About a month ago, Mark Gaydos and Chris Hoff (Security Pros Say VirtSec Is An Operations Problem?) discussed who owned security for the virtualization space. Mark thought that it was interesting that security did not want to own the virtualization space and Hoff added a wrinkle, saying security was never involved in the first place so they had no choice.
I agree with Hoff but I want to add another reason behind the exclusion of security when it comes to securing the virtualized environment: the CFO. VMware does such a great job of selling the ROI of their solution that the CFO sees dancing $$ signs floating in his head. All he can think of is, how fast can I get this stuff out in the datacenter and start to see the great ROI that I was promised? He doesn’t want anything to slow this project down, including security.
Now, I’m not saying the CFO says to exclude security, but I want to highlight that in many cases aggressive time frames are given to roll out the virtualized environment due to the savings a company can realize with this infrastructure. These tight time frames make it hard to bake security in from the beginning so, as Hoff points out, they are now locked out by the VM admins.