
Depending on the situation and who you listen to, you can get different answers to this question. This is not the same debate that Simon Crosby (Citrix CTO) and Chris Hoff have been having. This question is aimed at the customer – who cares about virtualization security today and who will care about virtualization security as virtualization adoption grows. Who uses these tools will have an impact on how they are designed, where they integrate and the level of detail.

The virtualization providers would claim that the Virtualization Infrastructure Admin is the owner of security in a virtual world. That might be true in some instances, but why is that true? I can see this in an SMB company where the person who is managing the virtual infrastructure is the same person who is in charge of security for those assets. This is probably also true today in a larger company where virtualization has not become prevalent in the datacenter. In these types of environments the VI admin may own the security because the virtual deployment in production has not reached a level that has gotten the security owner's attention.

Or is there a paradigm shift as to how and who manages security? Obviously security is important in a virtual world and this environment creates new challenges, but who owns virtual security in your world and why? As virtualization starts to become more widely used in production, companies will see a shift in how the parts of virtualization are managed. The VI Admin still needs to ensure a secure environment, though, because nothing will slow the adoption of virtualization in production faster than a significant security breach in that environment caused by a lack of understanding or a lack of tools to ensure that security.

Where does security for the virtualization infrastructure live in your environment? Or does it?

  • You're right inasmuch as it's not the same debate I've been having with Simon, but it's related because where and how security is instantiated has a direct impact upon how it's operationalized and who turns the knobs and flicks the switches.

    I've made the point that the biggest issue we have today with virtualization is organizational and operational and NOT technical. The technology (on a sliding scale) will catch up to a point, and then we'll have another burst of disruptive innovation that will "change everything" and at the same time change nothing.

    It's groundhog day. What's old is new again…

    To that point, your bifurcation of the operational environment between SMB and larger organizations is accurate; given the exposure of what the virtualization platform providers currently offer us as to how we manage security, the VI admins hold the keys to the kingdom in many cases.

    Watch what happens when we see the maturity of technologies such as VMware's VMsafe provide the visibility, networking and security management hooks we don't have today…the security teams will become more prominent because they will have the ability to be!

    It's a frequency shift, not a paradigm shift; as the technology catches up, some operational elements of how security is operationalized will go back to the network and security folks and ultimately some portion will transition back to the server admins, ad infinitum.

    /Hoff