Mark Gaydos wrote an article called “Ops or Security: Who’s Responsible for Securing Virtualization?” that hints at the virtualization survey results that we will be publishing next week, exploring how organizations are assigning responsibility for securing the virtualized environment. I had a chance to review some of the results yesterday, and I can attest that there are some very, very interesting findings.
But, I’ve promised Mark and team that I would not scoop the article…
In the meantime, I find the whole debate of who owns the responsibility of securing the virtualization environment so familiar. I had to do some digging, but I finally discovered why. It was actually a blog posting I wrote 13 years ago. I’m enclosing an excerpt below:
Who will own 10BASE-T security?
July 1, 1992
The “safe” network vs. the “unsafe” network
As a security professional, I grow increasingly concerned with the advent of the emerging network technology called “Ethernet 10BASE-T.” The flaws of the dominant networking technology now, coaxial 10BASE-2, are well known, as anyone who has accidentally mistaken a 25-ohm resistor for a 50-ohm resistor can attest. However, while exciting, 10BASE-T introduces a whole new set of information security and operational risks. Some of the obvious risks are:
• IT will be able to deploy things faster than ever: less control!
• Emerging network switches include “spanning ports” allowing anyone to sniff network traffic: less confidentiality!
• Point to point connections instead of shared bus: less ability to monitor the network!
• IT can utilize existing phone cabling: networks will show up in places we least expect!
I ultimately believe that 10BASE-T will eventually replace 10BASE-2, and that it will give information security better control. However, in the transition years, there will be a very dangerous period where ownership of the 10BASE-T risks will remain ambiguous.
I am working on my presentation on this, which I hope to present at either Black Hat or Phrack.
Gosh, reading what I wrote 16 years ago, I find myself a little embarrassed. It all sounds so shrill and hysterical to me now! What I’ve learned is that as long as someone in IT management owns the controls, whether it’s IT security or IT operations, and the controls are working, even disruptive technologies can help the business achieve its goals, safely and securely.