
December 27, 2008

Virtualization? So last Tuesday.

This post contains nothing particularly insightful other than a pronounced giant sucking sound that's left a vacuum in terms of forward motion regarding security and virtualization.

Why?

Three things:
  1. There's an awful lot of focus moving from the (cough) mature space of server virtualization to the myriad of options and solutions on client virtualization as we're seeing the transition of where we focus our efforts swing again.  

    We're in the throes of yet another "great awakening" where some of us realize that (gasp!) it's the information we ought to secure and that the platforms themselves are insecure and should be treated as such.  However, we've got so much security invested in the network and servers that we play ping-pong between securing them, bypassing the crown jewels.

    Virtualization has just reinforced that behavior and as we take stock of where we are in (not) securing these vectors looking for the next silver bullet, we knee-jerk back to the conduit through which the user interacts with our precious data: the client.

    The client, it seems, is the focus yet again, driven mostly by economics.  It's interesting to note that even though the theme of RSA this last go-round was "Information Centricity"  someone didn't get the memo. 

    Check out this graphic from my post a ways back titled "Security Will Not End Up In the Network..." for why this behavior is not only normal but will unfortunately lead us to always focus on the grass which turns out not to be greener on the other side.  I suppose I should really break out the "host" into server and client, accordingly:

    [Image: Youarehere_3]

    Further, and rightfully so, the accelerated convergence of storage and networking thanks to virtualization is causing heads to a-splode in ways that cause security to be nothing more than a shrug and a prayer.  What it means to "secure the cloud" is akin to pissing in the wind at the moment.  Hey, if you've got to go, you've got to go...

  2. ISV's are in what amounts to a holding platform waiting for VDCOS, VI4, vSphere with vNetworking and the VMsafe API's to be released so they can unleash their next round of security software appliances to tackle the problems highlighted in my Four Horsemen of the Virtualization Security Apocalypse series.  For platforms other than VMware, we've seen bupkis as it relates to innovation of VirtSec.  
  3. The "Cloud" has assimilated us all and combined with the stalling function above, has left us waffling in ambivalence.  The industry is so caught up in the momentum of this new promised revenue land that the blinding opportunity combined with a lack of standards and a slew of new business and technology models means that innovation is being driven primarily by startups while existing brands jockey to retool.

It's messy.  It's going to get messier, but the good news is that it's a really exciting time.  We're going to see old friends like IAM, IDP, VPNs, and good old fashioned routing and switching tart themselves up, hike up the hemlines and start trolling for dates again as virtualization 2.x, VirtSec and Cloud/Cloud Security make all the problems we haven't solved (but know we need to) relevant and pressing once again.

All those SysAdmin and NetAdmin skills you started with before you became a "security professional" will really help in sorting through all this mud.

There exist lots of opportunities to make both evolutionary and revolutionary advancements in solving many of the problems we've been suffering from for decades.  Let's work to press forward and not lose sight of where we're going and more importantly from whence we've come.

/Hoff


  


Disclaimer

  • The views and opinions expressed here are those of Christofer Hoff only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
