Who should secure virtual IT environments? (Part 2)
Date: May 04, 2009
Security blogger Chris Hoff and Citrix CTO Simon Crosby discuss whether security companies or virtualization vendors should be responsible for the security of virtual environments. In part two of the discussion, Crosby and Hoff talk about how the industry is challenged by vendor proprietary interests despite the desire by customers for highly automated environments.
Part 1: Who should be responsible for the security of virtual environments?
Part 2: Who should secure virtual IT environments?
Simon Crosby: There's one thing that's important to return to because it's, in
general, spoken of a lot, which is this concept of the next generation data
center OS. And the security people have always focused on the security of
OS as the host of an app. Let me tell you a couple of things I'm sure of.
One, we still can't forget about an OS, and that's just one thing running
on one server. And that was hard. So, we certainly haven't figured out for
a next-generation datacenter OS. Moreover, if that thing were to exist
absent some very well-defined industry standardized notions of how security
functions and policies plug in a standardized way, it's never going to
exist because the IT infrastructure is fundamentally a multi-vendor place.
And this next-generation datacenter OS is going to have to orchestrate all
of those different vendors' stuff. So, the conversation around how you
secure that, how you should plug the vendors' stuff into it, how you
standardize the notions of policy and various other things has to be had.
And that's a very important conversation for the security industry as a whole
to start to have. It challenges us because we have to cross vendor
boundaries at that point. And so, here's what you see. You see a tendency
which is a huge desire on the part of the customers to go to more highly
automated environment, more internal cloud-like, or whatever you want to
call it, but it's inherently challenged by vendor proprietary interests,
which dictate that people don't want to open up those interfaces and don't
want to have that industry-wide conversation, which remains that enterprise
customers will still be stuck with bastions of proprietary stuff, which
won't be secure. So, it sort of stands in the way of the whole objective of
getting towards greater automation.
Chris Hoff: So, the automation, governance, orchestration, those are
incredibly difficult things to do across a heterogeneous environment,
right? So, I made the point previously that trying to facilitate even the
basic amounts of provisioning across switches and routers and servers and
operating systems today without virtualization, is hard enough.
Virtualization could be interpreted as making that easier, or making it
more difficult, depending upon how you integrate and whose solutions you
integrate. So, I think the point that Simon is alluding to is that we have a
very siloed approach towards what security means by definition. We have a
network perspective, we have the host perspective, we have the operating
system itself from the perspective, we have the information center
perspective, we have user-centered perspective, we have application-
centered perspective, and we kind of flip across this hamster sine wave of
pain, as I call it. In terms of how we invest, we chase the various
problems that react to the threat curve. So there are all these
intersecting interests that happen when we deal with defining security. And
so, in the long term, if I was a betting man, virtualization has
essentially just either made it easier or more difficult, depending on
which side of the line you stand on, to get to the point that this
automation can be delivered. And in many cases, people look at, you've
noticed the byline of achieving 100% automation is dependent upon in many
cases becoming 100% virtualized. I don't know any environments that are not going to be So that, in and of itself, needs to be dealt with, as it relates to the emergence of
standards, and openness and extensibility. Those are all those fun, and in
many cases, could be illustrated as corner cases, philosophical and
religious base. But they are very important, as it relates to making sure
that while you may have three top vendors in IT as your largest environment
as related to investment. It doesn't necessarily mean that you're going to
be able to achieve what it is you need to achieve without taking the rest
of the big picture into consideration with the non-virtualized environment,
and what that means to you when you move to cloud. So, it's very tricky.
Simon Crosby: So then, just to come back to the beginning of this, what is the role
of the virtualization platform vendor? Well, the hypervisor in my view,
tiny. Right? 100,000 lines of code or less, embedded in memory,
securely booted through the TPM, securely bootstrapped, check everything,
and so on. It's not an OS. Anybody who claims it's an OS is trying to sell
you more features than you need. I think the hypervisor server context is
not done. It's just very clear how it goes, and goes as a function of Moore's
law, both in the outer domain and the CPU, memory and everything else.
And we know how to solve those problems; but it shouldn't become an OS. It
needs to have a tiny footprint, and by making it tiny you then reduce its
attack surface. Okay? And then it's all about, how then in the context of
virtualization, can I protect the guest. That's about opening up the
interfaces at the right places so the people who know about guests and know
about apps can protect the things that are in those containers. It has got
very little to do with me other than I need to open up an interface, and
that interface needs to be secure in its own right. And then you take care
of the hypervisor security, specifically by just making it a tiny little
thing that shims between a real hardware and a virtual hardware. And so,
then I return [to] my core point, which is the hypervisor, we're not a security
vendor. Fundamental to what we do should be that we are secure and that
every line of code should be open and should be checkable; and that the
security industry should be able to say to us, we need these interfaces,
and this is how you should secure them. And then I know what my job is,
it's really simple.
Chris Hoff: So philosophically, there is actually nothing I disagree with
there. Realistically and interesting to one of the first points about the
dominant player on the market today in VMware, their approach is
diametrically opposed. And so, I will agree that Simon's definition, and
this is kind of where we stepped off at one point in a debate we were
having, Simon's definition as it relates to the products and how he
represents virtualization in the platform that delivers it. I totally
understand and agree with him in that respect. If I put my other hat on and
I look at the dominant player in that market space, from that perspective I
would say, given how pervasive that solution is, even though it's getting
thinner, some of that thinness is being traded off by how much is being
exposed externally to interact with other things that they would probably
agree they don't have the core competency in either.
Simon Crosby: Right.
Chris Hoff: So, that's the kind of philosophical architectural balance I was
alluding to earlier, and that's the difficult portion here. If that is a
dominant approach, and users aren't protesting that out of whatever reason,
and that's kind of why I raise these issues a lot about networking.
Simon Crosby: Well, there haven't been a lot of attacks.
Chris Hoff: No, there haven't. Right. And to the point, the funding we've
discussed the other day of how when you look at some of these proof of
concept of attacks, they Xen because first of
all the source code is available, it's easy to get. So ultimately that's
why you see that being used as a platform. So, there are all sorts of
interesting debates for a follow on, but there are two different
perspectives, and neither one is right or wrong; it just depends where
you're coming from.
Mike Mimoso: Well, thank you both for joining me today. I'm Mike Mimoso, Editor of
Information Security magazine, and thanks for watching.