I wrote this on the way home from VMworld, and procrastinated the posting just enough to be able to use the ArcSight acquisition by HP as another example of security belonging in the infrastructure.
VMware is in the infrastructure business, which means it also has to be in the security business. VMware doesn't want to say that, but needs to learn from Cisco, Intel and Microsoft by baking security into the fabric of virtual data centers and virtual desktops. Security permeated the VMware strategy discussions at VMworld, including announcements for vShield Edge, vShield Application, and vShield Endpoint capabilities. Organizations prefer enterprise-wide security to be implemented by their infrastructure vendor to reduce administration costs, protect the usefulness of the investment and simplify support issues. It is time for VMware to step up and commit to being in the strategic security business if they want to be successful in promoting their vision of IT as a cloud-based service.
VMware, and other infrastructure vendors, can learn at least 3 good lessons from Cisco, Intel and Microsoft about making a critical commitment to security:
1. The Microsoft lesson - bequeathing security to third parties runs the risk that security will be done poorly, adversely affecting customer adoption and corporate growth. VMware has the best security vision for virtual environments, and needs implementations against that vision to expand virtualization to private and public clouds. Traditional security is typically a network appliance or host-based software, but virtualization is completely different, featuring dynamic VMs that come and go and move to remote data centers. The security industry does not fully understand the technical problems, nor the business challenges. With a few exceptions, the security industry has been slow to embrace virtualization concepts, leaving VMware prospects out of compliance and at greater risk of security incidents. VMware knows what must be done and needs to assume the responsibility of securing VMware environments.
2. The Intel lesson - waiting for security leaders to embrace interfaces and innovate with disruptive technology can be like waiting for Godot. It has been many years since Intel offered secure key storage in TPMs, offline administration of endpoints with AMT, and vPro hardware-assisted isolation of virtual environments, but the industry has been glacially slow to adopt these new ideas. VMware's experience is a similarly lethargic industry response to VMsafe APIs, and it is far from clear that security vendors will give more than lip service to vShield enablers. VMware cannot afford to wait for a security eco-system to magically appear; VMware needs to initiate a virtual security market with VMware-branded security products.
3. The Cisco lesson - security can drive revenues and contribute to larger enterprise-wide deals. It is not commonly known that Cisco and Microsoft revenues from security products are greater than those of Check Point, McAfee, or RSA. In fact, the leading infrastructure vendors including Cisco, EMC, IBM and Microsoft all have thriving security lines of business that complement the corporate mission. Many organizations prefer security from their infrastructure vendor to assure consistency in management tools and problem resolution. It is easy to envision a VMware security line of business, differentiated by a commitment to making virtual environments more secure than physical, contributing several hundreds of millions of dollars in annual revenue.
The status quo approach of building an eco-system sounds good, but as of Aug 31, 2010 there were only 6 VMsafe partners. VMware can offer strategically important security for virtualization environments while still embracing a vibrant partner program. One approach to enhancing the vShield products would be to acquire a large AV company for a critical mass of security expertise, and then only invest in technology acquisitions that can be molded into a virtualization framework. Customers embracing virtualization need and deserve an accelerated path. VMware needs to show the way.