Citrix’s Crosby & The Mother Of All Cop-Outs
In an article over at SearchSecurity.com, Simon Crosby, the CTO of Citrix, suggests that "Virtualization vendors [are] not in the security business."
Besides summarizing what is plainly an obvious statement of fact regarding the general omission of integrated security (outside of securing the hypervisor) from most virtualization platforms, Crosby’s statement simply underscores the woeful state we’re in:
While virtualization vendors will do their role in protecting the hypervisor, they are not in the business of catching bad guys or discovering vulnerabilities, said Simon Crosby, chief technology officer of Citrix Systems.
Independent security vendors will play a critical role in protecting virtual environments, he said. "The industry has already decided a long time ago that third party vendors are required to secure any platform," Crosby said. In this interview, Crosby agrees that using virtual technology introduces new complexities and security issues.
He said the uncertainties will be addressed once the industry matures.
I’m sure it’s reasonable to suggest that nobody expects virtualization platform providers to "…catch
bad guys," but I do expect that they employ a significant amount of
resources and follow an SDLC to discover vulnerabilities — at least in
their software.
Further, I don’t expect that the hypervisor should be the place in which all security functionality is delivered, but simply transferring the lack of design and architecture forethought from the hypervisor provider to the consumer by expecting someone else to clean up the mess is just, well, typical.
I love the last line. What a crock of shit. We’ve seen how well
this approach had worked with operating system vendors in the past, so why
shouldn’t the "next generation" of OS vendors — virtualization
platform providers — follow suit and not provide for a secure operating environment?
Let’s see, Microsoft is investing hugely in security. Cisco is too. Why would the other tip of the trident want to? VMware’s at least taking steps to deliver a secure hypervisor as well as API’s to help secure the VM’s that run atop of it. Where’s Citrix in this…I mean besides late and complaining they weren’t first?
So, in trade for the "open framework for security ecosystem partnership" cop-out, we get to wait for the self-perpetuating security industry hamster wheel of pain to come back full circle.
The fact that the "industry" has "decided" that "third party vendors are required to secure any platform" simply points to the ignorance, arrogance and manifest destiny we endure at the hands of those who are responsible for the computing infrastructure we’re all held hostage with.
Just so I understand the premise, the security industry (or is it the virtualization industry?) has decided that the security industry instead of the OS/infrastructure (virtualization) vendors are the one’s responsible to secure the infrastructure — and thus our businesses!? What a shocker. Way to push for change, Simon.
I can’t even describe how utterly pissed off these statements make me.
/Hoff
Unbelievable.
Another quote:
"I don't think that we are competent to be a security vendor".
I understand that security may not be their core competency, but that is no excuse for not hiring a handful of smart people and making it dammed close to their core.
How about:
"The industry has already decided a long time ago that third party vendors are required to secure any platform…."
…..that is designed and build by incompetent vendors.
Okay, if this company cannot figure out that it is more expensive to take ANYTHING into consideration after development, what does it say about their development practices? Do companies really want to implement a product that uses this approach to their problems. As already stated, they are not in the security business. But they can, and should take it into consideration as they move forward. After all, if the companies who purchase their products go out of business due to breaches, failure to meet service requirements, or any number of other attack vectors and business considerations, who will be helping Citrix meet their maintenance funding objectives?
Time to dump the Citrix stock, if you have any.
Go forth and do good things,
Don C. Weber
Render unto Ceasar things which are Ceasar's …
. . . and unto security vendors things that deal with security. So it seems to be what Citrix CTO, Simon Crosby is saying in this audio interview on Search Security with Rob Westervelt. I was all set to write
Me thinks the business case for security is tied to anticipated revenues from production data centers. Security is a paradox for software vendors and typically an upsell opportunity versus an add-on. So enhanced security would help a virtualization vendor accelerate growth in production versus produce a revenue stream. I think Simon either tipped his hand (devtest vs production) or figured thet CTXS would have plenty of time to replicate VMsafe. Neither assumption IMHO is that attractive from a mkt cap standpoint.
What I said is that we are not a security vendor. That is true. We do not spend our days and nights looking for attackers, or trying to find viruses. That is not our business, and never will be. And there is a strong and vibrant ecosystem of security vendors whose job it is to do that. They are all moving to do this for virtualized guests, as plug in vendors to the hypervisor. that is the right architecture.
In terms of the hypervisor, we are manically focussed on security, as is VMware. Xen supports TPM, and trusted platform boot using platform based attestation is on the roadmap. Xen does not contain drivers, and implements a multi level secure architecture. Xen is massively and continually tested by the community and Citrix in its own product XenServer, specifically to ensure that it is secure and not vulnerable to attack. But we are not in the business of securing guests, and *that is the right approach*.
Even VMware with VMsafe simply exposes APIs to third party security vendors, so that customers can choose their preferred security partner to secure guests. Any assertion that the virtualization platform vendor can also be a security vendor for the guests is quite ludicrous, and I suspect that even Hoff would understand that. But if not, then I rest my case.
Simon
Simon:
Prior to responding, I'd really like to confirm that you *actually* wrote this, so until I can, I'll keep it short.
>> But we are not in the business of securing guests, and *that is the right approach*.
I'm not arguing about securing the guest operating systems. I *am* talking about securing the instantiation of those guests as "hosted" by your virtualization platform. The myopic focus on the hypervisor versus the entire solution is folly.
Perhaps this is semantics, but assuming it's not…
Abstracting the notion of securing the guest OS from securing the VM as a (excuse the wording) "container" is what I am referring to.
Securing the hypervisor whilst closing your eyes to the likelihood that the majority of attacks against it will come from the "guests" is silly.
Hoping (as a strategy) that the underlying platform does not allow for the propagation of attacks against other "guests" or the hypervisor should be your concern and this means that there's got to be a level of functional security competency to do so.
The thinner the hypervisor becomes, the more the security problem mimics the "squeezing the balloon problem," it doesn't change size, only shape.
Pushing the responsibility to to third party security ISV's in order to secure the VM's (again, the "container" and not the OS of the guest) and preventing them from compromising one another or the hypervisor is difficult for me to comprehend.
I just have a hard time believing that as your product and others become the next "data center OS" that you don't recognize the parallels and tribulations of Microsoft's approach.
Microsoft is fundamentally concerned now with making the OS as resilient and secure as possible whilst preventing the applications and interaction with elements riding on top of the OS from doing bad things to the system as a whole; this isn't just to protect the OS, but the assets on it.
Protecting the hypervisor is needed and a great idea. Pretending that you're the center of the universe and someone else will clean up the mess doesn't compute given the lousy track record we have for evidence thus far using this model.
/Hoff