Here's a theme I've been banging around for quite some time as it relates to virtualization, cloud computing and security. I've never really sat down and written about it, however.
As we trend towards consolidating and (re)centralizing our computing platforms -- both endpoints and servers -- using virtualization and cloud computing as enablers to do so, we're also simultaneously dealing with the decentralization and distributed data sets that come with technologies such as Web2.0, mobility and exposure of APIs from cloud platforms.*
So here we are all frothed up as virtualization and cloud computing have, in a sense, led us back to the resource-based consolidation of the mainframe model with all its centralized splendor, and client virtualization/thin clients/compartmentalized remote access is doing the same thing for endpoints.
But the interesting thing is that with Moore's Law, the endpoints are also getting more and more powerful even though we're dumbing them down and trying to make their exposure more limited despite the fact that they can still efficiently process and store data locally.
These models, one could argue, are diametrically opposed when describing how to secure the platforms versus the information that resides on or is utilized by them. As the cyclic waffling between centralized versus distributed continues, the timing of how and where we adapt to securing them always lags behind. Which do we focus on securing and where? The host, centralized server, network?
The unfortunate answer is always "yes."
Remember this (simplified) model of how/where we secure things?
If you juxtapose the image above mentally with how I represent the centralized <--> distributed trends in IT below, it's no wonder we're always behind the curve. The computing model technology changes much more quickly than the security technology and processes do, thus the disconnect:
I need to update the diagram above to split out the "computing" layer into client and server as well as extend the data layer to reference storage modalities also, but it gets the job done.
At any rate, it's probably obvious and common sense, but when explaining to people why I spend my time pointing out gaps with security in virtualization and cloud models, I found this useful.
/Hoff
* It's important to note that while I refer to/group cloud computing models as centralized, I understand they have a distributed element to them, also. I would ask you to think about the multiple cloud overlays as centralized resources, regardless of how intrinsically "distributed" in processing/load balancing they may be.
P.S. I just saw an awesome post titled "The Rise of the Stupid Endpoint" on the vinternals blog that shares many of the same points, although much more eloquently. Check it out here. Awesome!