Posted by Paul Stamp on March 31, 2008
I've sat through a number of presentations and sessions about security and virtualization in recent times and can't help thinking that people are falling into the old trap of going after the possible rather than the probable.
Most discussions I've seen around security and virtualization center around subtle threats to the hypervisor layer, and whether its possible to jump from one virtual machine to another. Then there are the circular discussions about whether its provably more secure to perform AV and intrusion inspection from inside the virtual machine, or have the host perform all the functions.
All pretty tedious if you ask me. I reckon we've some much bigger problems in a virtual world.
Isn't it more of a problem that in a virtual world its harder to keep track of what business activities happen where? Isn't the patch and vulnerability management process exponentially more complex when you're instantiating and destroying virtual machines left right and center? How do you determine what risks you're introducing if you move a virtual machine from one place to another? How do we track all this and demonstrate it to our friendly auditors when they come a-knocking?
I reckon we need to elevate the level of conversation to talk about the real risk consequences of virtualization, and what it does to the security business model.
Don't get me wrong, we do need to consider these more subtle virtualization threats, but rather than talking about them in isolation, we can incorporate them into wider conversation. This can then include the slew of new deployment, implementationm and licensing options virtualization introduces for security services, and devise a more business oriented way to establish who does what, where, and when for optimal security and cost.