Virtualization security: protecting unique IP
- 04 June, 2009 09:34
Moving to a nearly fully-virtualized infrastructure in 2008 made Joel Braverman a lot more confident in both the physical and digital IT infrastructure at his (relatively new) employer, Universal Audio. As manager of IT and the person responsible for security on that infrastructure, one that supports a company whose products are both expensive and almost entirely digital, it also made him extremely nervous, he says.
To understand what Universal Audio, in Scotts Valley, Calif., does, and its unique IT challenges, you first need to understand that for audiophiles, digital music doesn't quite match the "warm" quality that comes out of analog gear. Universal Audio is one of the leading companies selling digital products that emulate analog gear, and Universal's technology comes as close as any, and far closer than most, to the sound of the original, according to music industry reviewers.
"We sell the DSP boards, but we also do plug-ins that model the physical analog device and make it sound 99.9 percent like what the original sounded like, even though it's running inside the computer," Braverman says. "One of the coolest things is one that sounds like the exact recording desk Jimi Hendrix made his recordings on. We sell that as a plug-in." Universal Audio also sells software to emulate the custom studio gear of famous audio designers.
Since it's all software, however, Universal Audio's tech makes a hot target for thieves.
"This industry has been struggling with hackers for 10, 15 years, and we're almost the only one whose products have not been cracked," Braverman says. "Our competitors' stuff still sells, but a lot of music that's based on plug-ins has been cracked. If you can get it for free, why would you buy it?"
From a DR Project to Almost Fully Virtualized, Fast
UA is a relatively small company: 60 employees, working on between 150 and 200 workstations. Audio engineers and coders use far more workstations per head than normal employees, or even normal programmers, Braverman notes.
Two years ago, when UA hired Braverman as manager of IS, its whole back-end infrastructure was running on a set of rack-mounted desktop PCs in an unsecured part of the company's manufacturing unit.
"They went down a lot, and they were just right there, where people could have come in and walked off with them," Braverman says. "We figured, since most of those machines weren't doing anything 90 percent of the time, we might as well virtualize them."
Braverman moved the IT gear to a new building with better physical security, then virtualized the servers in what was to be a carefully staged migration, starting with a set of VMware ESX servers that mirrored the physical servers as a disaster recovery solution.
The plan was to gradually migrate applications as the implementation proved itself, until all UA's production and Web servers were running on the VMware cluster with a SAN holding the data.
"What really happened is we started running things on the VM system right away, or pretty soon after we implemented them, because it was so much easier to do the updates and reconfigurations on the VMs," Braverman says. "But we needed security products to protect the VMs. The virtual switches don't really offer that much protection and you can't see what's going on inside the servers."
The Virtual Switch Security Worry
Braverman bumped up against one of the biggest security problems with virtual infrastructures, says Neil MacDonald, security and infrastructure analyst at Gartner. (See CIO.com's recent related story, Server Virtualization: Top Five Security Concerns, for more background.)
Virtual switches bounce packets from one virtual server to another in exactly the same way physical switches do, but unless you think to put a virtual sniffer on one of them, it's almost impossible to tell what's going on inside one physical server supporting many virtual ones, MacDonald says.
That's a major problem for end-user companies because the alarms they have set up to notify them of intrusions from outside, or server-to-server links that violate security or compliance policies often don't work inside a virtual environment, he says.
"The ideal situation would be if physical security vendors had the same set of offerings for the virtual world and you could just opt for the environment you were supporting, but they've been really slow to do that," MacDonald says. "Juniper, Cisco, Microsoft should all be in there. Instead it's Altor, Reflex, Catbird and some other companies with a relatively low profile that are selling for $2,000 something that might cost $20,000 in a physical form factor." (For more background on the main virtualization monitoring options, see "Monitoring Virtual Infrastructure: Problem's Lack of Knowledge Not Tools".)
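The visibility problem MacDonald describes is concrete: two VMs on the same host can talk over the vSwitch without a single packet reaching the physical firewall or the IDS tap on the core switch. The usual remedy is exactly what he alludes to, a sniffer VM on a promiscuous port group, plus policy logic that decides which inter-VM conversations are allowed. The following is an added example, not code from Catbird or Universal Audio. It assumes a sniffer VM sees tcpdump-style text output (the capture lines, the 10.0.x.0/24 zone layout and the zone-to-zone policy are all constructed for illustration) and flags connections that cross a zone boundary the policy does not permit.

```python
"""Flag inter-VM connections that bypass the physical perimeter.

Added example (not Catbird's or UA's code). Assumes an IDS/sniffer VM is
attached to a promiscuous port group on the vSwitch and produces one
tcpdump-style line per packet; we keep only TCP SYNs, which mark the start
of a connection, and check each connection against a zone policy.
"""
import ipaddress
import re
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed zone map: which subnet (port group) each class of VM sits on.
ZONES = {
    "dmz":      ipaddress.ip_network("10.0.1.0/24"),  # public Web servers
    "internal": ipaddress.ip_network("10.0.2.0/24"),  # file, build, ERP
    "mgmt":     ipaddress.ip_network("10.0.3.0/24"),  # admin / vCenter
}

# Constructed policy: (src_zone, dst_zone) -> destination ports permitted.
# Traffic inside one zone is allowed; any other pair not listed is denied,
# including anything involving an address outside the known zones.
POLICY = {
    ("internal", "dmz"):  {22, 443},   # admins may reach the web tier
    ("mgmt", "dmz"):      {22},
    ("mgmt", "internal"): {22, 3389},
}

# Matches the start of a tcpdump IPv4 TCP line and keeps only pure SYNs;
# a SYN-ACK shows up as "Flags [S.]" and is deliberately not matched.
TCPDUMP_SYN = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]"
)


def parse_syn(line):
    """Return a Flow for a tcpdump SYN line, or None for anything else."""
    m = TCPDUMP_SYN.search(line)
    if not m:
        return None
    return Flow(m.group(1), m.group(3), int(m.group(4)), "tcp")


def flows_from_capture(lines):
    return [f for f in map(parse_syn, lines) if f is not None]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def find_violations(flows):
    """Return (flow, src_zone, dst_zone) for each connection the policy denies."""
    bad = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if sz == dz and sz != "unknown":
            continue                      # same zone: not our concern here
        if f.dport not in POLICY.get((sz, dz), set()):
            bad.append((f, sz, dz))
    return bad


# Constructed capture from the sniffer VM: four SYNs plus one SYN-ACK reply.
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.0.2.15.51000 > 10.0.1.10.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000200 IP 10.0.1.10.443 > 10.0.2.15.51000: Flags [S.], seq 2, ack 2, length 0",
    "12:00:02.000001 IP 10.0.1.10.51001 > 10.0.2.40.445: Flags [S], seq 3, win 64240, length 0",
    "12:00:03.000001 IP 10.0.1.10.51002 > 10.0.2.50.1433: Flags [S], seq 4, win 64240, length 0",
    "12:00:04.000001 IP 10.0.2.15.51003 > 10.0.2.40.445: Flags [S], seq 5, win 64240, length 0",
]

if __name__ == "__main__":
    for f, sz, dz in find_violations(flows_from_capture(SAMPLE_CAPTURE)):
        print(f"VIOLATION {sz}->{dz}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

On the sample capture the admin-to-web HTTPS connection and the internal-to-internal SMB connection pass, while the two connections from the DMZ Web server into the internal network (SMB to a file server and TCP 1433 to a database host) are reported; on a physical network those would have been stopped or at least logged at the perimeter firewall, but on a shared vSwitch nothing sees them unless something like this is watching.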
How UA Applied Catbird's Answer
Third-party VM security companies are so little-known that Braverman hadn't even heard of Catbird until one of UA's engineers bumped into a Catbird employee in the parking lot of the office park they both share.
Catbird turned out to have the kind of VM firewall and intrusion detection system (IDS) Braverman sought. (For more detail on Catbird's technology approach, which the company updated in March, see the CIO.com article, Virtualization Security Firm Catbird Improves Platform.)
Installing Catbird gave UA virtual firewalls on each of its servers to help blockade the Web servers from the internal network and to enforce security and usage policies inside the network. Catbird's intrusion detection system, built on the open-source Snort (the de facto standard in IDS), watches the traffic inside the VMs and raises alarms, helping keep hackers out of UA's pool of IP as well.
"Here we're more concerned with protecting our intellectual property, so someone in the banking sector or whatever might have more security concerns than we do," Braverman says. "Essentially defending the borders was the main focus. We don't have enough staff to do all the nitty gritty and go through all the VMs to make sure they're all patched with the latest patches and there aren't any holes. This product notifies us of all the vulnerabilities our systems have; that's the biggest plus."
That's not a small concern, MacDonald says. Configuration errors remain the biggest source of vulnerabilities in virtual machines, and precious few resources exist to help security managers deal with the situation.
"Microsoft and VMware have put out guidelines, but that's pretty thin," MacDonald says. "Most vulnerabilities are introduced because someone makes a mistake. VMs have this opaqueness in the environment so that if you don't have the basics done right, you're wide open."
Catbird's vulnerability assessment can help, as can tools from Configuresoft and Tripwire that are designed to automate and lock down VM configurations, MacDonald says. (Last week EMC announced it had acquired Configuresoft to advance its efforts to automate secure configurations in virtual environments.)
After going through initial assessments for UA, Braverman says, he actually had to un-virtualize some of the servers; the ERP software that the company uses doesn't support VMs, and other servers held data that UA execs decided was too sensitive to put on a virtual network of six physical servers and 20 or so VMs.
Braverman declines to say how much he spent on his Catbird security investment, but did justify the cost as a necessary addition to what was, overall, a cost-saving, productivity-raising project for the business.
Braverman also learned about one ironic side effect of highly-virtualized environments. "Virtualization let us build a redundant network that's firewalled and load-balanced with switches and routers," Braverman says. "Now we get complaints when something does go down, even though it doesn't happen often. When things went down all the time, no one complained because they were used to it."
All About Universal Audio: Famous Sounds
Universal Audio, in Scotts Valley, Calif., was launched in the 1950s by Bill Putnam Sr., a legendary sound engineer who was awarded a posthumous Grammy for technical achievement for the sound gear he invented, modified or tweaked during years of recording with Frank Sinatra, Nat King Cole, Ella Fitzgerald and other leading musicians. His LA-2A audio compressor and 1176 limiting amplifier are still in wide use in professional recording studios.
Putnam's two sons re-launched the company after his death in 1989 with the goal of recreating in the digital world the "warm" sounds and elaborate mix techniques developed by their father and other audio gurus during the golden age of analog audio recording.
In addition to making digital versions of analog gear that sound engineers talk about in the same way violinists do famous Stradivarii, Universal makes digital signal processing (DSP) boards and emulation software. Most of these are designed to work with digital mixing software such as Apple's Logic or Digidesign's Pro Tools, which even pro recording engineers use to produce music with more flexibility and far less equipment than Putnam Sr. had to manage in the old days.
In a 2007 buyers' guide to emulation software, audio-engineer-magazine Mix described legendary recording studios as being packed with a tonnage of equalizers, compressors and effect boxes in "heat-shooting rack units that sprinkled hit record 'fairy dust' over everything they touched (provided the engineer knew the right way to tweak the knobs)."