Organizations of all sizes have identified the benefits of cloud-based computing, whether it’s implementing a private or hybrid cloud on their own or accessing a public cloud through a service provider. Virtualization, a key component for building secure cloud environments, offers many advantages, including higher machine efficiency due to increased utilization, energy savings, and the flexibility to build or destroy virtual machines (VMs) on demand to meet changing organizational needs.
Choosing open source virtualization over proprietary alternatives can significantly increase savings. However, an open source Linux Kernel-based virtual machine (KVM) offers several benefits to organizations beyond just cost savings. These benefits include security, reliability, availability, performance, and scalability. In this white paper, we’ll look at the relationship between open source virtualization and the cloud, and explore the security aspects of KVM hypervisor technology, especially in relation to how it leverages SELinux and related capabilities for secure public, private, and hybrid cloud performance.
Introduction to Virtual Machines and Hypervisors
Virtualization offers the ability to emulate hardware to run multiple operating systems (OS) on a single computer. It offers a level of efficiency and scalability that makes the complex processing of the cloud possible. One of the reasons why virtualization has proven to be so cost-effective is that it can be implemented on industry-standard x86 system hardware using on-demand, high-capacity networks.
In a virtualized environment, the hypervisor, or virtual machine monitor (VMM), is the software that virtualizes the hardware and provides isolation between the OS processes, or “guests.” Without the strict controls put in place by the hypervisor, guests could violate and bypass host security policy, intercept unauthorized client data, and initiate or become the target of security attacks.
In addition, virtual machines (VMs) require the same kinds of precautions as physical machines, such as applying patches, installing anti-viral protocols, performing security fixes, and providing firewall protection. Hypervisors are designed to manage contention between processes that compete for resources, and they provide the maximum performance possible for each guest VM.
In terms of hypervisor categories, “bare-metal” refers to a hypervisor running directly on the hardware, as opposed to a “hosted” hypervisor that runs within the OS. Further classification groups hypervisors according to types. For example, a Type 1 hypervisor translates physical resources to virtual only once and a Type 2 hypervisor makes that translation twice.
The capabilities and differences between hypervisor types are often debated. In general, a Type 1 hypervisor controls the hardware and, therefore, manages how resources are allocated to VMs. A Type 2 hypervisor runs on top of another OS (e.g., Windows) and depends on the resource scheduling of that OS. Thus the hypervisor’s control is somewhat limited by the OS.
Having efficient CPU control and resource allocation enables the kinds of processing levels that make cloud computing possible. Companies employ virtualization to achieve these higher levels of resource functioning and cloud providers use virtualization for the same reasons.
One example is web content management provider eZ Systems. The company employs Red Hat Enterprise Linux (RHEL) with KVM along with the open source elastic cloud, Ixonos, to deliver its management platform and Software-as-a-Service (Saas) features. eZ Systems found that with the open, hybrid approach of Red Hat and Ixonos, it could provide its customers with the full functionality found in on-premise solutions and the same level of security offered by proprietary alternatives.
Reproduced from Global Knowledge white paper: KVM Security in the Cloud: A Choice That Matters.