Thanks to Alan Shimel and his pre-Blackhat Security Bloggers Network commentary, a bunch of interesting folks are commenting on the topic of virtualization security (VirtSec) which is the focus of my preso at Blackhat this year.
Mike Rothman did his part this morning by writing up a thought-provoking piece opining on the lack of a near-term market for VirtSec solutions:
So I'm not going to talk about technical stuff. Yet, I do feel compelled to draw the conclusion that despite the dangers, it doesn't matter. All the folks that are trying to make VirtSec into a market are basically just pushing on a rope.
That's right. No matter how hard you push (or how many blog postings you write), you are not going to make VirtSec into a market for at least 2 years. And that is being pretty optimistic. So for all those VCs that are thinking they've jumped onto the next big security opportunity, I hope your partnership will allow you to be patient.
Again, it's not because the risks of virtualization aren't real. If guys like Hoff and Thomas say they are, then I tend to believe them. But Mr. Market doesn't care what smart guys say. Mr. Market cares about budget cycles and priorities and political affiliations, and none of these lead me to believe that VirtSec revenues are going to accelerate anytime soon.
Firstly, almost all markets take a couple of years to fully develop and mature and VirtSec is no different. Nobody said that VirtSec will violate the laws of physics, but it's also a very hot topic and consumers/adopters are recognizing that security is a piece of the puzzle that is missing.
In many cases this is because virtualization platform providers have simply marketed virtualization as being "as secure" or "more secure" than their physical counterparts. This, combined with the rapid adoption of virtualization, has caused a knee-jerk reaction.
By the way, this is completely par for the course in our industry. If you act surprised, you deserve an Emmy ;)
Secondly, and most importantly to me, Mike did me a bit of a disservice by intimating that my pushing the issues regarding VirtSec is focused solely on the technical. Sadly, that's so far off base from my "fair and balanced" perspective on the matter because along with the technical issues, I constantly drum home the following:
- The biggest challenge we have with virtualization in the short term (the next couple of years -- the same timeframe Mike suggests VirtSec will take to percolate) is operational and organizational, and not technical.
You can find recent postings on that topic in posts such as "Security Pros Say VirtSec Is An Operations Problem?" and "The Challenge of Virtualization Security: Organizational and Operational, NOT Technical".
- Along with the organizational and operational issues comes the need for visibility and visualization of what is going on within these virtual environments.
You can find my latest entry on this (posted early today, actually) in my entry titled Visualization Through Virtualization...
"Nobody Puts Baby In the Corner"
Painting only one of the legs of the stool as my sole argument isn't accurate and doesn't portray what I have been talking about for some time -- and what I agree with Mike about -- that these challenges are more than one-dimensional.
The reality is that Mike is right -- the budget, priority and politics will bracket VirtSec's adoption, but only if you think of VirtSec as a technical problem.
Is VirtSec a market? My opinion: it's an instantiation of technology, practice and operational adjustment brought forth as a derivative of a disruptive technology and prevailing market conditions.
Does that mean it's a feature as opposed to a market? No. In my opinion, it's an evolution of an existing market, rife with existing solutions and punctuated by emerging ones.
The next stop is how "security" will evolve from VirtSec to CloudSec...
/Hoff