I was reading an article today about VMware announcing a new virtual appliance called VMware vShield Zones. Per the announcement, this will be made available via the virtual datacenter operating system and will allow an organization to apply security policies to user data. While reading this article, I was really wondering whether I want to put too much of my security strategy into the hands of VMware, when I came to an interesting part in the article:
“And even then, a vital question must be answered: Who is ultimately responsible for virtualization security? The answer to this question raises a management issue for the future in a way few other technologies have to date, since the distinctions between the tools and processes used by security professionals, versus those used by virtualization administrators, are not yet completely clear.”
This quote is from Scott Crawford, who is a research director for EMA. I was actually surprised that a security expert is wondering WHO will actually be responsible for security in the virtual world. To me, this is obvious: security should always own the security domain. In my experience, administrators are focused on what they do best, administrating their environments, whether they be an operating system, a network device or a virtual environment. Security is the paranoid group in the corner looking for the unusual and preparing for “what ifs”.
I am not saying that administrators do not care about security, because many of them take measures to put some security into their respective environments; however, their primary responsibility is to manage the environment and make sure it is available for their customers (internal or external). Security is tasked to think about security all day, every day, so by nature they are going to look longer and deeper into security risks than administrators.
I have read several articles in which the question of who owns virtual security is asked, and to me it is ALWAYS security. With that said, I have seen the challenges of this first hand with my customers, because the administrators do not always grant the access that is needed or required by security to properly do their job. That is a separate topic and does not invalidate the fact that security should own the security of the virtualized environment.
If I run a business and I take security seriously (I mean really take it seriously), then do I want someone who occasionally thinks about security or someone who always thinks about it? I may need to get my security professionals up to speed in terms of technology, but I still want them to own the security for my organization. In this regard, the virtual environment is no different than the rest of my IT infrastructure.
I would welcome any and all feedback on this.