The exploding popularity of virtualization has apparently created virtual realities. In one reality, the VM vendor builds security into its own products but disregards vulnerabilities that are introduced by the VM's interaction with other software. In another, alternate reality, VM vendors take responsibility for their product's overall security, including the bad things that might happen when other software is put on top of it.
In a virtualized IT environment, who is responsible for security? The question has divided pundits into fundamentalist factions. For a taste of the debate, look no farther than the war of words between Simon Crosby at Citrix, a virtualization software vendor, and Chris Hoff, Chief Security Architect at Unisys. Crosby argues that every vendor is responsible for their own products, not others'. Citrix will take care that its Xen VM is protected, but someone else had better be minding that the operating system's touchpoints with the VM don't introduce vulnerabilities.
Hoff, on the other hand, points out that putting security responsibility on each software vendor ignores the fact that virtualization, or any complex new technology, will introduce new vulnerabilities: Windows 2000 was introduced with over 20K defects. Software in general is on a trajectory of escalating complexity, spawning more interfaces, metaphors, standards, protocols, products, <insert your favorite software characteristic here>. Throwing in a VM just opens another door to an exploit.
Personally, I fall into Hoff's camp. But for a balanced, level-headed viewpoint, read William Jackson's story in Government Computer News. It takes the Crosby-Hoff debate down to its essence. So who owns security? It depends on your reality.
Monday, July 14, 2008