Attack Of the Virtualization Hacking Hyperbole…Whiskey Tango Foxtrot, Over.
I'm literally emulating a bobble head doll at this point. In a fit of snarky confusion, I'm simultaneously trying to nod-shake-shrug my oversize gourd to arrive at some commonsensical conclusion about this piece. I can't, so my head just flops about like the headpiece on a 4-axis CNC machine.
Tarry Singh from the Avastu Blog spends his time as an independent analyst covering virtualization and cloud computing. His latest post regarding security left me scratching my head.
I had a bunch of folks ping me asking me for my interpretation of Tarry's latest work but I thought I'd turn it over to you lot since the more eyeballs the merrier.
Tarry's post is titled "Good News! Hackers Focus On Virtualization."
I read it. I read it again. I had something to drink. I read half of it.
I think what Tarry's trying to say is that, with more attention being paid to virtualization platforms by "hackers," we ought to see increased pressure for more secure environments due to impending carnage from mounting exploits and regulators amassing mad virtualization audit skillz. I could be wrong as it was really, really good wine.
Despite abusing the term "hackers," it's not an unreasonable assertion despite being dusty. The rest of the post (or the wine) still leaves me a bit dizzy.
Pay attention now, I'll highlight the interesting bits in bold…
understanding that it's not the OS where all the energy will be spilled but on the Virtual Data Center OS, as VMware puts it.
- This is a validation of the fact that Virtualization is going mainstream
- Security and Compliance will be core focus of all organizations
- Virtual Infrastructures are easier to battendown and secure due to its uniformity
- Regulators will increasingly ask for audits, where as in traditional environments (I've seen such audits by the like of KPMG etc) and always wondered like "wow–so are so prepared, dude, NOT!", Virtual environments suddenly enables auditors to ask the right questions and get or not get the expected results.
- Focus on security would mean that we will have to work harder to provide a secure and compliant platforms.
I welcome this shift. Virtualization platform are secure and have been secured, the ones that aren't, should start doing it right away. I'll be personally speaking in an event in November on security and why a "secure and complaint practice will enhance your competitive edge", its not just about securing, your customers want to know if they are secure with you. Feel free to mail me if you need more information.
I'd be very interested to understand what a "secure and compliant practice" within the scope of a virtualized environment means, especially in light of some of the statements above.
Tarry, you've got mail.
/Hoff
"Virtual Infrastructures are easier to battendown and secure due to its uniformity"
I fail to see how vm's are any more or less uniform or hardened than hardware servers. 'Golden Images' and 'OS Clones' have been around a half decade longer than VM's. If you aren't cloning your real servers from hardened master images, why would I think that you are smart enough to figure out how to clone your VM's?
"Virtual environments suddenly enables auditors to ask the right questions and get or not get the expected results."
Auditors are either smart enough to ask the right questions or they are not. I see both types every few months. If they aren't, they won't figure out how to audit VM's. If they are, they will.
Maybe 'cause I'm on my second glass?
Ouch … stop it … don't cross post stuff like this … I hurt my neck.
Hey Chris,
You're drinking too much (but I knew that all along) but your assumption on what I was implying by (partly) sensationalizing the post (with some typos from my end- do remember in Europe we drink really very good wines as well) is pretty much correct.
My post says:
Virtualization is going mainstream and obviously security concerns are popping up in every discussion I hold.
And I haven't got your mail yet. You can call me as well and we can do a second call with other security vendors as well. Do you want me to set it up with Melissa?
I think this is the sort of stuff that sounds good to people who don't otherwise understand Virtualization and need an advisor. But to anyone in the know, well, they can see it for the mess of statements it is.
But hey, I'm feeling nice today since it is raining out and maybe I'll just chalk this up to a professional blogger not communicating very well in English. 🙂