Virtualization has long been used to wring efficiency out of over-sized, under-used systems, but isolating applications and operating systems from the underlying hardware also produces immense flexibility that cloud services like AWS, Azure and Google Cloud exploit to deliver infrastructure on demand. Now virtualization has also become instrumental to solving the most vexing and serious problem facing IT providers and users: security. The trend towards virtualization-enhanced security arguably started last year when VMware updated its network virtualization product, NSX, to support micro-segmentation, stressing its security applications and advantages. But the use of virtualization to create precise zones of protection isn't limited to the network, as Microsoft and Bromium recently demonstrated in announcing support for the latter's micro-virtualization technology in Windows 10.
The essence of virtualization-enhanced security is the ability to arbitrarily shrink the OS and network attack surface of an application to the point that it is completely isolated from everything else on a system. I covered this last year with the NSX rollout. As I detail in this column, unlike traditional VMs that run with OS-level granularity, Bromium has developed a microvisor, a lightweight, highly secure hypervisor, that automatically creates a new micro-VM for every task, which can be a browser tab, media stream, Word document or cloud file share, on a system. In that sense, they resemble Docker containers, but unlike software-based application isolation, micro-VMs exploit hardware security features like Intel VT to protect the underlying OS, network stack and peripherals.
The Microsoft announcement ensures that Bromium can be easily and seamlessly integrated with Windows 10 clients and management systems. Crosby is encouraged that Microsoft is adopting a security architecture in which virtualization is a key element, and hearing him describe it, Windows 10 plus Bromium will be the most secure, bulletproof client to date. Yet Microsoft had already embraced virtualization as a security tactic. Windows 10 and upcoming server releases incorporate a hardware-enforced system sandbox called Virtual Secure Mode (VSM) to protect key parts of the OS, including security tokens and OS boot code, from attack.
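A practical check that belongs next to the VSM description: a hardware-enforced sandbox only protects anything if the hypervisor-backed mode is actually running on the client. The following PowerShell script is an added example, not code from the article, Microsoft or Bromium. It reads the Win32_DeviceGuard WMI class that Windows 10 exposes for virtualization-based security and reports whether VSM is running and which platform prerequisites (hypervisor support, Secure Boot, DMA protection) are present. The numeric status codes are decoded according to Microsoft's published meanings for that class as understood here; treat the `$Expected...` thresholds and the helper names as this example's own assumptions, not vendor settings.

```powershell
# Added example: report Virtual Secure Mode / virtualization-based security
# status on a Windows 10 client. Requires an elevated PowerShell session.
# Win32_DeviceGuard is a real WMI class; the code-to-label tables below are
# this script's own decoding of its documented numeric values.

function Get-VsmStatus {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsLabels = @{ 0 = 'Disabled'; 1 = 'Enabled (not running)'; 2 = 'Running' }

    # SecurityServicesRunning: 1 = Credential Guard (protects security tokens),
    # 2 = Hypervisor-enforced Code Integrity (protects kernel/boot code)
    $serviceLabels = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }

    # AvailableSecurityProperties: platform features VSM can build on
    $propertyLabels = @{
        1 = 'HypervisorSupport'
        2 = 'SecureBoot'
        3 = 'DMAProtection'
        4 = 'SecureMemoryOverwrite'
        5 = 'UEFICodeReadOnly'
        6 = 'SMMSecurityMitigations'
        7 = 'ModeBasedExecutionControl'
    }

    $decode = {
        param($codes, $table)
        @($codes | ForEach-Object { if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" } })
    }

    [PSCustomObject]@{
        VbsStatus        = $vbsLabels[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning  = & $decode $dg.SecurityServicesRunning $serviceLabels
        ServicesConfigured = & $decode $dg.SecurityServicesConfigured $serviceLabels
        PlatformProperties = & $decode $dg.AvailableSecurityProperties $propertyLabels
    }
}

function Test-VsmBaseline {
    # Assumption for this example: a client is considered protected only when
    # VSM is running and at least Credential Guard is active. Adjust to policy.
    param([Parameter(Mandatory)] $Status)

    $running = $Status.VbsStatus -eq 'Running'
    $credGuard = $Status.ServicesRunning -contains 'CredentialGuard'
    $hvSupport = $Status.PlatformProperties -contains 'HypervisorSupport'

    if (-not $hvSupport) { return 'FAIL: no hypervisor support reported (check Intel VT / AMD-V and firmware)' }
    if (-not $running)   { return 'FAIL: VSM is not running' }
    if (-not $credGuard) { return 'WARN: VSM running but Credential Guard is not active' }
    return 'OK: VSM running with Credential Guard'
}

$status = Get-VsmStatus
$status | Format-List
Test-VsmBaseline -Status $status
```

The distinction between ServicesConfigured and ServicesRunning matters in practice: Group Policy can configure Credential Guard on a machine whose firmware lacks Secure Boot or whose CPU lacks virtualization extensions, in which case the policy is set but nothing is protected. Reporting both columns from an endpoint inventory tool is how a defender finds those silently unprotected clients.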
Read on to understand the beauty of micro-virtualization, whether applied to a software task or a network segment, namely its software-enabled granularity, and how network micro-segmentation fits into the picture. Indeed, the combination of system and network micro-virtualization techniques may have created the Goldilocks Zone: an ideal mix of application isolation, situational awareness and hardware-reinforced security.