By: Mark Gaydos

Tripwire recently performed a 25-question survey on virtualization security. Respondents broke down 78%/22% between management and administrator/staff respectively. We will be publishing a report around this survey in the next two weeks. However, one of the interesting points that came out of the survey was that respondents feel that the operations team is responsible for securing a virtualized environment (almost two thirds of the respondents felt this way). This includes over half of the actual “security” personnel who took the survey, who feel operations has this responsibility. That’s right! Over half of the people covering security who responded to the survey said operations needs to secure virtual systems and not them.

My question is why? Does security not want to deal with virtualization? Do personnel feel that operations is closer to virtualization and they understand the issues? Does security just want to wash their hands of the issue? Or is management just leaning towards having operations handle everything around virtualization?

If you have thoughts or are interested in seeing the final report, please drop me a comment.

Update: Chris Hoff replied to this posting stating that “However, I wonder how much Mark read into the security personnel’s answers inasmuch as he suggests that they do “…not want to deal with virtualization” versus perhaps the fact that they don’t actually have the visibility or access to the tools to do so!” I absolutely agree with Chris that they may lack the visibility and/or tools to manage a virtual environment and no doubt HIS is the pragmatic answer. Yet, it seems in some ways that security is “washing their hands” of the whole situation. If there is some type of security breach or negative event in a virtualized environment, will security be able to say “not my table”? Will the CIO look at the security team and say “ok, ensure the security of the organization but those boxes over there, those virtual ones, leave them alone because they are full of mystery and magic”? As I said, I agree with Chris that the way it works today, operations is probably calling the shots, but I wonder if that will hold. Seems that ops has a whole set of skills and orientation that is very different than a security team. I guess time will tell.