Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

Virtualization Security Is Transformational — If the Legacy Security Vendors Would Stop Fighting It

by Neil MacDonald  |  February 13, 2009  |  8 Comments

Hello and welcome to my blog. I will use this blog as a research tool to explore thoughts and observations on the future of information security and I encourage you to provide feedback as a part of that process. I’ll candidly share my thoughts and I hope you’ll share yours.

This is my first posting, so let me tell you a bit about myself. I’m a Vice President and Gartner Fellow with Gartner’s Information Security research area. I’ve been an analyst with Gartner for 14 years. When I joined Gartner, we didn’t even have a formal information security research practice. We now have more than 25 analysts that cover all aspects of information security. I believe that the research I perform and the recommendations I provide clients are much more valuable within a context of how the future will unfold. As such, much of my research involves forward-looking scenarios in how information security technology will evolve — and how information security professionals must evolve with it. I have developed a vision and scenario for the future of information security which I call Adaptive Security Infrastructure which I presented as a complete story for the first time in several keynotes at our various information security events worldwide in 2008.

My primary areas of passion when it comes to information security are:

  • The evolution of endpoint security beyond antivirus
  • Application security – not only how applications should be developed more securely, but also how applications should be architected to consume security services (such as authentication and authorization)
  • Virtualization security

I’ve been researching virtualization security for several years and published dozens of research notes and presentations on the topic. From my discussions with the established security vendors in physical environments, I can tell you they don’t get it.

Many are clinging to business models based on their overpriced hardware-based solutions and not offering virtualized versions of their solutions. They are afraid of the inevitable disruption (and potential cannibalization) that virtualization will create. However, you and I have real virtualization security needs today and smaller innovative startups have rushed in to fill the gap. And, yes, there are pricing discontinuities. A firewall appliance that costs $25,000 in a physical form can cost $2500 or less in a virtual form from startups like Altor Networks or Reflex Systems.

Feature-wise, the security protection services delivered are similar. But, there is a key difference — throughput. What the legacy security vendors forget is that there is still a role for dedicated hardware. There is no way you are going to get full multi-gigabit line speed deep-packet inspection and protocol decode for intrusion prevention from a virtual appliance. A next-generation data center will need both physical and virtualized security controls — ideally, from a vendor that can provide both. I’ll argue that the move to virtualize security controls will grow the overall use of security controls. The move to virtualize security controls reduces barriers to adoption. Rather than a sprinkle a few physical appliance here and there based on network topology, we can now place controls when and where they are needed, including physical appliances as appropriate. If fact, the legacy vendors have a distinct advantage over virtualization security startups since you prefer a security solution that spans both your physical and virtual environments with consistent management.

Over the past six months, I’ve seen signs of life from the legacy physical security vendors. However, some of the legacy physical security vendors have simply taken the code from their physical appliance and moved it into a virtual machine. This is like wrapping a green-screen terminal application with a web front end — it looks better, but the guts haven’t changed. In a data center where workloads move dynamically between physical servers and between data centers, it makes no sense to link security policy to static attributes such as TCP/IP addresses, MAC addresses or servers. Security policy in a virtualized environment must be tied to logical identities – like identities of VM workloads, identities of application flows and identities of users. When VMs move, policies need to move. This requires more than a mere port of an existing solution, it requires a new mindset.

The legacy vendors need to wake up. If they don’t offer robust virtualization security capabilities (and, yes, potentially cannibalize the sales of some of their hardware), another vendor will. With virtualization projects on the top of the list of IT initiatives for 2009, we can’t continue to limp along without protection. It’s time to vote with our wallets and make support of virtual environments a mandatory part of our security product evaluation and selection.

8 Comments »

Category: Virtualization Security     Tags: ,

8 responses so far ↓

  • 1 Michael   February 14, 2009 at 7:55 pm

    (Full disclosure: I am the CTO at Catbird)

    Neil, great post, you will be a welcome voice in the blogosphere!

    Commodity virtualization is indeed a transformative technology. Many organizations are deploying virtualization as fast as possible. Many Virtualized IT architects have left security concerns behind. While, most auditors and risk managers have completely failed to understand the magnitude of risk that they are assuming due to reduced IT controls for the availability, integrity, and confidentiality of their data. Whether at Heartland, Citibank or elsewhere, it is only a matter of time before these increased risks result in a breach.

    For those who do get it, they quickly see that bump in the wire security products that depend on a static geo-location to protect data simply will not work inside a virtualized environment. Even when re-designed to account for virtual machine mobility these devices introduce unacceptable performance and availability risks.

    Catbird is the leader in providing virtual security solutions. From our inception, we understood the consequences of virtualization: security policy and controls for availability, integrity, and compliance must follow the virtual machine. Catbird TrustZones – has enabled our customers to attach security policies and zones of control to virtual machines and their networks.

    I think many Enterprise organizations are waiting for their existing security vendor to get serious about virtual security. I wonder what the cost of this wait and wait and see strategy will really be.

    Meanwhile, I am helping Catbird’s customers achieve the full ROI of their virtual infrastructure investment. I am sure that Altor and Reflex are doing their best to do the same.

    Michael

  • 2 VMsafe: Cool for Virtualization Security, but no Panacea   February 18, 2009 at 6:54 pm

    [...] a previous post, I discussed how the legacy security vendors are fighting the move to virtualize – dragging their [...]

  • 3 VMware Unveils vShield and Raises the Security Bar for all Virtualization Vendors   February 27, 2009 at 11:54 am

    [...] I have discussed from the beginning, the policy enforcement capabilities of information security technologies like firewalls, intrusion [...]

  • 4 VMware Crosses the Rubicon « ARCHIMEDIUS   March 1, 2009 at 12:10 pm

    [...] VP Neil MacDonald summed it up with his recent blog about the traditional security [...]

  • 5 Virtual Appliances are Real   March 9, 2009 at 7:58 am

    [...] virtualized data center. I have also talked about how most of these virtualized security controls are delivered as “virtual appliances” – essentially a VM containing a preinstalled application service that you download and run on [...]

  • 6 The 5 Stages of Virtualization Security Vendor Maturity   March 13, 2009 at 5:41 pm

    [...] There are many security vendors that are still in denial, still in stage one and still dragging their feet in delivering virtualization security solutions. [...]

  • 7 Manu Namboodiri   July 8, 2009 at 7:46 am

    (Full disclosure – I work for BitArmor)
    While I see the value of policies traveling with the virtual devices, I don’t think we take it far enough.We have been “stuck” in the zone of protecting devices, perimeters, networks etc as a proxy to protect the valuable asset – the data itself. I think the real value in virtualization security will not be the incremental benefits coming from protecting the moving virtual environment, but the moving data.

    Especially, considering the fact that virtual environments are inherently shortlived – but the data is the long lived element. This is where the risk becomes even more apparent – why spend all your resources to protect the shortlived virtual elements (which can be brought back up pristine if needed) when you should protect the exposed and long lived element, the data?

    I believe an information-centric approach of security policies embedded and traveling with the data (and enforcing them wherever the data moves), will become the most important method for data protection in virtual environments..

    BTW – love the recaptcha stuff below – more interesting research from CMU :)

  • 8 Neil MacDonald   July 8, 2009 at 9:15 am

    Agree and Disagree.

    First – agree that we’ve been fixated on building walls and locking down devices as a means to the end – protecting workloads and information.

    Agree that Information must be protected, but the continuity and resiliency of the workloads that process and transform the information must be protected as well — virtual environment or physical environment (or spanning both).

    Agree that the mobility of VMs requires security policy enforcement mechanisms that are mobile, including policies protecting the information itself – but I don’t believe this replaces the need to protect the workloads that enable users to process and access the information. Translated: firewalls are still relevant, but they too must become virtualized.