Osterman Research, Inc.
P.O. Box 1058 Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839 Fax: +1 253 458 0934 info@ostermanresearch.com
www.ostermanresearch.com twitter.com/mosterman
Executive Summary
There are two important trends occurring in the security space that every organization must
address:
The bottom line is that a) security must improve and b) it must operate more efficiently in a
virtualized infrastructure. To accomplish these goals, the ability to deploy agentless security to
the various virtual machines (VMs) on a host physical server can have dramatic impacts on IT
staff efficiency and operational costs, while maintaining a high level of security against the
prevailing threat environment.
KEY TAKEAWAYS
Osterman Research undertook a research program to understand how an agentless security
architecture, as provided by Trend Micro Deep Security, performs among a variety of its
customers and compares to businesses using traditional agent-based security. Our goal was to
understand what customers thought of Deep Security, to determine if it improved operational
efficiency, and to determine if it helped organizations to address their security requirements in a
virtualized environment. Our high-level findings from the research are summarized as follows:
The wide range of server security capabilities from anti-virus to intrusion prevention to
integrity monitoring that are built into Deep Security enable a lower total cost of ownership
by providing security features and functions under a single umbrella from one vendor.
The Deep Security agentless security architecture enables faster provisioning of security
capabilities on new VMs, as well as easier ongoing maintenance.
The agentless virtual patching capabilities of Deep Security reduce the cost and complexity
of keeping systems up to date on the latest patches, allowing organizations to roll out
patches on a more scheduled and systematic basis.
Performance
VMs can take full advantage of the performance of servers to provide a better backend
experience for services like email or CRM, as well as a better desktop experience in virtual
desktop interface (VDI) environments.
Agility
Virtualization permits more rapid deployment, faster recovery, easier and more flexible
assignment of computing resources to specific tasks, and other advantages, making IT
departments and organizations better able to respond to planned and unplanned events.
Not only must IT maintain the security of the physical server on which the VMs are
deployed, but they must maintain security on each of the VMs as well. This adds to IT's
workload and increases the threat exposure for a network.
With traditional security, scans or updates are often initiated simultaneously across all VMs
on a host, causing resource contention and performance degradation. Some vendors
suggest randomization or grouping in virtual environments to try to avoid these issues.
However, randomization can take an excessive amount of time to run through a complete
scan or update and is not designed to avoid times of high system usage, while grouping
does not account for the dynamic nature of VMs, requiring reconfiguration if VMs are
migrated or cloned.
VMs are much more likely than physical servers to be out of date and therefore not
updated with the most recent security patches and pattern updates. VMs that lie dormant
for long periods, and so are not patched like physical servers or continually active VMs,
are quite common in some organizations, such as when specific VM configurations are
created to satisfy particular types of testing or for specific applications and are activated
only occasionally. When these machines are reactivated, they are highly vulnerable to
threats that have already been patched on other VMs and so pose a significant security
threat until they are brought up to date. For example, Intel recommends that "care must
be taken to apply in a timely fashion security patches and configuration changes required by
policy to all VMs, including those that are not running."[1]
Blind spots can be created when using traditional network security appliances because they
are unable to see the communication between VMs on the same host unless all
communications are routed outside the host machine to this separate appliance. However,
this security configuration introduces significant time lags.
Traditional security models using Security Information and Event Management (SIEM)
systems are not as useful in a VM environment because these systems cannot see inside
VMs.
Other security challenges include: inter-VM traffic which can lead to attacks between VMs
on the same host; hypervisor compromises, such as hyperjacking or guest VM escape; and
mixed trust level workloads in which VMs with high-risk applications might be housed next
to VMs with critical applications and data.
In short, while virtualization offers a number of advantages, it opens up a new set of security
threats that do not exist or are addressed with a different approach in the world of physical
servers.
[1] http://communities.intel.com/servlet/JiveServlet/previewBody/3833-102-1-6269/VT%20Security%20Whitepaper_final.pdf
Agent-based security installed on each VM does not get around the problem of dormant
machines with out-of-date security being reactivated and therefore becoming a security
threat until they are brought up to date. Properly architected agentless security systems,
on the other hand, can coordinate security updates across active, dormant, cloned, and
reactivated VMs, ensuring that they always have up-to-date security.
Agentless security requires far fewer virtual system resources (CPU, memory and disk)
compared to traditional agent-based solutions on each VM. Resource-intensive operations,
such as full system scans, are run from the separate security virtual appliance, and
coordinating and staggering scans across guest VMs helps to preserve resources, avoiding
resource contention issues such as anti-virus storms. This results not only in better
performance of the physical host on which the VMs run, but also in much higher VM density,
better supporting one of the primary benefits of virtualization.
To understand the "before" picture in these organizations: how their security infrastructure
was managed prior to the deployment of Deep Security and what prompted these
organizations to seek a more comprehensive and easier-to-manage server security
capability.
To understand the "after" picture: how Deep Security has helped organizations to
accomplish their security objectives, and to determine if these organizations' expectations
have been met.
The interviews for this white paper were conducted during August and September 2011.
TABLE 1
Sample Anticipated Savings in Initial Install/Setup Time with Deep Security

Activity                                                        Agent-Based Security   Deep Security
Install/setup time for agent-based AV on email servers                 44 min
Install/setup time for an agent-based host firewall                    38 min
Install/setup time for agent-based host IDS/IPS                        40 min           53 min (single combined install)
Install/setup time for agent-based file-integrity monitoring           32 min
Install/setup time for agent-based log inspection                      28 min
TOTAL MINUTES REQUIRED PER SERVER                                     182 min           53 min
SERVERS DEPLOYED PER YEAR*                                                 20               20
SALARY FOR IT LABOR ($80,000/year)                                $38.46/hour      $38.46/hour
TOTAL COST                                                             $2,333             $679
INITIAL INSTALL/SETUP SAVINGS WITH DEEP SECURITY                                        $1,654

* Note that these savings are based on a conservative estimate of 20 servers deployed per year.
Many organizations will have considerably more servers, which will result in higher savings.
Our research found that provisioning with Deep Security requires little or no extra time per
new VM, offering substantial savings over what organizations have found in their previous
security environments. Below are examples of how quickly organizations were able to
provision new VMs when not hindered by their security solutions:
o A Canadian firm found that provisioning a new VM requires only two minutes compared
  to 15 minutes with their previous security solution.
o A Turkish steel manufacturer can provision a new VM in less than five minutes.
o A US food processing company requires only 2-3 minutes to provision a new VM.
The reduced amount of time for provisioning can result in significant cost savings for an
organization. For example, let's assume that 200 new VMs will be configured each quarter
and, using the Canadian firm's experience, this will result in a total time investment per
quarter of six hours 40 minutes (200 machines x 2 minutes per machine). With their
previous security solution, this would have required 50 hours (200 machines x 15 minutes
per machine). Assuming a fully burdened annual salary for an IT staff member of $80,000,
this translates to an annual cost savings of $6,667 and 173 IT staff-hours, a significant
saving for a single aspect of managing VMs. This data is converted into savings per 1,000
users in the table below.
Moreover, and almost without exception, the companies we interviewed told us that it is
easier to provide ongoing management for agentless security on existing VMs with Deep
Security, resulting in further cost savings. Sample anticipated savings from Deep Security in
terms of the time required for ongoing management are shown in the following table.
TABLE 2
Sample Anticipated Savings in Ongoing Management with Deep Security
Calculations per 1,000 Users

Activity                                                                          Agent-Based Security   Deep Security
Provisioning of new VMs introduced after initial install (hours per month per 1,000 users)       5.8              0.8
Reconfiguration of security due to VM migration and load balancing (hours per month per 1,000 users)  6.8         0.9
Manual administration of pattern updates (hours per month per 1,000 users)                       2.6              0.3
TOTAL HOURS REQUIRED PER YEAR PER 1,000 USERS                                                  182.4             24.0
SALARY FOR IT LABOR ($80,000/year)                                                       $38.46/hour      $38.46/hour
TOTAL COST PER 1,000 USERS                                                                    $7,015             $923
ANNUAL MANAGEMENT SAVINGS WITH DEEP SECURITY                                                                    $6,092
brought back online the longer it is offline, the more vulnerable it is. However, with a
dedicated security appliance, virtual patching can be applied to active, dormant, cloned or
reactivated virtual machines. Virtual patching shields vulnerabilities before they can be
exploited. This eliminates emergency patching, frequent patch cycles, and costly system
downtime, saving on administrative time and costs and protecting critical systems,
applications, and data.
Our research found that patching using Deep Security is generally easier when compared to
previous environments. For example, one interview subject told us that "client patch updates
[in their previous environment] were not as streamlined as with Deep Security." Another
interviewee told us that the virtual patching in Deep Security "has been the single biggest
benefit" they have experienced with the solution. With their normal patch process in
Windows, they had to schedule downtime to perform the patching, typically between
2:00am and 4:00am on a Sunday morning. Now, IT simply sets up the patch and runs it
whenever it's convenient, perhaps every 90 days. This can result in enormous revenue
savings, such as in the case of a retailer that is selling products through its Web site on a
24x7 basis.
Organizations can spend up to one third of their time on patch management in conventional
environments, including patching servers, desktops, laptops, and other endpoint devices.
Add this to costly downtime, and patching in conventional environments can be very
expensive. Instead, virtual patching with Deep Security can save organizations a
considerable amount while also ensuring that their critical systems, applications, and data
remain safe.
Improved VM density
Another important benefit of Deep Security is its ability to provide higher VM density. For
example, one interviewee told us the following about their VDI efforts: "Our primary reason
for moving to Deep Security was to increase our VM guest density per ESX host. We went
from 50 to 80 guest VMs per host, which essentially paid for the upgrade and gave us
better performance than using traditional agent-based AV for the VMs."
The increase in machine density is one of the most important benefits of Deep Security.
Using the example above (going from 50 to 80 VDI images per host), the cost savings
provided by the increase in density alone would be 35%, as shown in the table below.
The following table shows a sample of the savings that can be achieved with VDI density
improvements, based on those achieved by a Deep Security customer. Potentially higher
savings can be attained depending on a company's VDI deployment, and additional VM
density improvements can be reached with server deployments in addition to VDI.
TABLE 3
Anticipated Savings through VM Density Improvement for VDI Efforts

Activity                                                              Agent-Based Security   Deep Security
Number of VMs supported per host                                                50                 80
Total VMs                                                                    1,000              1,000
Total physical hosts required                                                   20                 13
CAPEX cost per physical host (2 CPU, 2 Core)*                               $8,954             $8,954
OPEX cost per physical host per year (power, cooling, and rack space
  per 2 CPU 2 Core)*                                                        $1,050             $1,050
TOTAL CAPEX COST OVER THREE YEARS                                         $179,080           $116,402
TOTAL OPEX COST OVER THREE YEARS                                           $63,000            $40,950
TOTAL THREE-YEAR COST                                                     $242,080           $157,352
TOTAL THREE-YEAR SAVINGS FROM IMPROVED VM DENSITY                                             $84,728
THREE-YEAR SAVINGS FROM IMPROVED DENSITY PER VM                                                $84.73

* The CAPEX and OPEX cost estimates are based on figures from VMware.
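The arithmetic behind Tables 1 to 3, written out as an added Python model (not the paper's or Trend Micro's code) so the figures can be re-run with other server counts, densities and labour rates. It assumes a 2,080-hour work year, which is what turns the $80,000 salary into the paper's $38.46/hour.

```python
"""Cost model behind Tables 1-3; added example, not from the paper or Trend Micro."""
import math

# Assumption: a 2,080-hour work year (52 x 40 h), which turns $80,000/yr into $38.46/h.
HOURS_PER_YEAR = 2080


def hourly_rate(annual_salary: float) -> float:
    """Fully burdened hourly labour rate used in Tables 1 and 2."""
    return annual_salary / HOURS_PER_YEAR


def install_savings(agent_minutes, agentless_minutes, servers_per_year, annual_salary):
    """Table 1: five separate agent installs per server vs one combined agentless install."""
    rate = hourly_rate(annual_salary)
    agent_total = sum(agent_minutes)  # 44+38+40+32+28 = 182 min per server
    agent_cost = agent_total * servers_per_year / 60 * rate
    agentless_cost = agentless_minutes * servers_per_year / 60 * rate
    return {"agent_minutes": agent_total, "agent_cost": round(agent_cost),
            "agentless_cost": round(agentless_cost), "savings": round(agent_cost - agentless_cost)}


def management_savings(agent_hours_month, agentless_hours_month, annual_salary):
    """Table 2: recurring hours per month per 1,000 users, annualised (x12) and costed."""
    rate = hourly_rate(annual_salary)
    agent_hours = sum(agent_hours_month) * 12
    agentless_hours = sum(agentless_hours_month) * 12
    return {"agent_hours": round(agent_hours, 1), "agentless_hours": round(agentless_hours, 1),
            "agent_cost": round(agent_hours * rate), "agentless_cost": round(agentless_hours * rate),
            "savings": round((agent_hours - agentless_hours) * rate)}


def density_savings(total_vms, agent_density, agentless_density, capex_per_host, opex_per_host_year, years=3):
    """Table 3: hosts are bought whole, so the host count is rounded up (1,000 / 80 -> 13, not 12.5)."""
    def cost(vms_per_host):
        hosts = math.ceil(total_vms / vms_per_host)
        return hosts, hosts * (capex_per_host + opex_per_host_year * years)
    agent_hosts, agent_cost = cost(agent_density)
    agentless_hosts, agentless_cost = cost(agentless_density)
    savings = agent_cost - agentless_cost
    return {"agent_hosts": agent_hosts, "agentless_hosts": agentless_hosts,
            "agent_cost": agent_cost, "agentless_cost": agentless_cost, "savings": savings,
            "savings_per_vm": round(savings / total_vms, 2), "savings_pct": round(100 * savings / agent_cost, 1)}


if __name__ == "__main__":  # the paper's own inputs; prints the three tables' bottom lines
    print(install_savings([44, 38, 40, 32, 28], 53, 20, 80_000))
    print(management_savings([5.8, 6.8, 2.6], [0.8, 0.9, 0.3], 80_000))
    print(density_savings(1_000, 50, 80, 8_954, 1_050))
```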
Initial deployment
  Agent-Based Security: Variable. More time is needed when several point products are
  installed across VMs.
  Agentless Security: Can require several hours of effort, largely to correct corruption and
  other problems in the previous environment, but saves time with multiple security modules
  integrated into one solution.
(row label not preserved in extraction)
  Agent-Based Security: Can be time-consuming, particularly in environments with large
  numbers of VMs.
  Agentless Security: Very fast: as little as 2-3 minutes per VM.
Patching
  Agent-Based Security: Slow, requires scheduled downtime to perform patching. Requires
  significant IT effort to accomplish. Networks are vulnerable to security threats during the
  gap created between VM instantiation and patches. Can spike server resources.
  Agentless Security: Very fast, can be accomplished with no downtime. Little IT effort
  required to accomplish. No gaps exist when dormant VMs are activated.
VM density
  Agent-Based Security: Modest because of the significant processor horsepower required.
  Agentless Security: Much higher because processors do not have to run multiple security
  agents on each guest VM.
"We would absolutely recommend Deep Security; we don't know of any other products
that can provide integrated server security."
Summary
Deep Security is a comprehensive package of security tools that offers a wide range of features,
functions and deployment models. Our research with Deep Security customers clearly indicates
that it makes security provisioning on VMs easier and faster, makes patching simpler, improves
VM density, and simplifies management. These benefits result in lower overall security costs
and dramatic improvements in IT staff efficiency.
2012 Osterman Research, Inc.
Appendix
CURRENT ENVIRONMENTS PROTECTED WITH DEEP SECURITY
The infrastructures about which we interviewed were varied as shown by the following
examples:
TABLE A
Sample Organizations Interviewed for the Research

Organization                              Environment
Healthcare company in the southeast US    33 physical VMware ESX host servers running 431 virtual
                                          servers, 4,000 PCs, Windows 7 virtual desktop being rolled
                                          out at physician sites
(organization not preserved)              Using Deep Security primarily to meet requirements for file
                                          integrity monitoring and host-based intrusion protection in a
                                          heavily regulated environment
(organization not preserved)              Operating 45 VMs on three VMware ESX host servers
(organization not preserved)              Running 60+ VMs in a VMware vSphere 4 cluster with four
                                          hosts
(organization not preserved)              Running 10 VMs
(organization not preserved)              Running 800 virtual desktops on 10 physical VMware ESX
                                          host servers
The environments about which we interviewed ranged from small server deployments to large
datacenters. They were quite heterogeneous and were using a number of other solutions beyond
those offered by Trend Micro.