Back in April, when apparently virtualization and the securing the mechanics thereof appeared not be that interesting, Art Wittmann wrote a piece in Network Computing titled "
Strategy Session: Server Consolidation: Just Do It"
You may remember that I responded rather vehemently to this article because of a quote that unreasonably marginalized the security impact that virtualization and consolidation have in the data center as well as suggesting that the security "hype" surrounding virtualization was due to "nattering nabobs of negativity" (that would be you and me) who were just being our old obstructionist security selves. Art said:
"While the security threat inherent in virtualization is real, it's also overstated."
Overstated? Here are a couple of other choice quotes from his article:
"That leaves security as the final question. You can bet that everyone who can make a dime on questioning the security of virtualization will be doing so; the drumbeat has started and is increasing in volume.
...which apparently meant that Art was dancing to a different beat, and...
If you can eliminate 10 or 20 servers running outdated versions of NT in favor of a single consolidated pair of servers, the task of securing the environment should be simpler or at least no more complex. If you're considering a server consolidation project, do it. Be mindful of security, but don't be dissuaded by the nattering nabobs of negativity."
I'm not sure Art ever deployed an ESX cluster with virtualized storage and networking, because if he had, I don't think he would suggest that it's "...simpler or at least no more complex."
Furthermore, in terms of security issues of late, I guess that besides the BluePill debacle, evading VM Jails and API exploitation just aren't serious enough glimpses of what is coming down the pike to warrant concern?
Why am I dragging this back up to the surface? Because I am one of those "nattering nabobs" who has spent the last year plus drawing attention to the very issues Art previously suggested were overstated and yet now proudly flies as a badge of honor on the NWC Virtualization Immersion Center Blog with this posting titled (strangely enough) "Taking Virtualization Security Seriously":
Virtualization security has been on the minds of a lot of IT folks lately. There's no doubt that virtualization changes the security game - and because it involves new software - the potential for new exploits exists
While I'm happy to see that Art has softened his tune and admitted that virtualization security is important and is not "overstated" I find it ironic that he, himself, is now dancing to the same drumbeat to which all of those money-hungry vendor scum and nabobers were shuffling along to when we were just hyping this all up...
Now that I've gotten rid of that bitter little pill, I will say that I think that Joe Hernick's (seems to write for Information Week also) article titled "Virtualization Security Heats Up" did a good job of summarizing what I've been writing about for the last year specifically regarding virtualization security, and you should read it...but be warned, you might come away feeling a little less secure.
If you want to replay the most recent articles I wrote regarding virtualization and security, you can check out the listing here. I'm glad that Art and Crew are drawing attention to virtualization and the security ramifications thereof. That's a good thing.