
"Every data center cybersecurity team faces the same impossible equation: host-based agents consume CPU cycles that high-performance computing requires. For years, the industry has tried to balance this trade-off. The more security you implement, the more performance suffers; yet, the more you preserve performance, the greater the risk of blind spots."
"For an example of such a blind spot, look no further than the gap between a virtual machine (VM) and its physical host. In March 2025, Broadcom patched a series of VMware ESXi zero-day vulnerabilities that could escape the VM sandbox entirely. In 2023, the ESXiArgs campaign affected an estimated 3,800 servers globally. In both instances, a single compromise disabled or encrypted dozens of VMs simultaneously. Host-based agents were ineffective because the attack occurred in the hypervisor."
"The solution is not optimization; it requires reimagining the architecture by removing it from the host entirely. Data processing units (DPUs), installed on each server, provide this capability. Executing security workloads on the DPU instead of the CPU frees the host CPU and GPU cycles for the operations they were built to perform. Even better, the DPU is invisible and inaccessible to attackers because it operates independently from the host OS."
"The end result is tamper-proof security, enforced at line speed - without any negative performance impact."
Legacy Risks at a Modern Pace
"Data centers have always been among the most challenging environments to secure. Physical servers host hypervisors. Hypervisors host VMs. VMs host containers. Each layer adds abstraction, and each abstraction introduces blind spots where assets go unmanaged and vulnerabilities remain undetected."
Host-based security agents consume CPU cycles needed for high-performance computing, creating a trade-off between security coverage and performance. Hypervisor-level attacks create blind spots because a compromise can escape the VM sandbox and disable or encrypt many VMs at once. The VMware ESXi zero-days and the ESXiArgs campaign show that host-based agents fail when the attack targets the hypervisor rather than the guest. Moving security off the host lets DPUs execute security workloads independently of the host OS. DPUs free host CPU and GPU resources, are invisible to and isolated from the host OS, and so limit what an attacker on the host can reach. This approach supports tamper-proof security enforced at line speed without performance loss. Layered abstractions and accumulating misconfigurations further increase unmanaged assets and undetected vulnerabilities over time.
#data-center-security #hypervisor-vulnerabilities #dpus #performance-optimization #zero-day-exploits
Read at SecurityWeek