Virtual machine isolation is an effective strategy for keeping malware from spreading across an entire cloud environment. Ed Moyle explains what businesses need to know about isolation technologies.
Joseph Lister is the father of modern surgery, best known for his pioneering contributions to antiseptic surgical methods. Beginning in 1865, Lister applied carbolic acid (phenol) to wounds, instruments, and surgeons' garments.
One of the interesting things about Lister's story is that the medical establishment was not ready to accept the practical changes his method demanded. Surgical instruments of the time often contained porous materials, such as wood, that could harbor infection, and garments, including gloves, were often reused from one operation to the next. While Lister's approach was groundbreaking and led directly to better outcomes for patients, the reality was unforgiving: achieving the best results required detailed investigation, transformation of existing practice, and a cultural reorientation.
In today's security world, Lister's approach can be likened to virtual machine (VM) isolation techniques: using segmentation and sandboxing to control cloud risk. For example, in his 2016 Black Hat conference keynote, White Ops co-founder Dan Kaminsky outlined a microsandboxing technology called Autoclave, designed to confine applications so that they and the systems and system components around them cannot infect one another. The point of the technology is to create an isolated, controlled environment in which critical, security-sensitive tasks can be performed.
Containerized platforms such as Docker or Rocket (rkt) are another route to isolation, and although they are usually adopted for operational benefits, they are increasingly used for cloud security purposes as well. Because container images are built from declarative definitions rather than hand-applied configuration, containers minimize ad hoc, one-off changes to running systems. They can also be used as a strategy to rationalize patching (rebuild and redeploy the image rather than patch in place) and to introduce additional segmentation between the components of a running application. One caveat a practitioner should keep in mind: containers share the host kernel, so the boundary they provide is weaker than a hypervisor's. Treat a container as a guard against accidental cross-contamination and as a unit of least privilege, not as a substitute for a VM boundary against a determined attacker.
Finally, software-defined perimeter (SDP) and micro-segmentation technologies have emerged as options for introducing virtual machine isolation in cloud environments. SDP creates what the Cloud Security Alliance calls a "black cloud": a virtual perimeter in which resources are invisible until a client has authenticated, and which can be extended into cloud environments such as infrastructure as a service. This allows an organization's internal network perimeter to extend into the cloud.
Micro-segmentation at the network layer lets organizations attach security policy to specific workloads rather than to network locations, and enforce that policy anywhere in the ecosystem, including the workload's connectivity to security tooling such as intrusion detection systems, malware scanning, and vulnerability scanning.
For Enterprises, VM Isolation Is Possible
These virtual machine isolation methods are not equivalent; they differ in scope and implementation. That said, they have a few things in common. First, they all help mitigate certain types of threats that arise in cloud environments. Second, just as Lister's method required painstaking investigation, so do these VM isolation methods: there is no simple migration from a traditional, non-isolated approach to any of these isolation models. Currently, none of the major vendors support Autoclave, Kaminsky noted.
Over the years, adoption of SDP has been slow and limited, and containers are usually deployed for operational reasons, in deployment pipelines and data centers, rather than for security. So is this a realistic architectural option for organizations that want to use virtual machine isolation as a security measure? Of course it is, provided the organization is ready and has done the relevant investigation in advance.
With this in mind, what should organizations do if they want to explore whether these approaches are right for them? What do organizations that want to adopt these strategies need?
First and foremost, an organization adopting this strategy must recognize the complexity of any VM isolation effort. That means knowing where your assets are, what your system components and applications do, and how they interact with each other. This is true whether you choose VM isolation, containerization, or network segmentation. Without understanding how components work together, an organization cannot arbitrarily isolate layers of an application from one another, much less expect the application to keep working efficiently afterward.
It is important that the organization understands the applications involved: how they communicate, what their normal operation looks like, and which pieces you most want to isolate. If you do not know these things today, or there is a large gap in your understanding, closing that gap is the remedy to apply before going down this road.
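The inventory step above and the per-workload policies described under micro-segmentation come together in a small tool: build a default-deny allow-list from the flows you have actually observed, then check later flows against it, so that anything the inventory missed (or an attacker moving laterally) surfaces as a denied flow rather than a silent allow. The following is an added example and not code from the article or from any vendor's product; the flow record format, the workload names, and the convention that a role is the workload name minus its instance suffix are all assumptions made for the illustration. In a real environment the records would come from VPC flow logs, a CNI plugin, or host firewall logs, and roles from labels or tags.

```python
"""Derive a default-deny, per-workload allow-list from observed flows and
evaluate later flows against it. Constructed example; not from the article."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed baseline records in an assumed "src src_ip -> dst dst_ip proto/port"
# format. In production these would come from flow logs or host firewall logs.
BASELINE_FLOWS = """\
web-1 10.0.1.10 -> app-1 10.0.2.20 tcp/8080
web-2 10.0.1.11 -> app-1 10.0.2.20 tcp/8080
app-1 10.0.2.20 -> db-1 10.0.3.30 tcp/5432
app-1 10.0.2.20 -> cache-1 10.0.3.31 tcp/6379
web-1 10.0.1.10 -> ids-1 10.0.9.9 udp/514
app-1 10.0.2.20 -> ids-1 10.0.9.9 udp/514
"""

# Constructed later batch: two legitimate flows plus two the policy should
# block (a web tier reaching the database directly, and SSH between app nodes).
NEW_FLOWS = """\
web-2 10.0.1.11 -> app-1 10.0.2.20 tcp/8080
app-1 10.0.2.20 -> db-1 10.0.3.30 tcp/5432
web-1 10.0.1.10 -> db-1 10.0.3.30 tcp/5432
app-1 10.0.2.20 -> app-2 10.0.2.21 tcp/22
"""


@dataclass(frozen=True)
class Flow:
    src: str
    src_ip: str
    dst: str
    dst_ip: str
    proto: str
    port: int


def role(name):
    """Assumed convention: 'web-1' -> 'web'. Policy binds to the workload role,
    not to an instance name or IP address, so it survives scaling and re-IPing."""
    return name.rsplit("-", 1)[0]


def parse_flows(text):
    """Parse the constructed record format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, src_ip, arrow, dst, dst_ip, service = line.split()
        if arrow != "->":
            raise ValueError("malformed flow record: %r" % line)
        proto, port = service.split("/")
        flows.append(Flow(src, src_ip, dst, dst_ip, proto.lower(), int(port)))
    return flows


def build_policy(flows):
    """Map each destination role to the set of (source role, proto, port) it may
    receive. Anything not in the set is denied by default."""
    policy = defaultdict(set)
    for f in flows:
        policy[role(f.dst)].add((role(f.src), f.proto, f.port))
    return dict(policy)


def render_rules(policy):
    """Render the policy as an ordered rule list that ends in default deny."""
    rules = []
    for dst in sorted(policy):
        for src, proto, port in sorted(policy[dst]):
            rules.append("allow %s -> %s %s/%d" % (src, dst, proto, port))
    rules.append("deny * -> *")
    return rules


def evaluate(policy, flows):
    """Split flows into (allowed, denied). A denied flow is either drift (a real
    dependency the inventory missed) or lateral movement; both need a human
    decision rather than a silent allow."""
    allowed, denied = [], []
    for f in flows:
        if (role(f.src), f.proto, f.port) in policy.get(role(f.dst), set()):
            allowed.append(f)
        else:
            denied.append(f)
    return allowed, denied


if __name__ == "__main__":
    policy = build_policy(parse_flows(BASELINE_FLOWS))
    for rule in render_rules(policy):
        print(rule)
    _, denied = evaluate(policy, parse_flows(NEW_FLOWS))
    for f in denied:
        print("DENY %s -> %s %s/%d" % (f.src, f.dst, f.proto, f.port))
```

Two design choices matter here. Policy keys are roles, not addresses, which is what lets a segmentation policy follow a workload wherever it runs. And the rule list ends in an explicit deny, so a flow the inventory never saw is reported instead of passing through; reviewing those denials on a schedule is also how you keep the model from drifting as the environment changes.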
Likewise, implementing a virtual machine isolation strategy presupposes that the organization already understands the risk profile and threat landscape of the workloads, applications, and systems it wants to extend isolation to. Isolation adds complexity of its own, and that cost may not be justified for less sensitive, lower-risk applications or systems. Without a full understanding of the risks and threats an application may face, it is difficult to decide what actually needs to be isolated.
Finally, virtual machine isolation has to be treated as a long-term commitment. Environments are not static: they change frequently in response to new usage patterns, business needs, architectural changes, and many other reasons. Spending time and effort to create a virtual machine isolation model and then leaving it unmaintained will only lead that model into an unknown, uncontrolled state.