What Is Virtualization Security?

Virtualization abstracts hardware, enabling multiple workloads to share a common set of resources. Virtualization security protects virtualized IT infrastructure through a mix of software- and hardware-enabled controls and policies.1 2

Why Deploy Virtualization Security

  • Hybrid and remote workforces create new security challenges for businesses.

  • Through virtualization, workloads from different organizations running on the same PC can be isolated from each other, reducing attack surfaces and minimizing privacy exposure, thereby enabling greater data security across shared environments.

  • Intel vPro® hardware security technologies augment software-based security solutions with depth-of-defense protections that help thwart attacks before they advance across virtualized environments.

author-image

By

What Is Virtualization?

Virtualization takes a single physical computer or server and partitions it into several virtual machines by separating computing environments from physical infrastructure. On shared virtualized hardware, multiple workloads can run in full isolation from each other in a performant manner.

Many businesses today leverage client virtualization for these and other advantages:

  • The ability to run different operating systems or modified versions of the same operating system. This enables, for example, a programmer to code in both Linux and Windows 10 on the same machine.
  • Isolating workloads on the same PC for better security, resilience, and system uptime.

Virtualization enables isolated workspaces to be launched on any compliant PC. Since workspaces are isolated, a workspace has less of an impact on the others. This also enables businesses to deliver a resilient service to employees and business partners alike.

Ultimately, virtualization helps secure digital assets, promote system uptime, and preserve business continuity.

Trends Driving Virtualization

One prominent trend driving the rise in virtualization is the increasing number of employees who are working remotely. Accordingly, company PCs are now routinely deployed in the home, and IT security teams are seeing an increase in personal business being conducted on company PCs. As employees visit websites, shop online, and interact on social media sites, they may inadvertently expose the company network to malicious code. This paradigm also puts a company’s internal systems at risk because home networks may lack adequate security protections.

Consider also the growing gig economy and that contract workers often serve multiple businesses from a single PC. If even one of a contractor’s clients has suffered a breach, all client environments connected to the shared PC may be immediately at risk.

In separating out different workspaces for users such as remote employees and independent contractors, business PC virtualization delivers both the data security and privacy protections organizations require. Leveraging hardware telemetry and platform attestation allows IT personnel and antivirus solutions to quickly identify and address performance bottlenecks and breaches without significant impacts to compute performance or business continuity.

Why Cyberattacks Are Rising

Small and medium-sized businesses are increasingly being targeted by ransomware gangs. Attackers are now employing cryptojacking malware at alarming rates, a trend that is expected to continue. Attackers today continue to leverage AI to evolve their methods as well and are often able to evade antimalware defenses by cloaking in virtual machines or through binary obfuscating.

PC endpoints used by a remote workforce offer an easy way for malware to steal corporate secrets from PCs connected to insecure home and public networks. In addition, such PC endpoints offer a direct pathway for malware to infect cloud systems. Once an MSP or SaaS provider cloud has been breached, ransomware often moves laterally to compromise other connected machines.

While businesses today typically rely on software-based security to protect their digital assets, security software can be bypassed by an attacker who has obtained higher privileges through a vulnerability in either the software or hardware.

To address security threats on all fronts, businesses need to adopt a defense-in-depth security model built on advanced hardware virtualization security capabilities.

Protecting Virtualizations with Intel® Hardware-Based Security

Hardware-based security capabilities bring much-needed layers of protection to virtualized workloads. By design, embedded hardware security technology has a better view of the computing environment than software-based security solutions because it resides at the system level. Hardware-based security capabilities augment traditional software-based tools with a multidimensional approach that includes below-the-operating-system security features.

To provide defense-in-depth virtualization security, Intel offers a full portfolio of hardware-based security technologies:

Security with Intel vPro® and Intel® Hardware Shield

An integrated platform that delivers the latest PC technology in one validated solution, Intel vPro® Enterprise for Windows OS has built-in features that are designed to enable trusted client virtualization by more securely executing virtualized workloads helping to secure assets in memory.

Intel vPro®’s hardware-based security capabilities help enable profiling and detection of ransomware and other threats that can compromise data and degrade CPU performance.

Intel vPro® helps protect the entire fleet of devices in an organization, with a multilevel approach that includes protection from firmware-level attacks on the BIOS and endpoint management support so IT staff can monitor, restore, and patch devices remotely. Endpoint management, in particular, helps protect the fleet and reaches devices that are not physically accessible.

Embedded in all Windows PCs build on Intel vPro®, Intel® Hardware Shield enables workload isolation to help reduce the attack surface of computing environments and prevent malware from persisting and spreading across resources.

The security features of Intel® Hardware Shield allow businesses to benefit from deep platform visibility, hardware-based isolation to protect credentials, browser isolation, and hypervisor protection against malware executing code.

Intel® Threat Detection Technology

Intel® Threat Detection Technology (Intel® TDT), applies machine learning to CPU telemetry to help detect malware code execution fingerprints, irrespective of obfuscation techniques.

Intel® TDT works on virtualized Windows machines by first filtering out false positives and then signaling off the attack to Microsoft Defender for Endpoint, which can apply numerous remediation measures, including killing the malware process. The entire cycle happens in seconds, preventing impacts to the user’s machine and preserving the user’s computing experience.

Because Intel® TDT is an established model that is continuously updated, it works with CPUs from previous Intel® Core™ processor generations and will work with Intel-based PCs for years to come.

Intel’s Commitment to Product Assurance

Intel is highly committed to product and security assurance. As part of this commitment, Intel regularly releases functional and security updates for supported products and services through its Intel® Platform Update (Intel® IPU) program.

Through the IPU program, the Intel ecosystem of partners works to validate and integrate Intel® product updates into their own solutions and then releases the updates through direct channels. Ultimately, the IPU process facilitates coordination and vulnerability handling across the ecosystem, keeping Intel® platform users protected from advances in malicious code.

Securing Virtualization with Intel

While IT departments have struggled for decades to manage an ever-changing threat landscape, deploying client virtualizations can help by isolating workloads and reducing the attack surface accordingly.

Intel® hardware-enabled security provides defense in depth by enabling the expansive platform visibility and advanced threat detection required to protect today’s remote workforces deployed at vulnerable endpoints. Ultimately, Intel vPro® Enterprise for Windows OS allows virtualized environments to deliver on their promise, enabling the speed, performance, and agility users have come to expect while also providing the foundational virtualization security needed to thwart today’s increasingly sophisticated attacks.

Product and Performance Information

1

All versions of the Intel vPro® platform require an eligible Intel® Core™ processor, a supported operating system, Intel LAN and/or WLAN silicon, firmware enhancements, and other hardware and software necessary to deliver the manageability use cases, security features, system performance and stability that define the platform. See intel.com/performance-vpro for details.

2

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex. No product or component can be absolutely secure. Your costs and results may vary. Intel technologies may require enabled hardware, software or service activation. Intel does not control or audit third-party data. You should consult other sources to evaluate accuracy. © Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.