Martin Casado: How the Hypervisor Can Become a Horizontal Security Layer in the Data Center


“Security will never be the same again.  It’s a losing battle,” said Martin Casado, PhD during his Cloud Innovation Summit keynote on March 27th.   Currently, security spend is outpacing IT spend, and the only thing outpacing security spend is security losses.  Clearly this isn’t an issue of investment, innovation, or priorities as huge industries are built around security.  Mr. Casado believes there is a fundamental architectural issue: that we must trade off between context and isolation when implementing security controls.  With today’s huge data centers, there is a very large potential “attack surface” for malware and other cyber threats.

Astonishingly, Martin said that approximately “40% of actual SDN adopters paying money for SDN network virtualization are doing it as a security use case.”  The concept is to use network virtualization as a primitive, as building blocks to build micro-segments.  if you put something within one of those virtual networks, or within one of those segments, the only thing that it can see are also in that same segment. For example, for every application running on  a virtual network can have its own security services, ie. its own L4 through L7 services.  And if it gets compromised, the attack gets localized to just the layer effected.  As a result, this use case is driving a lot of the adoption of network virtualization, according to Mr. Casado.

Martin said, “This has become, I think, the driving use case (for the data center) going forward.  And as things like SDN and network virtualization cross the chasm (and become a significant revenue generating business), I think it’s security that’s going to do it.”

A Horizontal Security Layer:

Security in the data center involves a basic trade-off between context and isolation. If security control, such as a firewall a monitoring/tracking agent, is implemented within the application, it’s got great context.  It knows the users, the data, and the files.  But there’s no  isolation.  As a result, the user doesn’t trust the application or the endpoint.  “So putting a security control there is kind of like taking the on-off switch to an alarm system and putting it on the outside of a house. It doesn’t make any sense.”

“Maybe I’ll put the security control in the infrastructure. Let’s put ACLs or whatever on servers, switches and routers, which provides very good isolation between the two.  If I’m able to break into a server, I haven’t broken into the router, necessarily.  But while the attack surface is much smaller (with isolation between the separate boxes),  there isn’t any context.  The resident security control doesn’t know the users or applications. It doesn’t have access to local file systems.”

So there’s a fundamental trade-off between:

a] Great context (know everything  about the operational environment) without any real security/isolation, OR….

b] Terrible context (know nothing about the operational environment), but have great security through isolation.

Can the industry build a “Goldilocks zone” that goes ubiquitously throughout the (virtualized) data center, which provides both context and isolation?  The Goldilocks Zone would be a place where both visibility and security are possible — in a location that’s not too visible or not too inaccessible, but just right.  A horizontal security layer  that provides both context and isolation was proposed as that “Goldilocks layer” by Martin.   

Casado said that since the majority of workloads are virtualized, (horizontal) security control could be placed in the hypervisor (a separate trust domain).  That security entity could then peer into the application to pull out meaningful context (like users and applications and observe the state of the network).  It could also protect that visibility and provide protection and enforcement.  Therefore, the hypervisor seems to be an optimal place to implement security- where you have visibility, context and isolation.

“And so this is kind of a major area that I’m looking into, because again, given the state of the security industry and if things go the way we are, we’re going to be spending all our time and money on it, we do need something that will change the architecture (of the data center) and the way we view it. What we’re missing today is a horizontal layer that we can provide meaningful security.”

If this horizontal security layer is built out as a software platform (residing within a hypervisor), new security features can be included.  Martin cited two examples:

  • Next-generation firewalling with deep visibility in the end host.
  • Network access control that  understands objects and people or meaningful policies or vulnerability assessment.

–> Martin claims that data center security, whether it’s end host security, or network access control, vulnerability assessment, IDS, or IPS, etc. would all be enhanced by such a horizontal security layer.  All of them need better isolation and all of them need more context.

“So if we can build out this horizontal layer in this “Goldilocks zone,” I think we can actually move security in very much the same way that we have moved networking over the past seven years. I mean, I dedicated my life to SDN, and I think that we have the same type of opportunity here.”

Author’s Note:  When malware invades a (physical) server it immediately tries to block the operations of any anti-malware software. Since any process running on a virtualized server has no way to reach the hypervisor, a security layer that’s operating within the hypervisor can take action to mitigate the malware or security threat.  However, there is currently no security layer in VMware’s or anyone else’s hypervisor.

Martin’s Summary:

The IT industry needs to develop a horizontal layer for security controls and to use micro-segmentation to limit the attack surface within within the data centers.  That will protect the data center and the assets within it from malicious attacks.  

“This is a once in a wave opportunity, as we’re redefining these new architectures, to actually build security in as a primitive, as a fundamental primitive. So we have a root of trust. So you have a horizontal security layer that you can build rich systems on top of.”

Martin in Conversation with Michael Howard:

In the interview with Infonetics’ Michael Howard, Martin called attention to the problem of detecting the imminent arrival of a large flow of data (an elephant) that would trample smaller data flows (the mice).  “Nobody knows how to detect elephants, and we can’t do it from within the network,” he said.According to Casado, the hypervisor actually can see the future, in that it can detect the amount of data that is queued to be transmitted.  The hypervisor can therefore sniff out elephant flows.  You can go ahead and mark it, and then that will solve this long standing performance issue (between the elephant and the mice data flows) in networking.

In a subsequent email exchange, Martin wrote: “The hypervisor, with the aid of a guest presence, can look directly into the TCP send buffer to detect an “elephant” (large packet queued to be sent).  This is likely to be a far more accurate approach than anything stochastic, such as flow tracking in the network.”

Q & A with this Author:

Alan:  “Michael (Howard) asked you to explain the situation of SDN, NFV and telco service provider networks, and you mentioned what the problem is, but not the challenge telco’s face.  The problem being that web hosting (provided by telco’s)  is a low-margin business, the telco’s customers are building overlay networks to deliver cloud services and carriers want a part of that cloud business.What’s your opinion of whether or not they’ll succeed, and what really are the obstacles in building a carrier cloud?”

Martin Casado: “That’s a good question. NFV, I think at the most basic level, is just disaggregating the service from the box, and people have different ideas about what that service is. I see basically two camps. One camp is for big carrier, heavy gear that’s sold by the likes of Ericsson and Nokia Siemens, I want to decouple that software and that hardware.I think that’s going to be a very difficult journey.

I think the incentives aren’t aligned correctly. I’m not sure there’s a technical rationale for doing that. So when it comes to actually doing NFV for core carrier equipment, I don’t buy this is going to actually happen. I could be wrong, but just from an industry standpoint, I just don’t see the incentives aligned correctly.

Another way that you can view NFV is providing L4 through L7 services, things that are already virtualized and running in (Intel) x86 processors.  So I’m going to offer security services, I’m going to offer load-balancing services. For that, I think that, A, this is already happening. I think the telcos are in a great position because they own the infrastructure to provide this. You hear about virtualization of VPN using top solutions. I think all of that will happen.

I’m actually suggesting something even a little bit more radical. So, again, the NFV where you’re trying to disaggregate the big hardware boxes. I’m not sure there’s a technical justification. There’s a market justification. I don’t think there’s a technical justification. I think it’s going to be too difficult.

When it comes to kind of L4 through L7 services, these things are already on x86, virtualisation will happen. The carriers know how to provide these as a service. I think they’ll be successful with that. I’m suggesting something even more radical, which is why don’t you build an API and a platform that the guys that you typically have host have to use?

So instead of hosting BitTorrent or Netflix or whatever, have them program to your APIs. And so I’m not sure if anybody’s talking about that but me, but I do think that’s what NFV should become.”


Lack of effective security remains the number one obstacle to cloud adoption for enterprise customers. Malware is getting worse and the evil people who create it are getting better at finding ways to insert malware/ spyware into both servers, switch/routers and virtual machines.

A solution like Casado proposes (the horizontal layer within a hypervisor) seems quite workable, but it hasn’t been implemented yet by any vendor we know of.  Instead, there are a raft of add-on security appliances and agents that don’t provide a whollistic and effective security solution.  Let’s hope that security becomes a competitive issue in the world of virtualized systems, especially within cloud resident data centers.   


VMware: How the Hypervisor can be Security’s Savior’s-savior


The author sincerely thanks Martin Casado, PhD Stanford, for his diligent review of this article and his helpful comments and corrections that made it more accurate.


A Sept 27, 2014 Barron’s article hints that VMWare may sell Hypervisor security software to commodity servers and bare metal switches:
“In an age of break-ins at major retailers like Target and Home Depot, he notes, more and more network attacks can’t be stopped by conventional network firewall devices sold by Cisco and Check Point Software Technologies. To Martin Casado of VMWare, the virtual machine will assume a new role of protecting all the precious containers running on each server.

“So, call it a security visor, call it whatever you want,” he says. “The nature of a hypervisor changes to one of providing isolation for those applications,” he says. Casado’s ambition is even broader. Some of the traditional network switching business of Cisco can be disrupted, he says. VMware hypervisor software can be sold as a program to manage inexpensive switches from Dell and others that undercut Cisco’s premium. It is, to Casado, a grand transformation of the networking business, one that clearly excites him as he draws various diagrams on a white board of the shifting architecture of networks. “We haven’t even seen yet what will happen with this fundamental change” in IT, he says.

The business he oversees, called NSX, is running at over $100 million annually, still small, but Casado has 3,000 VMware salespeople to help sell it, and 50 million VMware-enabled virtual machines running in data centers—”enormous” resources,” he says.”

If he can transition VMware to the next era of data centers and networking, Casado may both save the company from obsolescence and open up a new frontier on Cisco’s turf.