Whatever happened to virtualization security?
Back in the day, everyone was talking about blue pills and red pills, about sideways attacks and DOM-0 threats, about security profiles and isolation policies, about perimeter defense and security embedded in the hypervisor.
Then, all of a sudden, the buzz seemed to disappear. It really seems like organizations simply don’t have the time, money, desire, or otherwise to pursue dedicated virtualization security.
Indeed, it seems like most of the pure-play virtualization security vendors have folded, been sold, or reworked their strategy.
- Blue Lane ended up being sold to VMware, reputedly at a bargain price, after failing to get any traction.
- Third Brigade was rolled up into Trend Micro, and now offers a solution for combined ‘physical, virtual and cloud’ protection.
- Reflex and Catbird have repositioned to highlight their value in configuration, compliance, and/or systems management (in addition to their security value).
- Tripwire and Configuresoft have long promoted some virtualization security values, but were never really pure-play virtualization security vendors.
- Even security specialists like Symantec and RSA do not push virtualization security products, preferring mainly to build on existing security paradigms to support virtualization.
Of course VMware still has vShield Zones and the VMsafe API, but of the ISVs it seems that only Altor Networks still plays strongly in the pure-play virtualization security space.
This barely sustaining demand for pure-play virtualization security was reinforced last week in new research from Prism Microsystems (PDF), a software vendor in the SIEM market (which I learned about in eWeek via @JSchroed). Possible vendor/sample bias aside, this research showed quite starkly how many respondents are securing their virtual environment using traditional (or no) security, and how few are using virtualization-specific security.
In confirmation of this ennui, Gartner recently predicted at least a 5-year maturity cycle for virtualization security.
All of this is especially perplexing, because there is no doubt virtualization security is still top-of-mind for some very smart and dedicated people. The Prism Microsystems research, for example, says that 86% of its respondents acknowledge that securing virtualization is as important as securing their physical environment.
So I am unclear as to what is causing this lack of market interest. Perhaps CIOs (and/or CISOs):
- saw virtualization security as unnecessary insurance against threats that have never played out ‘in the wild’
- rated the potential financial impact of any additional risks as low enough that they can simply accept them
- believe that vShield Zones and VMsafe are all that is needed (but what about Hyper-V, Xen, etc.?)
- decided instead to invest in management disciplines with more straightforward ROI (virtualization, automation, configuration management, asset management, etc.)
- have simply been unable to justify virtualization security purchases during the economic downturn
Whatever the reason, it really does focus the question: does virtualization security really matter?
In my opinion, it absolutely does. Yet, it seems to me that decision makers are saying that standalone virtualization security is more important theoretically, from a technology and business perspective, than it is in practice. Most enterprise buyers – for better or worse – apparently believe that their existing security paradigms are at least ‘good enough’. They definitely appear instead to be taking classic intrusion detection, data loss prevention, identity & access, and other entrenched security management disciplines, and adapting them to the new technologies of virtualization (and probably cloud as well).
All of which actually does make sense. Without any major virtualization-specific exploits in evidence, perhaps they are right. While it may be valid to take the view that it is only a matter of time until they are proven wrong, perhaps extending traditional security capabilities into the virtual world is indeed a good approach, at least for now. Perhaps CISOs are actually ahead of the game, integrating management across virtual and physical domains even while their systems and operations counterparts are maintaining virtualization as a silo.
Regardless of whether it is the right approach or not, one thing is apparent – the heat is off the pure-play virtualization security market, at least for now. As CIOs and CISOs focus on applying traditional physical security paradigms to their virtual environments, a different breed of cross-domain, integrated, and extensible tools are proving superior value – at least for now.