Traditional anti-malware products have suffered from some fundamental flaws that limit their effectiveness. First of all, relying on signatures is, by definition, a reactive approach; there cannot be a signature until the malware exists. Secondly, it is impossible to guarantee detection of malware running with root privileges when the detection system is running at the same privilege level. In other words, if a rootkit is running within the supervisor, who’s supervising the supervisor?
That the threat landscape has changed is well-known. The most important shift has been moving from thrill-seeking weekend warriors to a range of hackers with a variety of motives, ranging from disgruntled employees, to political activists, to profit-driven professional hacking organizations. This shift has directed an evolution of attack vectors. While the “same-old” social facilitators hold true, the quality of the malware has changed. No longer can we expect loud, malicious software. No longer can we expect to detect driver-level malicious code because it’s poorly written; these guys aren’t blue-screening systems these days. Even worse, they know your systems better than you do!
Security and infrastructure are converging. “Who will inspect the supervisor?” The answer is in the infrastructure. In creating this ecosystem, Citrix is taking a bold step forward for security in virtualized environments. This is a move away from inspecting operating systems and applications. The ecosystem, and the vendors that are capable of embracing it, represent a new paradigm in security. It is possible that the old ‘inspect root from root’ dilemma is disappearing (or “has disappeared”).
The delivery method will be key. Customers, from SMBs to the largest enterprises, do not want to pick and choose security to match infrastructure, operating systems, and applications all of the way up the stack. This pick-and-choose method is time-consuming and fraught with patchwork solutions. It is also a money pit because it is effort-intensive with difficult-to-quantify results; it creates integration efforts which add to the cost of security. Simply put, customers want security that is built-in, from top to bottom in the stack. Virtualization, by the very definition of the hypervisor, provides a secure space from which security can be applied. It is therefore up to virtualization vendors to provide this security role.
Bolt-on security will always have limitations. Baked-in security has real implications for the vendors that are capable of working with infrastructure vendors. Creating a tangible, security-aware infrastructure is a job that both infrastructure and security vendors share. The security of a software-defined datacenter belongs to the ecosystem. Finally, we may be able to agree that the idea of “security by design” is feasible.
Citrix XenClient® XT implements “security by design” through a flexible architecture that is designed to provide extreme security and isolation for the public sector and other highly regulated environments. It uses a hardened Type-1 Xen® Project client hypervisor that runs on bare metal to maximize security without compromising performance. Hardware-assisted security features such as trusted boot and disk encryption from the Intel® vPro™ platform ensure only authorized users have access to sensitive data. Most importantly, an open architecture allows partners and other third parties to extend the XenClient XT platform to provide additional value-added capabilities. When taken together, these capabilities transform Citrix XenClient® XT into a flexible, future-proof security platform that delivers built-in security for a leap forward in security.
The Citrix Client Virtualization Group has been actively engaged in various activities to form a new virtualization security ecosystem based off of the XenClient XT platform. We have been working closely with various security vendors by sharing our virtualization and security experiences with them.
One example of this is the VCD-IA extension pack from Adventium Labs, which was built on top of the Citrix XenClient XT platform for additional defensive capabilities. Another example comes from Bitdefender, which demonstrated at Citrix Synergy Los Angeles 2013 a memory retrospection Service VM implementation built on top of the Xen® Project hypervisor to protect guest virtual memory against malicious memory infection operations. “Citrix is establishing a very attractive ecosystem based on XenClient XT enabling security vendors to go beyond traditional endpoint paradigm,” says Robert Krauss, Director of Strategic Alliances at Bitdefender.
This new virtualization security ecosystem, being built on top of the Citrix XenClient XT platform by security vendors and other third parties, augments the strongest security capabilities offered by Citrix XenClient XT to protect highly regulated environments. Download and evaluate XenClient XT in your own environment for free and read more about the latest release of XenClient XT!
About the Author:
Ahmed Sallam is a Citrix cross-functional VP and CTO leading technology and solutions strategy in the new emerging era of smart devices, IoT, IoE, system virtualization, server physicalization and security. His focus is on new emerging end-to-end solutions ranging from devices to networks to clouds across Citrix lines of products. Ahmed drives Intellectual Property growth opportunities and monetization strategy for Citrix as well. He works closely with software and hardware ecosystem partners integrating into Citrix open platforms. He served as CTO and VP of Product Strategy for Client Virtualization. Ahmed is a renowned expert across the industry, well known for pioneering new models in computer system virtualization-based security and management, delivering flexible, well-managed and secure computer experience with high safety assurances. Ahmed holds 25 issued patents and has more than 40 published and pending patent applications.
Follow Ahmed on Twitter: https://twitter.com/ahmedsallam
Check out Ahmed’s LinkedIn profile: www.linkedin.com/in/ahmedsallam