I was just reading George Hulme’s article, “Securing Virtualization, Or Is That Virtualizing Security?” which discusses his reaction to the sessions he saw at BlackHat about virtualization security. In particular, he focuses on his reactions to Chris Hoff’s “The Four Horsemen of the Virtualization Security Apocalypse” session.
“What I did walk away from the presentation understanding is that it’s dangerous to rush your virtualization efforts from the lab and testing environments to core production systems. And that highly agile and dynamic environments are possible today, and will be even easier to attain (as toolsets mature) in the near future.”
I think this sums up the tug of war I see in a lot of organizations about virtualization – they want to move ahead quickly to get the huge value that virtualization promises (and can deliver) but they end up taking shortcuts along the way.
These shortcuts inevitably lead to the deployment of insecure virtual infrastructure, or enterprises who deploy infrastructure ahead of their ability to manage it. This is not a new phenomenon, but that doesn’t mean you shouldn’t try to learn from it. How? Shift your perspective.
One of the things Hulme mentions is the promise of “agile and dynamic environments.” I have heard that as a desired outcome from many IT organizations, but I challenge that as a compellng value proposition.
Sure, customers want “agile and dynamic” but they also want “safe and reliable.” But remember – the highest value is when these things are achieved together, and they don’t happen together without planning, coordination, and controls.
The bottom line? Stop focusing so much on the inherent risk of virtualization (or any technology, for that matter) and start focusing on what you can do to mitigate, manage, and monitor the risk.