Sunday, June 9, 2013

KVM Security in the Cloud: A Choice That Matters

With many IT departments moving their infrastructure to the cloud, security concerns arising from a shared environment have become increasingly prominent. While open source virtualization has always been seen as a cost-effective alternative to proprietary virtualization platforms, new management tools and capabilities have also made it an effective and secure enterprise deployment option. Join us for an overview of KVM security and its use in virtualized, multi-tenant cloud scenarios. We'll examine how open source virtualization leverages SELinux and its tight integration with the Linux kernel to provide a secure computing environment for both end-users and service providers.

Organizations of all sizes have identified the benefits of cloud-based computing, whether it's implementing a private or hybrid cloud on their own or accessing a public cloud through a service provider. Virtualization, a key component for building secure cloud environments, offers many advantages, including higher machine efficiency due to increased utilization, energy savings, and the flexibility to build or destroy virtual machines (VMs) on demand to meet changing organizational needs.

Choosing open-source virtualization over proprietary alternatives can significantly increase savings. However, the open-source Linux Kernel-based Virtual Machine (KVM) offers several benefits to organizations beyond cost savings alone. These benefits include security, reliability, availability, performance, and scalability. In this white paper, we'll look at the relationship between open-source virtualization and the cloud, and explore the security aspects of KVM hypervisor technology, especially how it leverages SELinux and related capabilities for secure public, private, and hybrid cloud deployments.

Virtualization offers the ability to emulate hardware to run multiple operating systems (OSs) on a single computer. It offers a level of efficiency and scalability that makes the complex processing of the cloud possible. One of the reasons why virtualization has proven to be so cost-effective is that it can be implemented on industry-standard x86 system hardware using on-demand, high-capacity networks.

In a virtualized environment, the hypervisor, or virtual machine monitor (VMM), is the software that virtualizes the hardware and provides isolation between the OS processes, or "guests." Without the strict controls put in place by the hypervisor, guests could violate and bypass host security policy, intercept unauthorized client data, and initiate or become the target of security attacks.

In addition, virtual machines (VMs) require the same kinds of precautions as physical machines, such as applying patches, installing antivirus protection, performing security fixes, and providing firewall protection. Hypervisors are designed to manage contention between processes that compete for resources, and they provide the maximum performance possible for each guest VM.

In terms of hypervisor categories, "bare-metal" refers to a hypervisor running directly on the hardware, as opposed to a "hosted" hypervisor that runs within the OS. Further classification groups hypervisors according to types. For example, a Type 1 hypervisor translates physical resources to virtual only once, and a Type 2 hypervisor makes that translation twice.

The capabilities and differences between hypervisor types are often debated. In general, a Type 1 hypervisor controls the hardware and, therefore, manages how resources are allocated to VMs. A Type 2 hypervisor runs on top of another OS (e.g., Windows) and depends on the resource scheduling of that OS. Thus the hypervisor's control is somewhat limited by the OS.

Having efficient CPU control and resource allocation enables the kinds of processing levels that make cloud computing possible. Companies employ virtualization to achieve these higher levels of resource functioning, and cloud providers use virtualization for the same reasons.

One example is web content management provider eZ Systems. The company employs Red Hat Enterprise Linux (RHEL) with KVM along with the open-source elastic cloud, Ixonos, to deliver its management platform and Software-as-a-Service (SaaS) features.

eZ Systems found that with the open, hybrid approach of Red Hat and Ixonos, it could provide its customers with the full functionality found in on-premise solutions and the same level of security offered by proprietary alternatives.

For organizations, the cloud's per-use approach provides tangible relief from hardware or software investments by offering a pay-for-service model. The benefits include greater resource access, dynamic scaling, and improved costs, along with the ease of automated management for resources and performance.

Companies adopt cloud computing to reduce infrastructure overhead, adjust service levels to meet changing needs, and to quickly deliver applications. However, with these advantages come certain limitations, especially in relation to security.

Multi-tenant infrastructures typically offer scaled performance and services based on shared resources, including databases, other applications, and OSs. For some organizations, this exposes them to a variety of threats, both from inside the firewall, as in the case of a private cloud, and from outside.

One example of a company that employs a comprehensive open-source solution is cloud provider Colosseum Online. The company uses both Red Hat Enterprise Virtualization (RHEV) and RHEL KVM not only for its core infrastructure, but also for its cloud platform, which offers IaaS and other services.

RHEV enables the Colosseum IT team to migrate all workloads off a given hypervisor and take it offline for software or hardware updates. Such control extends to security patches, bug fixes, and related updates. It represents a degree of security management and granularity unique to KVM.
