VMWorld 2008: Forecast For VMware? Cloudy…Weep For Security?
This post was written prior to the opening of the Partner Day/Technology Exchange, based solely upon information that is publicly available. No NDAs were harmed during the making of this blog…
So now that I can talk about it outside of the embargo, VMware is announcing extensions to its product roadmap and product marketing to deliver what it calls its "virtual datacenter OS:"
VMware's comprehensive roadmap of groundbreaking new products expand its flagship VMware Infrastructure suite into a virtual datacenter OS. The virtual datacenter OS addresses customers’ needs for flexibility, speed, resiliency and efficiency by transforming the datacenter into an “internal cloud” – an elastic, shared, self-managing and self-healing utility that can federate with external clouds of computing capacity freeing IT from the constraints of static hardware-mapped applications. The virtual datacenter OS guarantees appropriate levels of availability, security and scalability to all applications independent of hardware and location.
The components that make up VMware's virtual datacenter OS are:
- Application vServices guarantee the appropriate levels of availability, security and scalability to all applications independent of hardware and location.
- Infrastructure vServices abstract, aggregate and allocate on-premise servers, storage and network for maximum infrastructure efficiency.
- Cloud vServices federate the on-premise infrastructure with third party cloud infrastructure.
- Management vServices allow you to proactively manage the virtual datacenter OS and the applications running on it.
Each of these components has service/product definitions below it.
While it's exciting to see VMware's strategy around its version of the datacenter OS, it's going to be a bumpy ride as we continue to see how Microsoft, Cisco and VMware all interact and how these roadmaps align — or don't.
Remember, despite how they play nice, each has their own bottom line to watch and it's every man for himself.
It's quite clear we're going to have some very interesting security challenges bubbling up to the surface; we barely have our arms around what we might call virtualization v1.0 — we've a lack of maturity in solutions, operations, visibility and security and we're pulling the trigger on what's sure to be a very contentious security model…or lack thereof.
In the vApplication services, there is a direct call-out titled "Security" in which VMware's ESX 3i's size is touted as its current security feature (rolleyes) and in 2009 we see the following:
- VMware VMsafe provides x-ray visibility into virtual machine resources from the vantage point of the hypervisor, making it possible to monitor every aspect of the execution of the system and stop previously undetectable viruses, rootkits and malware before they can infect a system
- Checkpoint, IBM, McAfee, Radware, TrendMicro and are announcing their plans to deliver VMSafe-integrated products in 2009 that provide superior protection to virtual machines than possible with physical machines or other virtualization solutions
There's nothing new here, except the dependence upon VMsafe, ISVs and virtual appliances…I think you know how I feel about that.
In line with my posts regarding the Cisco vSwitch for ESX (what I'm calling the cSwitch,) the "Infrastructure vServices" component hints at the development of three major investment points: vCompute, vNetwork and vStorage.
In vNetwork, you'll notice the 2009 arrival of the following three elements which are very interesting, indeed:
- Distributed Switch simplifies the setup and change of virtual machine networking
- Network VMotion enables network statistics and history to travel with a virtual machine as it moves from host to host for better monitoring and security
- Third party virtual switches plug into virtual networks and deliver value added network monitoring, security and QoS
I'll be interested to see what distributed networking actually means — there's a session today on that, but coupled with the cSwitch, I wonder if it means more than just plugging into virtualcenter/VFrame for management.
Let's not forget how some of the elements in vCompute will affect networking and security, such as VMDirect, which provides "intelligent" VMM bypass and allows direct access from the VMs…all in the name of performance. I wrote about that here a couple of days ago.
It looks as though we might see some policy extensions to afford affinity such that policies travel with the VM!?
The notion of vCloud is being described as the notion of portability, mobility and supportability of applications that can be developed and deployed inside an enterprise's "internal cloud" and then handed off to an "external cloud" provider's service offerings. It's really the "infrastructureless infrastructure" play.
One thing that immediately comes to mind when I hear the word "federation" — as I assume it might to any security professional's ears — is the set of issues surrounding exposure of AAA (authentication, authorization and accounting) between internal and external credential stores and how this intersects with SOA environments.
As more details come to light, I'll be adding my thoughts about where (if at all) security really plays into this evolving strategy.
Gotta shower and get to the con.
/Hoff
Hey thanks for this post…good stuff.
FYI the "distributed switch" link is broken. Here's the corrected link: http://download3.vmware.com/vdcos/demos/DVS_Demo_…