Are security vendors prepared to deal with virtual machines? Probably not

Yesterday, I penned another blog that extolled the virtues of virtual machine (VM) technologies like VMware's namesake Workstation product.  For that specific entry, I talked about what happens when a virtual machine that was created on an AMD-based system is moved over to an Intel-based system.  In my case, the copy of Windows XP that was installed into that virtual machine detected the hardware change which in turn triggered Microsoft's Windows Product Activation routine (WPA).  To continue using that virtual machine, I had to re-validate that copy of Windows with Microsoft.  From WPA's point of view, significant changes in the hardware are a tell-tale clue that the end-user may be attempting to run a pirated copy of Windows. 

Virtual machines are probably not what Microsoft had in mind when it first came up with WPA technology.   For starters, virtual machines are most often used in corporate settings where organizations license Windows on a very different basis when compared to consumers and small businesses.  If someone is copying Windows in a corporate setting, there's a higher probability that the company's license allows them to do that.  Secondly, the pirated-copy scenario that WPA really addresses is the one where the alleged pirate is using a product like Symantec's Ghost to clone a PC's entire software environment and copy it to other computers.  The minor snafu here is that WPA could end up stopping some VM-based clones dead in their tracks. 

As of today, Microsoft's license to Windows is ill-suited to the implementation I've been talking about -- the one where end-users run multiple virtual machines on their computer in order to ensure that certain tasks never interfere with other tasks (for example, work vs. personal computing). For example, if you've set up 10 different virtual machines on your system and they were all cloned off the same master copy of Windows, technically speaking, you'd be in violation of Microsoft's license.  This is so even if those clones are never going to be copied to another system.  Things will be different for at least one of the six editions (announced today) of the next version of Windows (Vista).  Windows Vista Enterprise will include the express version of Microsoft's VirtualPC virtualization software.  VirtualPC is a competitor to VMware's VMware Workstation.  However, the Enterprise version of Vista will only be available to companies that have executed a Software Assurance contract or an Enterprise Agreement licensing plan with Microsoft.  

To the extent that enterprises use centralized desktop management and provisioning solutions (and many enterprises do), the virtual machines running "out there" on users' desktops will simply look like another desktop system that can be separately managed.  Other than the fact that the number of total systems that have to be managed goes up, this shouldn't be too big of a deal from a management perspective. Most centralized solutions scale pretty well.  But what about those home or small business environments where people begin to realize the value of VM technology and start using it (especially as it becomes more pervasive in the hardware)?  As much as I love to extol their virtues, use of VM technology could spiral into a security and management nightmare.

The problem starts with the first system that gets carved into multiple virtual machines.  The technology is cool and it has some amazing benefits.  But for all intents and purposes, each VM is a distinctly separate instantiation of an operating system (separate from each other and separate from the OS that's running on the bare metal in non-virtual mode) that requires its own security software and updating scheme.  In other words, just because you're running anti-virus and anti-spyware solutions on the OS that's playing host to your virtual machines and just because you're keeping that OS up-to-date with the latest updates doesn't mean that you're safe.  Each virtual machine has to be separately updated and each virtual machine has to have its own anti-virus and its own anti-spyware.  In the "this is pretty cool" department, each virtual machine can also have entirely different personal firewall settings.  In other words, the challenges that go with managing a desktop or notebook with 10 virtual machines on it are pretty much the same as the challenges of running a local area network with 10 workstations on it.  And yes, there are centralized solutions that are designed to ease the management headaches for IT departments that have to watch over multiple systems, but those solutions are hardly designed or priced for end user usage.

Where this problem will really rear its ugly head is in the home environment.  Eventually, consumers will pick up on the virtues of VM technology.  Maybe they'll see my blogs.  Maybe Intel will begin an ad campaign that gets users hooked on its Vanderpool virtualization technology for end user systems.  Maybe a friend will convince them.  Then what?  I'm imagining a home with three or four computers, each with a few VMs on them.  It isn't hard to imagine one person -- the techie in the house -- managing somewhere between 10 and 15 systems.  Right now, the security companies are doing very little to deal with this problem other than acknowledging the proliferation of systems under one household roof.  For example, Comcast allows its Internet customers up to seven copies of McAfee's security solutions for free (see Comcast's Magnificent Seven: A deal too good to pass up?).  But in an interview before he left McAfee, then-president Gene Hodges agreed that certain spoils of victory will go to the security vendor that figures out how to turn the management of multiple home systems (from all perspectives; security and otherwise) into child's play and to do so at a reasonable price.  In addition, the solution will have to cover other devices as well (e.g., PDAs).

Whatever solution that vendor comes up with will undoubtedly be good for VM environments as well.   Today, "that vendor" apparently doesn't exist.  OK, now I will get flooded with email from vendors (many of which I've never heard of) saying that they have the solution.  Spare me the email flood and take me out as the middleman.  Make your pitch using ZDNet's TalkBack feature below (in the comments area).  

Finally, you could also argue that it's the job of the VM technology maker -- in my case, that's VMware -- to come up with the management tools that turn this otherwise difficult task into child's play.  Yesterday, while talking to him about how the change in processor manufacturer triggered Microsoft's WPA routines, I asked VMware group product manager Srinivas Krishnamurti if his company had anything in the works.  His response was that he can't comment on unannounced products. In my 15 years of IT journalism, such code usually meant "probably not."