Chris Hoff Gets It
Hoff gets it. It was refreshing to come back from VMworld and read his entry about virtualization security and the need for operations and security teams to work together. At Always On I discuss this in more detail in the follow-up post to Sparky, but I think Hoff does a great job of getting to the essence of the challenge with the following:
What I suggested was that since now we see the collapse and convergence of the network and the compute stacks into the virtualization platforms, the operational impact of what that means to the SysAdmins and Network/Information Security folks is huge. The former now own the keys to the castle whilst the latter now “enjoy” the loss of visibility and operational control. Because the network and InfoSec folks aren’t competently trained in the operation of the VM platforms and the SysAdmins aren’t competently trained in securing (holistically — from the host through to the network) them, there’s a natural tendency for conflict.
So here’s what VMware needs to do immediately:
1. Add a series of whitepapers and sessions that speak directly to assuage the fear of the virtualization unknowns targeting the network and InfoSec security staffers.
2. Provide more detail and solicit feedback relating to the technical roadmaps that will get the network and InfoSec staffer’s visibility and control back by including them in the process, not isolating them from it.
3. Assign a VMware community ombudsman to provide outreach and make his/her responsibility to make folks in our industry aware — and not by soundbites that sponsors contention — that there are really some excellent security enhancements that virtualization (and specifically VMware) bring to the table.
4. Make more security acquisitions and form more partnerships. Determina was good, but as much as we need “prevention” we need “detection” — we’ve lost visibility, so don’t ignore the basics.
5. Stop fighting “FUD” with “IAFNAB” (It’s a feature, not a bug) responses.
6. Give the network and InfoSec folks solid information and guidance against which we can build budgets to secure the virtualization infrastructure before it’s deployed, not scrap for it after it’s already in production and hackbait.
7. Address the possibility of virtualization security horizon events like Blue Pill and Skoudis’ VM Jail escapes head-on and work with us to mitigate them.
8. Don’t make the mistakes Cisco does and just show pretty security architecture and strategy slides featuring roadmaps that are 80% vapor and call it a success.
9. Leverage the talent pool in the security/network space to help build great and secure products; don’t think that the only folks you have to target are the cost-conscious CIO and the SysAdmins.
10. Rebuild and earn our trust that the virtualization gravy train isn’t an end run around the last 10 years we’ve spent trying to secure our data and assets. Get us involved.
I will tell you that both Kirk and Banjot recognize the need for these activities and are very passionate about solving them. I look forward to their efforts.
I apologize to Chris for reposting such a large chunk from his post… but it was beefy and editing only seemed to distort. You will want to read his entire post. If you don’t subscribe to his blog, you’ll want to. I suspect this won’t be the last you’ll hear from him on virtualization security.
Disclosure: I’m the VP Marketing at Blue Lane Technologies. Blue Lane is a VMware Technology Alliance Partner and a 2007 winner of Best in Interop and InfoWorld Tech of the Year (both in security). Blue Lane also won a 2007 Best of VMworld finalist award in data protection. In August Blue Lane also became the first network security appliance to be recognized by Microsoft for passing thousands of protocol tests without false positives.