Virtualization and cloud computing have advanced rapidly despite overarching security concerns. Industry guru and provocateur Chris Hoff predicted a bumpy ride, and some of the vendor and technology fallout, as virtualization deployments spun up -- and lowered costs for some companies -- but security lagged behind. After two years of research and "solid hands-on collaborative work with networking, security and audit practitioners and managers" at enterprises and service providers worldwide, Hoff delivered a landmark presentation on the issues surrounding virtualization security at the Black Hat conference in 2008 that caught people's attention.
Five years later, we are thrilled that he is the author of our November cover story, "Virtualization Security Dynamics Get Old," and is catching us up on the past, present and, perhaps most importantly, future of virtualization, cloud computing and security. Many of the problems he initially outlined remain, but progress is being made, writes Hoff:
"Recently, the impact of cloud computing and 'software-defined everything' has caused some of the brittle constructs that were preventing the adoption of new security models to start to give way to more agile, automated and integrated security offerings."
While issues such as which vendors (traditional or virtualization) are responsible for virtual security have yet to be completely worked out, the developments driving software-defined networking and security may shape careers. CISOs and their security teams need to invest in skill sets that support virtualization, cloud computing, Platform as a Service and application-centric security, advises Hoff, or get left behind.
If Web applications, mobile and other software keep you up at night (and they should), you are in good company. A new slice of the (ISC)² Information Security Global Workforce Study indicates that CXOs rank application security as a top concern, but spend limited time on it. CISOs may not have direct oversight of development teams, says Cigital CTO Gary McGraw, "but they can handle the software security group." This specially constructed group "sits between security and development and only focuses on software security," he says. Robert Richardson explores this issue, as well as the rest of the data, in his article, "Mixed Messages From the Top."
Software security also plays a key role in strategies to raise costs to attackers, as Rob Lemos reports in his article, "Eliminating the Black Hat Bargains." Companies use old desktop applications with out-of-date antivirus software. Many organizations spend an enormous amount of time on patching, yet wait "forever" to address major platform upgrades.
"People have to understand what the exploit development lifecycle looks like," says Dan Guido, chief technology officer of Trail of Bits. "There is a huge cost to attackers when a new platform comes out because it takes time to learn how to exploit it."
Relying on the workforce is also ill-advised, according to Guido. "If you want to fail at the black hat budgeting strategy, then training the user is the way to do it," he says. Instead, writes Lemos, companies should focus on improving their anti-phishing technology and customize it in ways the attackers may not be able to anticipate. "It is better to train one device than your entire workforce," Guido says.
Finally, we do some number crunching this month. Marcus Ranum talks with Verizon's Jay Jacobs to find out more about data collection, sample bias and who is really participating in those industry surveys. Could the VERIS framework, Verizon's set of security metrics for analyzing breach data, offer a future standard for incident reporting in regulated industries?
Our new columnist, Pete Lindstrom, continues his probe of security economics and technology risk management with a closer look at breakeven analysis and return on security investment. "As you make ongoing daily decisions to allocate resources for your security program," he writes, "remember that all of those decisions provide insight into your notion of your minimum valuation of risk being addressed."
Enjoy this issue, and let us know what you think!
About the author:
Kathleen Richards is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.