Hello and welcome to my blog. I will use this blog as a research tool to explore thoughts and observations on the future of information security and I encourage you to provide feedback as a part of that process. I’ll candidly share my thoughts and I hope you’ll share yours.
This is my first posting, so let me tell you a bit about myself. I’m a Vice President and Gartner Fellow with Gartner’s Information Security research area. I’ve been an analyst with Gartner for 14 years. When I joined Gartner, we didn’t even have a formal information security research practice. We now have more than 25 analysts that cover all aspects of information security. I believe that the research I perform and the recommendations I provide clients are much more valuable within a context of how the future will unfold. As such, much of my research involves forward-looking scenarios in how information security technology will evolve — and how information security professionals must evolve with it. I have developed a vision and scenario for the future of information security which I call Adaptive Security Infrastructure which I presented as a complete story for the first time in several keynotes at our various information security events worldwide in 2008.
My primary areas of passion when it comes to information security are:
- The evolution of endpoint security beyond antivirus
- Application security – not only how applications should be developed more securely, but also how applications should be architected to consume security services (such as authentication and authorization)
- Virtualization security
I’ve been researching virtualization security for several years and published dozens of research notes and presentations on the topic. From my discussions with the established security vendors in physical environments, I can tell you they don’t get it.
Many are clinging to business models based on their overpriced hardware-based solutions and not offering virtualized versions of their solutions. They are afraid of the inevitable disruption (and potential cannibalization) that virtualization will create. However, you and I have real virtualization security needs today and smaller innovative startups have rushed in to fill the gap. And, yes, there are pricing discontinuities. A firewall appliance that costs $25,000 in a physical form can cost $2500 or less in a virtual form from startups like Altor Networks or Reflex Systems.
Feature-wise, the security protection services delivered are similar. But, there is a key difference — throughput. What the legacy security vendors forget is that there is still a role for dedicated hardware. There is no way you are going to get full multi-gigabit line speed deep-packet inspection and protocol decode for intrusion prevention from a virtual appliance. A next-generation data center will need both physical and virtualized security controls — ideally, from a vendor that can provide both. I’ll argue that the move to virtualize security controls will grow the overall use of security controls. The move to virtualize security controls reduces barriers to adoption. Rather than sprinkling a few physical appliances here and there based on network topology, we can now place controls when and where they are needed, including physical appliances as appropriate. In fact, the legacy vendors have a distinct advantage over virtualization security startups since you prefer a security solution that spans both your physical and virtual environments with consistent management.
Over the past six months, I’ve seen signs of life from the legacy physical security vendors. However, some of the legacy physical security vendors have simply taken the code from their physical appliance and moved it into a virtual machine. This is like wrapping a green-screen terminal application with a web front end — it looks better, but the guts haven’t changed. In a data center where workloads move dynamically between physical servers and between data centers, it makes no sense to link security policy to static attributes such as TCP/IP addresses, MAC addresses or servers. Security policy in a virtualized environment must be tied to logical identities – like identities of VM workloads, identities of application flows and identities of users. When VMs move, policies need to move. This requires more than a mere port of an existing solution; it requires a new mindset.
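To make the "policies must follow the VM" point concrete, here is a small added example (my own Python toy model, not code from the post or from any vendor mentioned in it). It contrasts a rule set keyed on IP addresses with one keyed on workload identity, then simulates a live migration that changes a VM's address. All VM IDs, roles, addresses and host names are constructed for the illustration. It also goes one step beyond the text: after the migration, an unrelated VM is given the old address, which shows how an IP-bound rule left behind becomes a stale over-permission rather than just a broken allow.

```python
"""Constructed toy model: IP-bound vs identity-bound policy under VM migration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Workload:
    vm_id: str  # stable logical identity (e.g. a VM UUID); survives migration
    role: str   # logical role such as "web" or "db"; also survives migration
    ip: str     # network attribute that can change when the VM lands elsewhere
    host: str   # physical server currently running the VM


class IpBoundPolicy:
    """Legacy-appliance style: allow rules keyed on static network attributes."""

    def __init__(self) -> None:
        self.rules: set[tuple[str, str, int]] = set()

    def allow(self, src_ip: str, dst_ip: str, port: int) -> None:
        self.rules.add((src_ip, dst_ip, port))

    def permits(self, src: Workload, dst: Workload, port: int) -> bool:
        # Matching looks only at the packet-level attributes of the endpoints.
        return (src.ip, dst.ip, port) in self.rules


class IdentityBoundPolicy:
    """Virtualization-aware style: allow rules keyed on workload identity."""

    def __init__(self) -> None:
        self.rules: set[tuple[str, str, int]] = set()

    def allow(self, src_role: str, dst_role: str, port: int) -> None:
        self.rules.add((src_role, dst_role, port))

    def permits(self, src: Workload, dst: Workload, port: int) -> bool:
        # Matching resolves each endpoint to its logical role; the IP is irrelevant.
        return (src.role, dst.role, port) in self.rules


def migrate(vm: Workload, new_host: str, new_ip: str) -> Workload:
    """Simulate a live migration onto another host and subnet (constructed)."""
    vm.host = new_host
    vm.ip = new_ip
    return vm


def run_scenario() -> dict[str, bool]:
    """Return what each policy style decides before and after a migration."""
    web = Workload("vm-1111", "web", "10.0.1.10", "esx-a")
    db = Workload("vm-2222", "db", "10.0.1.20", "esx-a")

    ip_policy = IpBoundPolicy()
    ip_policy.allow(web.ip, db.ip, 3306)            # "10.0.1.10 -> 10.0.1.20:3306"
    id_policy = IdentityBoundPolicy()
    id_policy.allow("web", "db", 3306)              # "web workloads -> db workloads:3306"

    results = {
        "ip_before": ip_policy.permits(web, db, 3306),
        "id_before": id_policy.permits(web, db, 3306),
    }

    # The database VM moves to another host and picks up an address on a new subnet.
    migrate(db, "esx-b", "10.0.2.20")
    results["ip_after"] = ip_policy.permits(web, db, 3306)  # rule still names the old IP
    results["id_after"] = id_policy.permits(web, db, 3306)  # identity unchanged, rule follows

    # Later, an unrelated workload is handed the address the database used to have.
    stranger = Workload("vm-3333", "batch", "10.0.1.20", "esx-a")
    results["ip_stale_leak"] = ip_policy.permits(web, stranger, 3306)  # stale allow applies
    results["id_stale_leak"] = id_policy.permits(web, stranger, 3306)  # no "web -> batch" rule
    return results


if __name__ == "__main__":
    for check, decision in run_scenario().items():
        print(f"{check:14s} {'ALLOW' if decision else 'DENY'}")
```

The two failure modes show up as the last four results: the IP-bound policy both breaks the legitimate web-to-database flow after the move and keeps allowing traffic to whichever workload inherits the old address, while the identity-bound policy does neither. In a real deployment the "role" would come from the virtualization platform's inventory or an attestable workload identity rather than a hand-typed string; the lookup is the part that has to be rebuilt, not just ported.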
The legacy vendors need to wake up. If they don’t offer robust virtualization security capabilities (and, yes, potentially cannibalize the sales of some of their hardware), another vendor will. With virtualization projects on the top of the list of IT initiatives for 2009, we can’t continue to limp along without protection. It’s time to vote with our wallets and make support of virtual environments a mandatory part of our security product evaluation and selection.