A few months ago, Pete Lindstrom shot me over the draft of a Burton paper on virtualization security. We sputtered back and forth at one another, I called him names, and then we had beer later.
The title of the paper was the "Five Immutable Laws of Virtualization Security."
I must admit, I reacted to what he sent me in a combinational fit of puzzlement and apathy. I really couldn't put my finger on why. Was it the "not invented here syndrome?" I didn't think so. So what was it that made me react the way I did?
I think that over time I've come to the conclusion that to me, these aren't so much "immutable laws" but more so derivative abstractions of common sense that left me wondering what all the fuss was about.
Pete posted the five laws on his blog today. A more detailed set of explanations can be found on the Burton blog here.
I dare you to read through these without having to re-read each of them multiple times and then re-read them in cascading sequence since (hint) they are recursive:
Law 1: Attacks against the OS and applications of a physical system have the exact same damage potential against a duplicate virtual system.
Law 2: A VM has higher risk than its counterpart physical system that is running the exact same OS and applications and is configured identically.
Law 3: VMs can be more secure than related physical systems providing the same functional service to an organization when they separate functionality and content that are combined on a physical system.
Law 4: A set of VMs aggregated on the same physical system can only be made more secure than its physical, separate counterparts by modifying the configurations of the VMs to offset the increased risk introduced by the hypervisor.
Law 5: A system containing a "trusted" VM on an "untrusted" host has a higher risk level than a system containing a "trusted" host with an "untrusted" VM.
Ultimately, I'd suggest that for the most part, these "observations" are correct, if not oversimplified in a couple of spots. But again, I'm left with the overall reaction of "so what?"
Pete even mentions the various reactions he's been getting:
I have been getting interesting reactions to these. Some say they are wrong. Some say they are common sense. Some just don't like the word "immutable." I think they serve to clarify some of the confusion that comes up when discussing virtualization by applying fairly straightforward risk management principles.
I want to believe that somehow these "laws" will enable some sort of actionable epiphany that will magically allow me to make my virtualized systems more secure, but I'm left scratching my head regarding who the audience for this was.
I don't think it clarifies any "confusion" regarding risk and virtualization and I'm puzzled that Burton suggests that these "laws" will enlighten anyone and dispel any confusion relating to whether or not deploying virtualization is more or less risky than not deploying virtualization:
In reality, we can apply traditional security practices to virtualization to determine whether risk increases or decreases with new virtualization architectures. It shouldn't be surprising that the increase or decrease in risk is predicated on the current architecture. Here are five laws to live by when evaluating your virtualization architectures.
...
When combining the standard risk principles with an understanding of the use cases of virtualization, a set of immutable laws can be derived to assist in securing virtual environments.
So, I'm with the "common sense" crowd since most of these "laws" have been discussed -- and some practical advice to go along with them -- for quite some time before the "Burton Tablets" came down from the mountain.
So I don't disagree, but I'm reminded of a couple of good lines from a bad movie wherein the nasty knight says to the good knight "you've been weighed, measured and found wanting..."
So, there we are. My $0.02. I think I'll add a slide or two about this at the virtualization forum next month...
/Hoff