This is how it begins.
Things are going along great, your technology is catching fire in enterprises around the world, your IPO is the hottest thing on Wall Street since Google and everyone is clamoring for a piece of the action. Then, one day you wake up and find out that there are a couple of pesky security flaws in some of your core products and attackers are stumbling over each other looking for ways to exploit the problems. Next thing you know, your products will be the favored pincushions of hackers everywhere, as they poke at the soft underbelly of your code base.
This is the reality facing executives at VMware today. The company's server virtualization technology is one of the current darlings of the industry, drawing praise for its ability to cut hardware and power costs in the data center while giving administrators tight control of the systems. Customers display an almost religious fervor when discussing the capabilities of VMware's ESX Server and the ways in which it has saved them time, manpower and money, which in turn makes them heroes in the executive suite. But as virtualization moves from a niche technology deployed mainly in massive data centers to an enterprise-level platform poised to take on the desktop, and VMware takes its place among the titans of the tech industry, security needs to be more of a priority for the company.
VMware right now is synonymous with virtualization in the way that most marketing execs can only dream of. It is the virtualization equivalent of Xerox or Band-Aid, interchangeable with the technology itself. Virtualization isn't yet as widely deployed as Windows or even Linux, but most analysts and industry observers believe that it's only a matter of time before the technology becomes a part of most enterprise networks, in one form or another. Whether it's on the desktop or the server side, the accepted wisdom seems to be that virtualization is The Next Big Thing. Whether that comes to fruition remains to be seen, but just as Microsoft's focus on security six years ago brought attention to the need for better security across the board, VMware is uniquely positioned to make security an integral part of the virtualization platform.
The problem is that VMware is being rather coy about its security strategy right now. At its VMworld conference in San Francisco earlier this month, company executives brushed aside questions about security, preferring to talk about the new version of ESX Server. All we know is that VMware acquired host intrusion prevention specialists Determina last month and is planning to integrate that company's technology into ESX Server at some indeterminate point in the future.
"Determina fits into our security plans. But our plans in security are not at a point where we would announce anything," VMware CEO Diane Greene told a room full of reporters at the conference.
Obviously, what's important here is whether VMware actually has plans in the works, and not whether they announce them to the media. But they'll have to do better than that if they want to avoid the kind of public customer backlash that Microsoft, Oracle and others have suffered through in recent years. If nothing else, VMware leadership should have taken the opportunity of addressing 10,000 of its customers at VMworld to explain that security is a priority at the company and they're working on new technologies/strategies/whatever to ensure its products are as secure as possible. Instead, company executives were noisily touting VMware ACE and its other desktop products as the cure-all to security issues on client PCs.
Bold words. Such claims tend to come back to haunt the claimants (See: Ellison, Larry re: Unbreakable.), and more often than not goad researchers and attackers into action. Indeed, VMware released a slew of patches just this week to fix flaws across its product line, including ACE and ESX Server. This shows that researchers are beginning to put some effort into finding VMware bugs, but that's likely only the tip of the iceberg. As sure as bank robbers go where the money is, researchers and attackers go where the action (read: high-value targets) is.
Developing a sound security strategy takes time, and it's better to get it as right as possible the first time than to rush out something that's incomplete and unworkable. The good news for VMware and its customers is that the Determina acquisition has not only brought the company some good technology, it's also brought some top-tier security talent, folks who have been through the wars and know what it takes to win the hearts and minds of enterprise IT staffs. Nand Mulchandani, one of the founders of Determina, and before that one of the founders of identity management vendor Oblix, is now heading up the security efforts at VMware, and you can bet that he'll be pushing hard for a comprehensive, meaningful strategy, not just a press release.
It seems likely that VMware will get this right eventually. Greene is talked about as one of the smarter executives in the industry and now that her company is public and under the increased scrutiny that brings with it, she and the rest of the executive team can ill afford to ignore an issue as vital as security. All they need to do is look at Microsoft circa 2001 to see how that strategy works out.