By: Mark Gaydos
I’m a big believer that the bell-curve is everywhere and dominates most things… including virtualization security. I was reading Greg Ness’ blog post on the issues surrounding virtualization security and whether vendors and IT groups will be proactive in how they approach the topic. And of course the answer will be ‘yes’ and ‘no’.
After 10 years in IT and 15 years with software vendors, I am positive that security around virtualization will unfold like every other initiative in the datacenter. You are going to have a bell-curve of organizations looking at how security is performed around their virtual environments. A few forward-thinking, strategic companies are already considering what the issues are around virtualization security and how these environments will be integrated with how they manage their physical environments. A larger set of organizations is just trying to get its arms around the risks posed by hypervisors and VM workloads. And inevitably there is a group, significant in size, that has no clue that virtual environments pose unique configuration issues and potential security risks.
So the better question to ask is not whether an organization is going to have a strategy for how they handle virtualization but where on the bell-curve of adoption they are with this strategy. And all they need to do is ask two simple questions to determine this.
The first question is “do they have someone who owns virtualization security?” If the answer is “no”, or if multiple individuals are pointed at, this most likely means that no strategy has been determined and that the organization is in laggard mode when it comes to a virtualization security strategy.
If they do have someone who is responsible, then the second question is “what is the title of that person?” If that person is a manager or below, then you can be fairly certain that although the IT organization has recognized there are issues surrounding virtualization security, they are not treating it in a strategic and integrated fashion. Only when it has cross-functional IT representation at the director level or above can an organization tackle the issue at a strategic level.