IBM Conjures Phantom to Fight Hacker Menace

IBM (NYSE: IBM) unveiled a new research initiative intended to solve problems associated with virtualization and security Tuesday in San Francisco at RSA 2008. Code-named "Phantom," the project will be run jointly by IBM X-Force threat analysis team and IBM Research.

The project seeks to create virtualization security technology to efficiently monitor and disrupt malicious communications between virtual machines, the company said. With full visibility of virtual hardware resources, Phantom will also provide the ability to monitor the execution state of virtual machines.

In terms of security, a virtualized desktop is something of a black hole, said Richard Jacobs, CTO at Sophos.

"Those machines cannot be seen; that's why we recommend installing security software on each machine. But in a data center, that solution is not the most efficient. That is what IBM is doing -- trying to make securing servers more efficient," he told TechNewsWorld.

Virtually Insecure

As businesses increasingly turn to virtual computing environments, the need to secure and protect those machines from attack has grown. Security for virtual machines is somewhat different than that for a physical system. Although the need for new technologies is clear, the best way -- how and where -- to put that security into place in large part remains a challenge.

"Awareness of some of the security issues is becoming more prevalent among corporations as they adopt server virtualization technologies. Many of the traditional security tools cannot see inside the virtual environment in order to monitor the server's activities, and therefore they can't properly protect it," explained Jennifer Albornoz Mulligan, a Forrester Research analyst.

"This is especially crucial for organizations that have strict server auditing requirements because of regulations," she added.

One problem is that virtual machines often contain sensitive data and information.

"These machines are easily moved and duplicated, unlike their physical counterparts," she said. "Security managers need to be careful to put processes in place to monitor and manage serve creation, patching and destruction to ensure that their virtual servers and data are up to date on their protection and not leaking data."

Known Knowns and Known Unknowns

"[IBM] is addressing an important security issue. IBM has strong virtualization experience from their decades of experience in mainframes, and so I think they are well-suited to this market," Mulligan told TechNewsWorld.

At the initiative's core is network and host intrusion protection that will be used to safeguard the virtual environment and the machines from the inside out, IBM said. The resulting new technology will sit in a secure, isolated partition and will integrate with the hypervisor.

Phantom is intended to protect against both known and unknown threats before they occur and is designed to increase the security of the hypervisor -- a particularly vulnerable point. Once an attacker gains control of the hypervisor, he or she has control and access to every machine on the virtualized platform. With Phantom, the hypervisor will be locked down, according to IBM.

Neil MacDonald, a Gartner (NYSE: IT) analyst, refers to the technology in general as "virtual machine state inspection" (VM Inspection).

"[The technology] is potentially transformational. IBM is correct -- they're just not the only ones in the industry starting to understand this," he told TechNewsWorld.

It is an area gaining greater attention by companies such as VMware (NYSE: VMW), which announced its VMsafe product at the end of February.

"The market wasn't quite ready. People right now are trying to figure out how to deploy virtualization technology. It's the next chapter in the story, which is, now that we have securely deployed virtualization, how can we use virtualization to do new and interesting things for security?" he explained.

"That's what this announcement is about and what the VMware announcement was about," he added.