Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Patrick Foley

A Virtual Certainty…

Security professionals might be forgiven for having something of an inferiority complex, as we are often the last ones invited to all the cool parties, and then once we show up, everyone thinks we’re buzzkills for spending our time looking for the emergency exits, checking the expiration date on the keg, and testing the batteries in the smoke detectors.  Hence, we have to walk a fine line between effectively enabling organizational success and saving the same from plunging headlong through the “Bridge Out” sign into some risk abyss.  Often we have to play big brother (in both the upper- and lower-case senses of the term) to ensure our voice is heard amongst the finance, marketing, and operations people who, we are convinced, stay up way past their bedtimes to conceive of new ways to torment us (though if they are anything like my younger siblings, the annoyances are apparently effortless…).


2 Comments

  1. Ken Salchow Dec 16, 2008 at 10:09 am

    I’ll admit that I haven’t been as active in the security arenas as I once was–but I try not to be completely ignorant of what is going on; and, frankly, I’m surprised at the implication that most security people are taking the virtualization trend with a grain of salt. Maybe I’ve been hanging out with the wrong crowd, but a colleague of mine published this paper (http://www.f5.com/pdf/white-papers/virtual-data-center-security-wp.pdf) almost 2 years ago. This paper talks about many of the potential risks this new world has to offer.

    I’m also surprised to hear a comment like “since a hypervisor hasn’t been exploited in the wild . . .”. First, there have been many reported exploits pertaining to hypervisors already (http://www.scmagazineus.com/Two-vulnerabilities-found-in-VMware-virtualization-products/article/107207/, http://www.xboxic.com/news/2485), and rarely has ‘in the wild’ ever been a condition of patching/fixing a system or being concerned anyway.

    Second, I never felt that proof was required in a risk assessment. Due diligence mandates that you list all ‘possible’ risk–real, unreal, imagined or experienced. If you can think of it–it potentially could happen. I used to list alien invasion on all mine–not that I could do much about it, but when the aliens come I would be able to satisfy due diligence and due care. Being concerned about the security of virtualized environments is nowhere near as far-fetched; it is code and it’s written by humans. ’nuff said.

    So–nice post. If information security practitioners really are as ho-hum about virtualization, then we need more posts like this to wake them up. Glad to have you back on the side of distrust and cynicism–right where ALL security people should be. ;-)

  2. Pat Foley Dec 16, 2008 at 3:28 pm

    Ken – I do hope I’m overstating the case, though I was surprised how limited the information available regarding security for virtual environments was. I imagine there are practitioners who are quite conversant with it – I’m just not traveling in the same circles!

    Regarding hypervisor exploits – even if one hasn’t happened – and I’ve seen a fair amount of scenery-chewing on both sides of that question – I’d have to imagine they will become more common as more organizations virtualize – hard to imagine a changed host deployment paradigm is going to discourage hackers…

    While I’m likely by nature to be somewhat circumspect rather than flamboyant in my efforts to advocate security awareness, I hope at least a few readers will take a closer look at the subjects I raise even just to prove me wrong and enlighten all of us in the process.

    Distrust and cynicism – I’m from Brooklyn – it’s in the water…
