May 07

There’s no silver bullet

I’m frequently asked about virtualization and cloud security. Usually it starts with a phone call from a sales guy asking “How do I secure the Vblock?” or “What can we sell to secure VMware?” I usually counter these statement with “Tell me the problem you’re trying to solve”.

Once I know what’s actually being asked, I’m usually left having to break the news. There’s no silver bullet. I can’t send you a USB key with the “Secure the Vblock” app on it so you can plug it in and “make it secure”. <\bubble burst>

“But why not Mike?” It’s because there’s just too many moving pieces and too many definitions of what “secure” means. Let’s break that down a bit.

How many moving pieces? Tons. When you think of all the settings you can change that could possibly impact security, it starts to boggle the mind. I’m reminded of two things. “The Butterfly Effect” where one change in a nonlinear system can radically change the outcome and the Mandlebrot fractals, where changing one variable can change the image displayed.

What’s your definition of “secure”? Everything encrypted? All I need is vShield? Twelve character passwords? Logging everything to a SIEM? Updating patches?

The list goes on. (and on…)

With virtualization, we’re putting a huge responsibility on the infrastructure to be secure. Unfortunately, some still treat it as an application and forego things like design. Security is still a “bolted on” construct. IT and Security are still not working together.

Because of the complexity, we need to use more tools. We need to automate and be able to work at scale. IMHO, “Cloud” is not about IaaS, PaaS, SaaS or any of the other *aaS’s. Cloud is about Scale. That means security needs to be able to scale. That means we CAN’T keep doing things the way we always have. (a better excuse for an audit I have not found!)

Some of these tools, performance monitoring, patching, updating, logging, you will find in the quiver of the IT professional.. All tools that the Security Professional should be getting a feed from and understanding how to apply that feed to security.

Hopefully, in the not too distant future, we can provide the ability to make better sense of that data in real time to help better secure the virtual environment. You can start today with using that data to ensure that compliance and visibility requirements are met. If you want a silver bullet, that’s a good place to start!