Virtualization: Disruptive technologies part 4

Is there a future for vendors offering security solutions for virtualized environments, or will security eventually be almost entirely built-in? Experts Chris Hoff, Rich Mogull and Dino Dai Zovi discuss.

Interviewer: We've already seen a little bit of a mini security industry
spring up around the virtualization vendors. Do you think that we are
going to continue to see that, or, ultimately, will the security be built
into the virtualization offerings themselves?

Chris Hoff: The answer to your question is yes, on both fronts. I
recently got into a little debate, that's a good word for it, with Simon
Crosby from Citrix, and the comments, however inflammatory they may have been on
either side of the argument, were that there are kind of two camps on this
front. Which is, hey, I'm a platform provider, and I provide you this, and
I need the ecosystem of security and the managing and extending that
platform to third parties. I have a slight problem with that, in as much
as that perpetuates the exact model that we've had with operating system
and operating system vendors and the issue of vulnerability and remediation
of vulnerabilities and that lifecycle over time. As well as when you kind
of kick the responsibility out to make people buy more tools, they
generally, in a stressed financial situation, will not buy those tools,
which makes the world, and universe in general, less secure. My opinion is
kind of option number two, which is, hey, Mr. Virtualization Vendor, make
your platform as secure as you possibly can, by design, by coding. You do
all the right things there, and then make the process of both extended to
the ecosystem, as well as make that as flexible and easy and cost-effective
as possible.

So what you ought to do is bundle in some capability to allow me to be
flexible in my design, if I'm an end user, to add levels of security that
are commensurate with the risk that I want to manage. If I have to, for
example, to protect the hypervisor against attack by a VM, go out and spend,
whether it's a thousand dollars or ten thousand dollars on virtual clients
or hardware clients. Why should I do that, as opposed to you building an
API into that hypervisor? For example, let's use what I already have as an
ecosystem builds, would attract a bunch of the low-hanging fruit and a
colander approach? We know that malware exhibits certain behaviors, and it
does certain things that are obviously abhorrent. Why don't you just fix
those problems before they become a problem? And that's kind of my point.
So, VMware has done that with VMsafe, and Citrix/Simon Crosby has a
separate perspective, which is, you know, that's really not my problem. At
least, that's my interpretation of it, and a lot of others, and I think
somewhere in the middle is probably the right answer.

Rich Mogull: Well, he builds a ridiculous ecosystem. Look what happened
with that operating system. So, to give you an example, the problem with
the security industry, and this is almost off-topic, is when people's money
is invested on people being insecure, it creates certain little ethical
issues. And, so, we have Microsoft trying to lock down the operating
system. In 64-bit Windows Vista, they tried to lock the kernel, and nobody
said they were going to run their little kernel hacks any more. You have
many virus vendors taking out full page ads in the Wall Street Journal.
Yeah, antitrust. So, basically, they were saying, Microsoft, now show me
that product less secure so we can make money. Which is basically what it
comes down to. And so for Citrix, if they want to take that approach,
that's fine, and even VMware, I think, is probably going to get hamstrung
to the point where, oh, well, we found a new way to secure the hypervisor,
but we can't go ahead and do that because it's going to piss off all of our
security partners. The bad news is, I think, it's just going to be a mess.
Hopefully, they can take the right approach now.

Dino Dai Zovi: There's a lot of debate, I think. Bruce Schneier has been
talking about this a lot, as to whether security is going to move into our
products or whether it has to keep being this third-party industry, which
is less efficient. Building a new platform, you have the most knowledge of
what the security pitfalls can be and the most access to it. I think a
certain level of due diligence should be done by product manufacturers. And
VMware is taking a big step there with VMsafe. But, personally, I want
more. I think, for instance, VMware bought Determina. Determina had some
awesome technology that used dynamic binary translation to re-execute
binaries, basically they were being rewritten on the fly, so you could pack
systems with zero downtime. Dynamic binary translation is one of the
cornerstones of VMware's product. They use it to make sure that supervisor
code can be run safely in the hypervisor. They have a lot of the
capability to deliver downtime-free virtual machines. For the majority of
patches, they could basically fix dynamic binary translation in your
guests. If they could do that for Windows and say, you run on our
platform, and you don't have to patch most of the time, that's awesome. I
think, basically, they could take that step, and it's enough work that a
third party vendor may not.

Rich Mogull: By the way, the unicorns and the rainbows over here, which I
think is what all of us would like to see, and then I think we have, I
don't want to call it an enemy, we've got some piece of steaming pile of
something over here, and all the flies fighting for their bits of the
steaming pile. Which, not to be too negative, but, I think that's where we're
headed. Realistically, I think it's going to be a little bit in the
middle, and I hate to be cynical, I think it's slightly going to in the negative.
I think some of the vendors, like VMware can have the VMsafe programs. I
think those programs are going to be somewhat compromised by security
vendors who want things opened up or want to control aspects of those
programs, which is going to negatively affect the companies that perhaps
VMware is going to implement themselves. We're going to see some good
probably start-up their products. We've seen those kind of things, the
Blue Lane kinds of things and other stuff coming out, that can potentially
fit into some of the security features that we need. It's going to be a
free for all, and I think a lot of this that we would all probably love to
see, in terms of how people do this, isn't going to happen. So, again,
practical advice is, just be careful. Know where your data's going, know
where it's flowing, know where stuff's positioned, and just be ready to

Chris Hoff: Well, you know what's interesting, though, I guess that
theory's true, if you are willing to accept the kind of definition of
what security means to us today, if security changes, where we start
really talking about the understanding where data is moving, and we become
more, I'll use our term, information sensory, but that's alright. But
somebody else did forty years ago, so I can't take all the credit. As we
start to focus on that, rather than the network, which has also become
this, we've got so much technology available to solve lots and lots of
problems. And thinking of the host, it's becoming more apparent to people
that's less important over time, all right, that we ought to focus on the
information itself. As that happens, then security tools, and I'm starting
to write about this, become, and Joe Schneider has talked about this a lot
in the reference of what he finds IDS systems are. Where, in many cases as
they're deployed, IDS systems aren't security tools that detect intrusion.
They are tools that give you a really interesting level of visibility into
how data is moving around your network.

A lot of these tools, the Blue Lanes, the LTORs, the start-ups in this
space, when you look at what their products do, and you look at how they
represent management, it usually, for example, in VMware, their plug-in is
just a virtual center. So the folks that, to go back to the first question
that you asked, the folks that are actually looking at those panels, the
control, the widgets and dots and dashboard, they're not security people.
They get one representation visualizing, kind of, security, but it's from
a visibility perspective. What kind of traffic is going through VMs?
How does it match the policy or profile that I have that has illustrated
credit card data. Why is credit card data going from virtual segment and
that program to the other one? Security, by definition, will also
change. In which case, so will the tools and their applications and what
people expect out of them, as will who's actually administrating them. You
know, we've got a little bit of that going too, which I think is important
to recognize, and that's why we answered. It's organizational and
operational, then our expectations from what security means will also

Dino Dai Zovi: When you think about it, a lot of this stuff has been
solved a long time ago, really. Every now and then, I like to think about
things from a thousand-year view, just to take a step back, and think about
some other kind of asset, like fiscal assets, like money. Does a bank keep
some money here, some money there, some money there, oh, good, let's take a
big stack of money over there. That's very good, very important
information. Our important information is scattered everywhere. We just
got to put it in the vault, watch where it goes. I mean, it takes more
thought, but the problem's already solved. We just can't manage to keep
our information, keep track of our information. And, so, using IDS
datalink prevention, not that we're not getting the value out of these,
as Chris mentioned. It's just getting visibility to the data flows, because
they just have no idea what they are.
