New IBM PHANTOM virtualization initiative reaches far and wide

One of the primary drawbacks to using virtualization for server consolidation is that it dramatically reduces the number of points of failure in the datacenter, so that security breach or a hardware failure on a single machine can expose multiple (virtual) servers to compromise or malfunction. The industry is acutely aware of this issue, as evidenced by the growing number products aim at improving fault tolerance for virtual servers.

IBM, the company that pioneered the concept of virtualization with its mainframe systems, is tackling the security issue with Project PHANTOM, an initiative that's so secret that IBM won't even say what the name means. Still, that hasn't stopped them from putting out a press release on it, touting it as a "research breakthrough."

Update

I had a quick call with IBM yesterday and got some detail on PHANTOM. The company was still not willing to talk in any detail about it, but I did learn some important information that answers the questions I raised in my original post, which I've included below in its own section.

For starters, PHANTOM is not one particular technology, but rather a widespread research initiative within IBM that will eventually result in a range of products, services, best practices whitepapers, etc.. The initiative was started two years ago as a collaboration among various hardware and software groups within IBM, and has since expanded to embrace some third parties whose identities IBM isn't revealing just yet. The internal groups involved in the initiative include IBM's X-Force Threat Analysis Service (a division of IBM's Internet Security Systems), IBM Watson research center, and the server platform groups behind the z- and p-series servers, among others.

IBM stressed to me that the initiative will produce results for a wide variety of hardware/software combinations, including x86 systems, Windows, Linux, POWER, and others. So the scope of PHANTOM, broadly defined, includes all virtualization platforms, products, and services.

Clearly, whatever else it is, PHANTOM is also extremely ambitious. It's also still mostly under wraps, so we'll have to wait for more announcements before giving further details.

More PHANTOM background (original post)

From what IBM has revealed, and again, details are scarce, PHANTOM is aimed at locking down the hypervisor so that it's more resistant to intrusion. As the company puts it, most enterprise security technologies are aimed at locking down traditional networks of single-OS machines. But PHANTOM starts with the assumption that the OS is virtualized and then goes from there.

One key component of this hypervisor-level technology is its ability to view and monitor the complete state of every guest OS. Instead of just looking for compromised binaries, like traditional antivirus software, it looks for compromised virtual machines. It also monitors network traffic into and out of the virtual machines, looking for suspicious patterns that might indicate that a virtual server is being controlled by an intruder.

Plenty of important questions remain unanswered on the project, like whether it's software-only or has a hardware component. It's also not clear if PHANTOM is strictly for IBM's mainframes, or if it will be used in commodity (i.e., x86) servers as well.

The notion of securing the hypervisor and using it to monitor guest machines for unauthorized activity isn't new, even within IBM. Both the Xbox 360 and the PlayStation 3 are virtualized for exactly this reason—Microsoft, Sony, and content companies use the consoles' secure hypervisor to enforce DRM and other restrictions.

Outside of the IBM ecosystem, Intel's vPro has been doing exactly this sort of hypervisor-based monitoring of virtual machines and network traffic since last year. Intel's Trusted Execution Technology (TXT, formerly LaGrande) provides hardware support for securing virtual machines and monitoring I/O traffic.

I actually have a call in to IBM PR so that I can try to sort out what PHANTOM does that vPro doesn't, so if I learn anything new I'll update this post to let you know.