Mark Gaydos from Tripwire's blog wrote an interesting article titled "Ops or Security: Who’s Responsible for Securing Virtualization?" The outcome is pretty much inline with my prior points that the biggest challenges we have in virtualization are operational and organizational rather than technical.
To wit, I quoteth from Mark's post:
Tripwire recently performed a 25 question survey on virtualization security. Respondents broke down 78%/22% between management and administrator/staff respectively. We will be publishing a report around this survey in the next two weeks.
However, one of the interesting points that came out of the survey was that respondents feel that the operations team is responsible for securing a virtualized environment (almost two thirds of the respondents felt this way). This includes over half of the actual “security” personnel who took the survey who feel operations has this responsibility.
That’s right! Over half of the people covering security who responded to the survey said operations needs to secure virtual systems and not them.
My question is why? Does security not want to deal with virtualization? Do personnel feel that operations is closer to virtualization and they understand the issues? Does security just want to wash their hands of the issue? Or is management just leaning towards having operations handle everything around virtualization?
However, I wonder how much Mark read into the security personnel's answers inasmuch as he suggests that they do "...not want to deal with virtualization" versus perhaps the fact that they don't actually have the visibility or access to the tools to do so!*
Responsibility and desire are two very different things!
Managing the "security" of virtualized environments today really centers around the deployment of virtual appliances and the configuration of the vSwitches. That means in a VMware environment, you have to have access and rights via VirtualCenter. The same is true of Xen derivatives: if you don't have access to configure and provision the networking and the VMs, you're done.
Security in virtualized environments today is often, quite literally, thought of as a checkbox or two in a GUI somewhere. (All things considered, it would be great to be able to realize that one day...)
Just as security folks have locked server and network admins out of *their* firewalls and IPSs, and as network folks have done the same with *their* routers and switches, virtual SysAdmins have done the same with *their* virtual server environments. If you don't have access to the VM command and control, you can't manage the security bits and pieces bolted onto it.
I don't think it's that the security folks *want* to surrender the responsibility, I think it's that they never had it in the first place the moment the V-word entered the picture.
It ain't rocket science. It ain't voodoo. It ain't a tectonic buck-passing conspiracy. It's access, separation of duties (by force), visibility and capability, plain and simple.
/Hoff
*Update: Per Amrit's excellent comments, I look forward to Tripwire releasing the report to gain clarity on the question(s) asked, as it begs the point of whether the answers Mark refers to were in regard to the mechanical operationalization of security (the "doing" part) or the policy, strategy, audit and monitoring tasks. Are we talking about "security management" in general or "security operations?"
In either circumstance the "security" team is -- based upon my observation from feedback -- being left out of both.