Comments on: Virtualization Security Is Transformational — If the Legacy Security Vendors Would Stop Fighting It http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/ A Member of the Gartner Blog Network Thu, 09 Feb 2012 23:32:29 +0000 hourly 1 http://wordpress.org/?v=3.0.4 By: Neil MacDonald http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-371 Neil MacDonald Wed, 08 Jul 2009 14:15:53 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-371 Agree and Disagree. First - agree that we've been fixated on building walls and locking down devices as a means to the end - protecting workloads and information. Agree that Information must be protected, but the continuity and resiliency of the workloads that process and transform the information must be protected as well -- virtual environment or physical environment (or spanning both). Agree that the mobility of VMs requires security policy enforcement mechanisms that are mobile, including policies protecting the information itself - but I don't believe this replaces the need to protect the workloads that enable users to process and access the information. Translated: firewalls are still relevant, but they too must become virtualized. Agree and Disagree.

First – agree that we’ve been fixated on building walls and locking down devices as a means to the end – protecting workloads and information.

Agree that Information must be protected, but the continuity and resiliency of the workloads that process and transform the information must be protected as well — virtual environment or physical environment (or spanning both).

Agree that the mobility of VMs requires security policy enforcement mechanisms that are mobile, including policies protecting the information itself – but I don’t believe this replaces the need to protect the workloads that enable users to process and access the information. Translated: firewalls are still relevant, but they too must become virtualized.

]]> By: Manu Namboodiri http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-369 Manu Namboodiri Wed, 08 Jul 2009 12:46:47 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-369 (Full disclosure - I work for BitArmor) While I see the value of policies traveling with the virtual devices, I don't think we take it far enough.We have been "stuck" in the zone of protecting devices, perimeters, networks etc as a proxy to protect the valuable asset - the data itself. I think the real value in virtualization security will not be the incremental benefits coming from protecting the moving virtual environment, but the moving data. Especially, considering the fact that virtual environments are inherently shortlived - but the data is the long lived element. This is where the risk becomes even more apparent - why spend all your resources to protect the shortlived virtual elements (which can be brought back up pristine if needed) when you should protect the exposed and long lived element, the data? I believe an information-centric approach of security policies embedded and traveling with the data (and enforcing them wherever the data moves), will become the most important method for data protection in virtual environments.. BTW - love the recaptcha stuff below - more interesting research from CMU :) (Full disclosure – I work for BitArmor)
While I see the value of policies traveling with the virtual devices, I don’t think we take it far enough.We have been “stuck” in the zone of protecting devices, perimeters, networks etc as a proxy to protect the valuable asset – the data itself. I think the real value in virtualization security will not be the incremental benefits coming from protecting the moving virtual environment, but the moving data.

Especially, considering the fact that virtual environments are inherently shortlived – but the data is the long lived element. This is where the risk becomes even more apparent – why spend all your resources to protect the shortlived virtual elements (which can be brought back up pristine if needed) when you should protect the exposed and long lived element, the data?

I believe an information-centric approach of security policies embedded and traveling with the data (and enforcing them wherever the data moves), will become the most important method for data protection in virtual environments..

BTW – love the recaptcha stuff below – more interesting research from CMU :)

]]> By: The 5 Stages of Virtualization Security Vendor Maturity http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-32 The 5 Stages of Virtualization Security Vendor Maturity Fri, 13 Mar 2009 22:41:19 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-32 [...] There are many security vendors that are still in denial, still in stage one and still dragging their feet in delivering virtualization security solutions. [...] [...] There are many security vendors that are still in denial, still in stage one and still dragging their feet in delivering virtualization security solutions. [...]

]]> By: Virtual Appliances are Real http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-26 Virtual Appliances are Real Mon, 09 Mar 2009 12:58:48 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-26 [...] virtualized data center. I have also talked about how most of these virtualized security controls are delivered as “virtual appliances” – essentially a VM containing a preinstalled application service that you download and run on [...] [...] virtualized data center. I have also talked about how most of these virtualized security controls are delivered as “virtual appliances” – essentially a VM containing a preinstalled application service that you download and run on [...]

]]> By: VMware Crosses the Rubicon « ARCHIMEDIUS http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-13 VMware Crosses the Rubicon « ARCHIMEDIUS Sun, 01 Mar 2009 17:10:46 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-13 [...] VP Neil MacDonald summed it up with his recent blog about the traditional security [...] [...] VP Neil MacDonald summed it up with his recent blog about the traditional security [...]

]]> By: VMware Unveils vShield and Raises the Security Bar for all Virtualization Vendors http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-11 VMware Unveils vShield and Raises the Security Bar for all Virtualization Vendors Fri, 27 Feb 2009 16:54:47 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-11 [...] I have discussed from the beginning, the policy enforcement capabilities of information security technologies like firewalls, intrusion [...] [...] I have discussed from the beginning, the policy enforcement capabilities of information security technologies like firewalls, intrusion [...]

]]> By: VMsafe: Cool for Virtualization Security, but no Panacea http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-3 VMsafe: Cool for Virtualization Security, but no Panacea Wed, 18 Feb 2009 23:54:22 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-3 [...] a previous post, I discussed how the legacy security vendors are fighting the move to virtualize – dragging their [...] [...] a previous post, I discussed how the legacy security vendors are fighting the move to virtualize – dragging their [...]

]]> By: Michael http://blogs.gartner.com/neil_macdonald/2009/02/13/virtualization-security-is-transformational-if-the-legacy-security-vendors-would-stop-fighting-it/comment-page-1/#comment-2 Michael Sun, 15 Feb 2009 00:55:12 +0000 http://blogs.gartner.com/neil_macdonald/?p=3#comment-2 (Full disclosure: I am the CTO at Catbird) Neil, great post, you will be a welcome voice in the blogosphere! Commodity virtualization is indeed a transformative technology. Many organizations are deploying virtualization as fast as possible. Many Virtualized IT architects have left security concerns behind. While, most auditors and risk managers have completely failed to understand the magnitude of risk that they are assuming due to reduced IT controls for the availability, integrity, and confidentiality of their data. Whether at Heartland, Citibank or elsewhere, it is only a matter of time before these increased risks result in a breach. For those who do get it, they quickly see that bump in the wire security products that depend on a static geo-location to protect data simply will not work inside a virtualized environment. Even when re-designed to account for virtual machine mobility these devices introduce unacceptable performance and availability risks. Catbird is the leader in providing virtual security solutions. From our inception, we understood the consequences of virtualization: security policy and controls for availability, integrity, and compliance must follow the virtual machine. Catbird TrustZones - has enabled our customers to attach security policies and zones of control to virtual machines and their networks. I think many Enterprise organizations are waiting for their existing security vendor to get serious about virtual security. I wonder what the cost of this wait and wait and see strategy will really be. Meanwhile, I am helping Catbird’s customers achieve the full ROI of their virtual infrastructure investment. I am sure that Altor and Reflex are doing their best to do the same. Michael (Full disclosure: I am the CTO at Catbird)

Neil, great post, you will be a welcome voice in the blogosphere!

Commodity virtualization is indeed a transformative technology. Many organizations are deploying virtualization as fast as possible. Many Virtualized IT architects have left security concerns behind. While, most auditors and risk managers have completely failed to understand the magnitude of risk that they are assuming due to reduced IT controls for the availability, integrity, and confidentiality of their data. Whether at Heartland, Citibank or elsewhere, it is only a matter of time before these increased risks result in a breach.

For those who do get it, they quickly see that bump in the wire security products that depend on a static geo-location to protect data simply will not work inside a virtualized environment. Even when re-designed to account for virtual machine mobility these devices introduce unacceptable performance and availability risks.

Catbird is the leader in providing virtual security solutions. From our inception, we understood the consequences of virtualization: security policy and controls for availability, integrity, and compliance must follow the virtual machine. Catbird TrustZones – has enabled our customers to attach security policies and zones of control to virtual machines and their networks.

I think many Enterprise organizations are waiting for their existing security vendor to get serious about virtual security. I wonder what the cost of this wait and wait and see strategy will really be.

Meanwhile, I am helping Catbird’s customers achieve the full ROI of their virtual infrastructure investment. I am sure that Altor and Reflex are doing their best to do the same.

Michael

]]>