
Virtualization and Security: The real truth!

So, my attempt to drag out some members of the community did work. It did get me some unfriendly and nasty responses. As Joseph Goebbels said:

“If you tell a lie big enough and keep repeating it, people will eventually come to believe it. The lie can be maintained only for such time as the State can shield the people from the political, economic and/or military consequences of the lie. It thus becomes vitally important for the State to use all of its powers to repress dissent, for the truth is the mortal enemy of the lie, and thus by extension, the truth is the greatest enemy of the State.”

Well, that was a time when the web didn't exist and couldn't exert one uniform pressure on the masses to believe the lie or the distorted truth, whichever way you call it. Fortunately the web is a medium where the truth just exists. I was glad to see that Chris was able to spend some time and dissect the post, even though he was on wine.

So how true is the real truth? (I'll quote my own post here)


  • This is a validation of the fact that Virtualization is going mainstream.
  • Security and Compliance will be a core focus of all organizations (as regulators will come knocking at your doorstep).
  • Virtual Infrastructures are easier to batten down and secure due to their uniformity.
  • Regulators will increasingly ask for audits. Whereas in traditional environments (I've seen such audits by the likes of KPMG etc.) I always wondered, "wow--you are so prepared, dude, NOT!", Virtual environments suddenly enable auditors to ask the right questions and get or not get the expected results.
  • Focus on security would mean that we will have to work harder to provide secure and compliant virtual platforms.

So, I welcome this shift. Virtualization platforms are secure and have been secured; the ones that aren't should start doing it right away. I'll be personally speaking at an event in November on security and why a "secure and compliant practice will enhance your competitive edge". It's not just about securing; your customers want to know if they are secure with you.

Truth or reality (obviously, as I see it):

- Virtualization is about to change the way you have been thinking about security forever. Virtual infrastructures are like floating blocks on thin ice. Get a security assessment before you get started and try to take it into your design by default.

- The most provocative line: Virtualization platforms are secure and have been secured; the ones that aren't should start doing it right away. I think I should have got more response/critique than ever here. Virtual platforms and the security around them are a whole new ball game. We need to understand it first before making assumptions that they are secure upon installation.

It was a mere attempt to get some feedback. The whole point was to get past the skepticism around security. Many organizations are not informed in advance of the security and performance pitfalls around virtualization. Should you be able to articulate it in your discussions with the customer, they will be less apprehensive about adopting virtualization. Security should be treated as an enabler while adopting virtualization and not as a show-stopper when an organization is on the brink of a technology refresh.
