How can you secure a buzzword?

Chris Hoff says before virtualization and cloud computing can be secure, we have to understand what they mean.

Chris Hoff, chief security architect for the systems and technology division at Unisys Corp. and an adviser on the Skybox Security customer advisory board, is one of the biggest critics of virtualization security out there. Not because it isn't important, but rather because it is vital and needs to mature rapidly.

Here, Hoff explains how a lack of real understanding of virtualization makes it very difficult to secure the technology.

Where do you see the biggest virtualization security holes in 2009? Unfortunately, it remains a cloudy issue. When you look at how people think of virtualization and what it means, the definition of virtualization is either very narrow -- that it's about server consolidation, virtualizing your applications and operating systems and consolidating everything down to fewer physical boxes. Or it's about any number of other elements -- client-side desktops, storage, networks, security. Depending on who you are and where you are, the definition of what's coming in the virtualization world means a lot of different things to a lot of different people. Then you add to the confusion with the concept of cloud computing, which is being pushed by Microsoft and a number of smaller, emerging companies. You're left scratching your head wondering what this means to you as a company. How does it impact your infrastructure? It's very confusing.

And this confusion feeds into the larger security dangers? Sure. You really have to frame the virtualization discussion around three elements: The first is to talk about securing virtualization. Once you have multiple virtualization platforms, you have to look at what it does to your architecture, your people processes and how to make sure it's all secure. Next, the discussion has to be about virtualizing security. The first was securing virtualization, the second is virtualizing security -- understanding the impact on people, process and architecture. How do I take what I already have today and use what works and what makes sense, and then understand what the security landscape looks like among the vendors I have and those I'm looking at. The third thing is ultimately security through virtualization, using virtualization to actually achieve better security. If you break the discussion into those three parts, you're better off. All the discussions need to be conducted through the concept of what the business is and where the highest risks are found. Unless you understand all these things, it's just a giant hamster wheel of pain.

How are the IT vendors doing at offering guidance on this issue? They're doing a very poor job. The first opportunity from a marketing and sales perspective is that it's about creating buzzwords and selling new technology. Until the security technology is more integrated as opposed to bolt-on, the vendors are just doing the best they can with what they have, to suggest they are relevant. From a leadership perspective, you see virtualization vendors at one end of the extreme or the other, you should trust this platform, it's the most secure, etc. In a way they have to be simplistic because it's complex and it's difficult to put holistic guidelines around it. The solution involves far more than bolt-on technology.

In your blog, you recently told people to shut up about securing the cloud because there's no such thing as cloud security. Can you repeat the gist of it here? This love affair with abusing the amorphous thing called THE Cloud is rapidly approaching meteoric levels of asininity. There is no singularity that can be described as THE Cloud. There are many clouds, they're not federated, they don't natively interoperate at the application layer, and they're all mostly proprietary in their platform and operation. They're also not all "public" and most don't exchange data in any form. The notion that we're all running out to put our content and apps in some common repository on someone else's infrastructure (or will) is [bull]. Can we stop selling this lemon already? The current fad of butchering the term Cloud Computing to bring sexy back to the *aaS (anything as a service) model is embarrassing. Infrastructure Gorillas are clouding the issue by suggesting their technology represents THE virtual data center OS. Microsoft, Citrix, VMware, Cisco. They all say the same thing using different words. Each of them claim ownership as the platform/OS upon which THE cloud will operate. Not one of them has a consistent model of securing their own vDCOS, so don't start on how we're going to secure IT. Cloud computing is real. THE Cloud? Not so much.

Do you see any prospects for improvement in the coming year, one or more potential developments that can put us on the right path with virtualization security? Oh, sure. In the security space, the who's who of security are retooling their applications to take advantage of VMware's vNetwork/VMsafe APIs. You name it -- Check Point, Symantec, McAfee, Trend Micro -- they're all working on tighter, better integration. Operationally and technically, there is a lot more integration and tightening going on. One recent example of that integration was VMware acquiring Blue Lane Technologies, the maker of solutions that protect both physical and logical infrastructure, including ServerShield and VirtualShield. The company has of late focused wisely on the latter, which provides application-aware firewalling, inter-VM flow visibility and analytics, application policy control, and intrusion-prevention capabilities. Coupled with the introspection capabilities provided by VMware's vNetwork/VMsafe API's natively, the integration of Blue Lane's solution sets will add to the basal capabilities of the platform itself and will allow customers the flexibility to construct more secure virtualized operating environments. I think it's actually an excellent move as it continues on the path of not only helping to ensure that the underlying virtualization platform is more secure, but the elements that ride atop on it are equally security enabled also.

This story, "How can you secure a buzzword?" was originally published by CSO.

Copyright © 2008 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon