Depending on the situation and who you listen to, you can get different answers to this question. This is not the same debate that Simon Crosby (Citrix CTO) and Chris Hoff have been having. This question is aimed at the customer – who cares about virtualization security today and who will care about virtualization security as virtualization adoption grows. Who uses these tools will have an impact on how they are designed, where they integrate and the level of detail.
The virtualization providers would claim that the Virtualization Infrastructure Admin is the owner of security in a virtual world. That might be true in some instances but why is that true? I can see this in a SMB company where the person who is managing the virtual infrastructure is the same person who is in charge of security for those assets. This is probably true today in an environment of a larger company where virtualization has not has not become prevalent in the datacenter. In these types of environments the VI admin may own the security because the virtual deployment in production has not reached a level that has gotten the security owner’s attention.
Or is there a paradigm shift as to how and who manages security? Obviously security is important in a virtual world and this environment creates new challenges, but who owns virtual security in your world and why? As virtualization starts to become more widely used in production, companies will see a shift in how the parts of virtualization are managed but the VI Admin still needs to ensure a secure environment because nothing will slow the adoption of virtualization in the production environment faster than a significant security breach in that environment due to a lack of understanding or tools to ensure that security.
Where does security for the virtualization infrastructure live in your environment? Or does it?