
Virtualization Security Training?

I just read an interesting article written by Patrick Thibodeau from Computerworld which described the difficulties IT managers are having finding staffers with virtualization experience and expertise:

As more organizations adopt server virtualization software, they’re
also looking to hire people who have worked with the technology in live
applications.

But such workers can be hard to find, as Joel Sweatte, IT
manager at East Carolina University’s College of Technology and
Computer Science, recently discovered when he placed a help-wanted ad
for an IT systems engineer with virtualization skills.

Sweatte received about 40 applications for the job at the
Greenville, N.C.-based university, but few of the applicants had any
virtualization experience, and he ended up hiring someone who had none.
“I’m fishing in an empty ocean,” Sweatte said.

To give his new hire a crash course in virtualization,
Sweatte brought him to market leader VMware Inc.’s annual user
conference in San Francisco last month. “That’s a major expenditure for
a university,” Sweatte said of the conference and travel costs. “[But]
I wanted him to take a drink from the fire hose.”

If the industry is having trouble finding IT generalists with training in virtualization security, I can only imagine the dearth of qualified security experts in the hopper.  I wonder when the first SANS course in virtualization security will surface?

I’m interested in understanding how folks are approaching security training for their server ops, audit, compliance and security teams.  If you wouldn’t mind, please participate in the poll below.  This is the first time I’ve used Visu Polls, and you’ll need to enable scripting/Flash to make this work:

  1. October 2nd, 2007 at 04:43 | #1

    A thought and a question-
    I assume those who follow this blog are much more likely than most to take VM security seriously, so these results probably differ significantly from a poll of the general IT population. That's kinda scary given the results thus far.
    And, is there really decent, formal VM security training available? Or is it just a subset of the vendor-specific training where we hound the instructors about security?

  2. October 2nd, 2007 at 09:38 | #2

    An appropriately good thought and question, Jack. In fact, those two data points are exactly why I wanted to put the poll up. It's hardly a large sampling, but the results are telling.
    Short of what was available at VMworld, I don't know of any formal virtualization security training. I'm hoping SANS will start addressing this shortly as part of one (or more) of their tracks.
    I'd count the VMworld training — light as it was — as a formal offering, but the reality is that the show's constituency was (by informal sampling) VERY light on security folks.
    So, we're forced to educate ourselves in an ad hoc manner.
    It is scary, but expected at this point, IMHO.
    /Hoff

  3. Kyle C. Quest
    October 2nd, 2007 at 13:56 | #3

    I'm personally hoping that SANS doesn't get sucked into the virtualization security hype. Besides there's not much common foundation for it to be studied as a discipline like firewall technology. It would be either general infrastructure security information that applies regardless of the use of VMs or it would mostly be vendor specific information and for that it's usually good to get the training from the vendors themselves (e.g., Cisco certs for Cisco products).

  4. October 2nd, 2007 at 17:49 | #4

    You know why I want SANS to pick it up? Even if it's one of those lunch 'n learns? So that it gets dedicated security eyeballs on the topic, gets to the right people, and is driven by money so that it'll get budget.
    That's why I think SANS is a good choice. If security folks were interested in learning about a vendor's specific security techniques — such as VMware's — they'd go to VMworld, but the reason they don't is because security folks can't get budget to go to a "virtualization" conference, but they can go to a "security" conference that features virtualization material.
    /Hoff

  5. Kyle C. Quest
    October 2nd, 2007 at 18:33 | #5

    How about RSA conferences 🙂 Those would be a good place to speak about the virtualization security…

  6. October 2nd, 2007 at 20:39 | #6

    Except the training usually sucks 😉
    Besides, it's all about those token thingys…
    …and there won't be any standalone security companies in the next 3 years, remember…

  7. Kyle C Quest
    October 3rd, 2007 at 04:01 | #7

    I remember something about the discussion (about the security companies), so you might be just joking here 🙂 It's possible that some of the companies will simply get bought (just like it already happened) and others will be forced into an OEM business maybe. But there will always be new security companies… with new technology and new products… and it's going to take a long time before the big monsters like IBM, Microsoft, etc get into the game. This is very similar to the traditional (non-security) software business. We went through several stages of new technology emerging… driven by small companies… because it's fueled by innovation and great ideas for which the big companies sometimes don't have the best environment. The big companies eventually catch up, but it takes a long time and it doesn't mean the end of independent software companies. It's evolution…

  8. October 3rd, 2007 at 06:06 | #8

    FYI, it was Coviello's keynote…unfortunately I was only half joking…this is what he said: http://www.internetnews.com/security/article.php/
    /Hoff

  9. Kyle C. Quest
    October 3rd, 2007 at 15:20 | #9

    Now I remember 🙂 Well, I'm not surprised that he said that given that his company got bought by a bigger company. He makes the standard "unification" case that can actually apply to any industry… not only security, not only technology, but also everything else starting with banks and ending with transportation, etc. And it's also a case for monopolies, in a way, and how much they can do because they are monopolies and because they have so much at their disposal. However, history shows that monopolies and huge companies in general are slow to move forward and adapt because of their size, bureaucracy, and bad environment for innovation. I'm willing to put up $1000 for a bet that in 3 years we'll still have enough standalone security companies.

  10. October 3rd, 2007 at 16:19 | #10

    I agree.
    It's all cyclic. There are over 800+ (probably more) in the security dating pool at this point. It isn't consolidating that fast. Some will definitely die off, some will be snapped up, but with all the stuff coming down the pike (like virtualization,) you'll see companies that *used* to be one thing become another.
    Job "Security" indeed 😉
    /Hoff
