needed. These components include

Antimalware: Agent-based or agentless malware protection that leverages Trend Micro's SPN (explained in the
"Taking a look at the Smart Protection Network" section)
to provide real-time protection against known and zero-day malware threats without large signature file downloads or compute-intensive system scans.

Application firewall: This module helps reduce a virtual
application's attack surface while monitoring the VM
for Denial of Service (DoS) attacks and reconnaissance
scans. The application firewall can also protect a newly
started VM (or a dormant VM that is starting up).

Integrity monitoring: File integrity monitoring provides
the ability to manage access to specific directories and
files, and detect malicious or unauthorized changes to
directories, files, or even registry keys. Integrity monitoring can be deployed for a single VM application, perhaps
to protect specific data such as sensitive financial or
cardholder data or private health information.

Intrusion detection and intrusion prevention systems
(IDS/IPS): IDS/IPS can detect and block known and zero-day attacks that target system and software vulnerabilities. Deep Security leverages Trend Micro's SPN to get
dynamic and instant updates on the reputation of specific URLs, such as a link in an e-mail or a document.

Logging: This component (available only as an agent
installed on individual VMs) provides unique capabilities
for gathering, alerting, and logging security-specific traffic, and optimizing the identification of important security issues that would often be buried in a traditional
log system.

Encryption: Encryption can provide full protection for
data, wherever it's located. It also provides a policy
server to set rules for access to specific data and alert you
when unauthorized activity is detected. These capabilities reside in a system you control that also houses keys
to encrypt or decrypt data, with full audit capabilities
to help your organization meet a variety of compliance
rules. These functions permit safe utilization of cloud
computing because you have complete control of your
data's state and access.
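To make the integrity monitoring component described above concrete, here is an added example written for this page (it is not Trend Micro's or Deep Security's own implementation). It baselines a directory tree by recording a SHA-256 digest and the permission bits of every regular file, then compares a later snapshot against that baseline and reports files that were added, removed, or modified in content or permissions. The directory, file names, and the tampering steps are constructed in a temporary folder purely for the demonstration.

```python
"""Minimal file integrity monitor: baseline a directory tree, then report
added, removed and modified files.  Added example, not Trend Micro code."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to (digest, mode bits).
    Symlinks are skipped so a link swapped in later shows up as a change."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            state[rel] = (file_digest(path), path.stat().st_mode & 0o777)
    return state


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; these are the events an integrity monitor alerts on."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed directory, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "etc" / "allowed_ips").write_text("10.0.0.0/24\n")
        (root / "bin").mkdir()
        service = root / "bin" / "service"
        service.write_bytes(b"\x7fELF constructed binary\n")
        service.chmod(0o755)  # known-good permissions at baseline time

        baseline = snapshot(root)

        # Constructed unauthorized changes made after the baseline was taken.
        (root / "etc" / "allowed_ips").write_text("10.0.0.0/24\n0.0.0.0/0\n")
        service.chmod(0o777)                      # permissions changed, content same
        (root / "etc" / "app.conf").unlink()      # protected file deleted
        (root / "bin" / "helper").write_bytes(b"new unexpected file\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline must be stored somewhere the monitored system cannot rewrite (the text's point about a separate policy server applies here too); otherwise an intruder who can change files can also change the record of what they should look like.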
Each of these Deep Security components can run on the individual VMs, as an agent, in a variety of virtual infrastructures,
including VMware, Microsoft, and Citrix, to name a few.
In a VMware environment, Deep Security can run as an
agent-based solution installed on individual VMs, or as an
agentless virtual appliance that runs directly on the physical
host machines in the virtual environment. Trend Micro and
VMware codeveloped a set of APIs in the VMware ecosystem.
Using these APIs, the Deep Security virtual appliance has
complete visibility of all hypervisor and inter-VM traffic on the
physical host machine, allowing you to generally get a higher
density of VMs per physical host machine than is possible
with an agent-based solution.
Trend Micro Deep Security agents are virtual-aware and
therefore don't overwhelm computing resources in a virtual
environment, so they don't starve applications of access to
those resources.

Figure 4-2: Trend Micro Deep Security agent-based and agentless,
virtual-aware solutions.

In a virtual environment, the hypervisor is a physical host
machine's network: each of the host machine's VMs and
their applications communicate with and through the hypervisor. Inter-VM communications allow VMs to communicate
with other VMs (east-west traffic), as well as with the outside
world (north-south traffic). Deep packet inspection allows you
to look for anomalous behavior that can be an indicator of a
new threat or attack. For example, a DoS (denial of service)
attack that may be targeted against a specific application
(perhaps an outward-facing application) may cripple every
other VM and application on the physical host machine.


The capability to monitor and inspect inter-VM traffic so
that you can block threats to other VMs on a physical host
machine that may have originated from a compromised VM
on the same physical host is critical. To monitor threats in a
virtual environment, you need to monitor traffic going to and
from each VM via the hypervisor.

The only way to effectively monitor inter-VM traffic and react
to threats on a per-VM basis or on an entire physical host is
via an agent-based or agentless virtual security appliance that
also resides on the host machine.
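The east-west/north-south distinction and the DoS indicator discussed above, as an added example that is not Deep Security's code: it classifies constructed hypervisor flow records by whether both endpoints are VMs on the same host, and flags a source VM that opens an abnormal number of connections to a neighbour inside a short window. It works on flow summaries rather than the deep packet inspection the text describes, so it is a rate heuristic, not a content check. The VM subnet, the flow records, the window size and the threshold are all assumptions made for the demonstration.

```python
"""Classify inter-VM (east-west) versus external (north-south) flows seen at
the hypervisor and flag a source VM whose connection rate looks like a DoS.
Added example with constructed flow records; not Trend Micro's code."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumption: all VMs on this physical host live in one private subnet.
HOST_VM_SUBNET = ip_network("10.20.0.0/24")

# Flow summaries an agentless appliance might receive from the hypervisor.
# Fields: (timestamp_seconds, src_ip, dst_ip, dst_port).  Constructed data.
FLOWS = [
    (0.0, "10.20.0.11", "10.20.0.12", 3306),      # web VM -> database VM
    (0.5, "10.20.0.11", "93.184.216.34", 443),    # web VM -> Internet
    (1.0, "10.20.0.13", "10.20.0.12", 5432),      # app VM -> database VM
    (2.0, "198.51.100.7", "10.20.0.11", 443),     # Internet client -> web VM
] + [
    # one VM opening 60 connections to a neighbour within two seconds
    (10.0 + i * 0.03, "10.20.0.14", "10.20.0.12", 80) for i in range(60)
]


def direction(src: str, dst: str) -> str:
    """East-west when both ends are VMs on the host, otherwise north-south."""
    inside = (ip_address(src) in HOST_VM_SUBNET, ip_address(dst) in HOST_VM_SUBNET)
    return "east-west" if all(inside) else "north-south"


def summarize_directions(flows) -> dict:
    """Count flows per direction; useful to see how much traffic never
    leaves the host and so is invisible to an edge appliance."""
    counts = defaultdict(int)
    for _, src, dst, _ in flows:
        counts[direction(src, dst)] += 1
    return dict(counts)


def detect_bursts(flows, window: float = 2.0, threshold: int = 50) -> list:
    """Flag any source whose new-connection count within `window` seconds
    exceeds `threshold`.  Returns one (src, dst, count, first_ts) tuple per
    offending source, recorded when the threshold is first crossed."""
    recent = defaultdict(deque)   # per-source sliding window of timestamps
    alerts = {}
    for ts, src, dst, _ in sorted(flows):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (src, dst, len(q), q[0])
    return list(alerts.values())


if __name__ == "__main__":
    print(summarize_directions(FLOWS))
    for src, dst, count, first in detect_bursts(FLOWS):
        print(f"burst: {src} -> {dst}, {count} connections since t={first}")
```

Because the burst flows never cross a physical network segment, a perimeter appliance would not see them; a hypervisor-resident appliance, as the text argues, is the vantage point from which this kind of check can run.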

Securing Every Aspect of Your Computing Environment
Having purpose-designed security solutions for your virtual
and cloud environments is critical, but you also need to protect your physical environment, including servers, endpoints
(desktop and laptop PCs, tablets, and smartphones), and
certain applications. Every activity in a computing ecosystem today touches all kinds of computing platforms, travels
unknown paths, and requires security appropriate for those
devices, applications, and activities. To protect anything
(applications, systems, or data) in today's modern computing
environment, you must protect everything, though not necessarily at the same levels.
A data classification scheme helps an organization assign a
value to its information assets based on their sensitivity to loss
or disclosure. Such a scheme can also determine the appropriate level of protection. Data classification schemes may be
mandated for regulatory or other compliance requirements. It
is neither practical nor desirable to apply a single protection
standard to all of your organization's data.
Trend Micro Deep Security protects physical and virtual data
center environments, as well as private and public cloud
models and mixed physical/virtual/cloud environments (see
Figure 4-3). Trend Micro also offers Deep Security as a Service,
which provides an on-demand security model as another
option for organizations that use the public cloud for some or
all of their systems and applications.


Figure 4-3: Trend Micro Deep Security protects physical, virtual, private,
and public cloud environments, as well as hybrid environments.

Real savings and security with virtual-aware solutions
When you deploy security solutions that are specifically designed for a particular environment, such as virtualization, the payback, measured in terms of utilization and operational efficiency, can more than offset the cost of such a security solution. Some examples of these savings include

Licensing: A virtual-aware security solution leverages capabilities of the virtual infrastructure, such as resource management, enabling you to increase the density of virtual machines (VMs) on each host machine and potentially reducing your licensing costs (for example, Windows Server Datacenter Edition and VMware per-processor licenses).

Hardware, physical space, energy: Deploying more VMs on each host machine can reduce your need for additional server hardware and your data center footprint. When properly managed, a virtual infrastructure can also reduce your energy costs, such as power and cooling.
Management: Fewer physical servers mean less management overhead. Even in situations that require deploying just one VM to one host machine, the capability to manage all your VMs and physical servers with the same virtual-aware security tools greatly simplifies the management of your entire data center. It also reduces the risk of introducing additional threats or vulnerabilities due to configuration errors resulting from complexity.

Cloud: As organizations increasingly move systems and business-critical applications to the cloud, they must address the cloud's security challenges. It isn't possible to deploy physical security appliances in the cloud, so many organizations must rely upon the cloud service provider for their security needs. This fact alone may lead many organizations to delay the move to the cloud or forego cloud initiatives altogether. However, virtual-aware security solutions, which by their nature are themselves virtual, can be deployed in the cloud. In other words, systems and applications in the cloud can be managed with the same security solutions used to manage your virtual systems and applications in the data center.
When organizations deploy virtual-aware security solutions, they're typically able to achieve consolidation densities of VMs or VDI desktops as high as three times more than is possible with traditional security tools. This is obviously an easy measurement for a cost savings analysis, and because virtual-aware security solutions are more efficient than traditional security tools and designed to be self-protecting, they eliminate the vulnerabilities unique to virtual environments that traditional security products can't address.


Chapter 5

Ten Important Capabilities to Look For in a Virtual-Aware Security Solution
In This Chapter
Evaluating virtual-aware security solutions

Securing virtual and cloud environments isn't as simple
as tweaking a few scan and update settings in traditional
antivirus/antimalware software. Such an approach doesn't
address the reality that virtual environments are very different from physical environments. To effectively deal with these
differences, you need to deploy security solutions that are
designed to work in virtual environments, rather than trying
to repurpose existing security software that is ineffective in
the virtual world.
Here's a checklist of key capabilities to look for in a virtual-aware security solution:

Works in mixed environments. Operates in physical,
virtual, and cloud environments, using either an agent or
agentless installation.

Manages servers and desktops through a single pane of glass. Manages both servers and desktops, whether physical or virtual, through a single management console.


Automatically adjusts resource usage. Automatically
adjusts to the environment where it is deployed
(particularly virtual environments) so that performance
levels won't be compromised by a security solution.

Migrates with virtual systems. Security protections
dynamically migrate with VMs between physical host
machines or in the cloud.

Provides add-on capabilities as needed. Deploy only the
capabilities required for your environment and add capabilities as your security requirements evolve, without
having to redeploy or reconfigure your entire security
solution.

Protects dormant VMs. Dormant VMs can be started up
quickly in a virtual environment. If not properly scanned
and protected before being brought online, a dormant
VM can expose your entire virtual environment to security threats.

Logs relevant security information. A security-specific
logging system, whether in a physical, virtual, or cloud
world, gives you relevant information on activity that may
be related to a threat, providing more focus and less
content to analyze.

Filters unpatched systems. Protects unpatched systems
against known vulnerabilities by putting a filter in place
to protect them. The same approach covers older systems that the manufacturer no longer supports, and custom systems and applications, with filters you can write to protect against a known vulnerability.

Implements minimum security configuration management rules and profiles. Automatically extends security
configuration management rules and profiles to new
hosts and their VMs, without having to reconfigure each
system as it's started up. With a baseline security configuration established, systems that require additional
security safeguards can be dealt with more effectively
on an as-needed basis.

Meets regulatory requirements. Provides add-on
security modules designed to meet specific regulatory
requirements, such as PCI, in a virtual world.


Appendix
adware: Malware advertising programs that often appear as
pop-up banners or windows.
APT (advanced persistent threat): A sustained Internet-borne attack usually perpetrated by a group with significant
resources, such as organized crime or a rogue nation-state.
authentication: The process of verifying the identity of a user,
computer, or service.
backdoor: Malware that allows an attacker to bypass authentication mechanisms to gain unauthorized access to a system
or application.
bootkit: Malware that is a variation of a rootkit, often used to
attack an encrypted hard disk.
bot: A target machine that is infected by malware and is part
of a botnet (also known as a zombie).
botnet: A broad network of bots working together.
Bring Your Own Device (BYOD): Allowing individual users to
use their personal smartphones, tablets, and other computing
devices in the workplace for both personal and business use.
consumerization: A current trend in which users increasingly
find personal technology and applications that are more
powerful or capable, more convenient, less expensive, quicker
to install and easier to use than corporate IT solutions. See
also BYOD.
data integrity: The accuracy and consistency of information
during its creation, transmission, and storage.
defense in depth: A strategy for achieving information
security by using multiple layers of defense.


hypervisor: The key component in a virtual infrastructure
platform layer that enables communication between virtual
machines and manages resource usage between the virtual
machines and the physical host machine.
intrusion detection system (IDS): A hardware appliance or
software agent that detects and reports on suspected network
or host intrusions.
intrusion prevention system (IPS): A hardware appliance or
software agent that detects and blocks suspected network or
host intrusions.
logic bomb: Malware that performs a malicious function when
a predetermined condition occurs, such as a specific date or
calculation.
malware: Malicious software or code that typically damages
or disables, takes control of, or steals information from a computer system. See also adware, backdoor, bootkit, logic bomb,
rootkit, spyware, Trojan horse, virus, and worm.
operating system environment (OSE): A server or desktop
operating system representing a complete computer system
and running in a virtual or physical environment.
phishing: Using social engineering techniques via e-mail to
trick users into providing personal information.
rootkit: Malware that provides privileged access to a computer, such as administrator or root-level permissions.
security agent (SA): A software component that is installed
on a server or desktop computer and performs a specific
security function, such as antimalware protection or intrusion
detection.
spyware: Malware that collects information about a user's
Internet usage or private data.
threats: Events and conditions that may occur and, if they
do, constitute a risk to systems or data.
Trojan horse: Malware that masquerades as a legitimate
program, but actually performs other functions.

virtual-aware security: Security software that has built-in
intelligence to tell it is running in a virtual environment and
can accommodate its operations such that the rest of the VM
applications will continue to have enough resources to perform as expected.
virtual desktop infrastructure (VDI): A desktop operating
system within a virtual machine that provides a virtual
desktop to end users from a centralized physical server.
virtual machine (VM): A software representation of a physical computer, such as a server or desktop computer, which
includes an operating system and applications. Also known
as a guest machine.
virus: Malware that embeds itself in another program, such as
an e-mail attachment, and requires an end-user action, such
as opening an attachment, to replicate itself.
vulnerability: The absence or weakness of a safeguard in a
system or application that makes a threat potentially more
harmful or costly, more likely to occur, or likely to occur more
frequently.
worm: Malware that quickly replicates itself from computer
to computer across networks, without requiring any end-user
action.
