Virtualization? So last Tuesday.
This post contains nothing particularly insightful beyond noting the pronounced giant sucking sound that has left a vacuum in terms of forward motion on security and virtualization.
- There's an awful lot of focus moving from the (cough) mature space of server virtualization to the myriad of options and solutions in client virtualization, as the pendulum of where we focus our efforts swings yet again.
We're in the throes of yet another "great awakening" where some of us realize that (gasp!) it's the information we ought to secure and that the platforms themselves are insecure and should be treated as such. However, we've got so much security invested in the network and servers that we play ping-pong between securing them, bypassing the crown jewels. Virtualization has just reinforced that behavior, and as we take stock of where we are in (not) securing these vectors while looking for the next silver bullet, we knee-jerk back to the conduit through which the user interacts with our precious data: the client.
The client, it seems, is the focus yet again, driven mostly by economics. It's interesting to note that even though the theme of RSA this last go-round was "Information Centricity" someone didn't get the memo.
Check out this graphic from my post a ways back titled "Security Will Not End Up In the Network…" for why this behavior is not only normal but will, unfortunately, lead us to keep chasing grass that turns out not to be greener on the other side. I suppose I should really break out the "host" into server and client accordingly:
- ISVs are in what amounts to a holding pattern waiting for VDCOS, VI4, vSphere with vNetworking and the VMsafe APIs to be released so they can unleash their next round of security software appliances to tackle the problems highlighted in my Four Horsemen of the Virtualization Security Apocalypse series. For platforms other than VMware, we've seen bupkis as it relates to innovation in VirtSec.
- The "Cloud" has assimilated us all and, combined with the stalling function above, has left us waffling in ambivalence. The industry is so caught up in the momentum of this new promised revenue land that the blinding opportunity, combined with a lack of standards and a slew of new business and technology models, means that innovation is being driven primarily by startups while existing brands jockey to retool.
Further, and rightfully so, the accelerated convergence of storage and networking thanks to virtualization is causing heads to a-splode in ways that reduce security to nothing more than a shrug and a prayer. What it means to "secure the cloud" is akin to pissing in the wind at the moment. Hey, if you've got to go, you've got to go…
It's messy. It's going to get messier, but the good news is that it's a really exciting time. We're going to see old friends like IAM, IDP, VPNs, and good old fashioned routing and switching tart themselves up, hike up the hemlines and start trolling for dates again as virtualization 2.x, VirtSec and Cloud/Cloud Security make all the problems we haven't solved (but know we need to) relevant and pressing once again.
This comment contains nothing insightful other than to express my love for your punctuated equilibrium graph, and to note that the Information Centricity phase is little more than a signpost in the Nevada desert we pass at 90 mph on our way to Barstow. Those few milliseconds we spend there are hardly worth mentioning. It's more like the bigger network and host kids playing 'keep-away' from their younger information-centric cousin. And as big vendors continue to wage war over where and what we virtualize, the general discussion of wrapping data in a protective container so it does not care about the network/host fashion of the day is outside the major firms' general focus, business plan and best interest. Data remains insecure because data security is not really the problem most are trying to solve with virtualization security or security in general. ISC has little traction, and of the variants, only DLP has managed to gain a meaningful foothold. This spastic see-saw of network/host partial security will continue to suck and blow for the foreseeable future.
@adrianlane In the immortal words of Colonel Sandurz in Spaceballs: "Oh, my God. It's Mega Maid. She's gone from suck to blow."
Re: Security will not end up in the network
The age-old problem still exists with implementing security in the hosts: quantity and variety. Let's face it, initial "firewalls" simply tried to isolate and control the exposure (cf. Ranum). If all traffic has to transit through a single control point, we only have to secure the single point.
Obviously, as @tqbf pointed out in his recent twitter, the castle is in tcp/80 and tcp/443.
But I don't think the answer is to secure all the hosts. YMMV.