Q&A
Chris Hoff on Virtualization and Cloud Computing
Security expert Chris Hoff on how to approach virtualization security, why "the" cloud doesn't exist, and "the giant hamster wheel of pain". (Part of the What Happens Next security predictions series.)
By Bill Brenner, Senior Editor
November 11, 2008 — CSO — Chris Hoff, chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board, is one of the biggest critics of virtualization security out there. Not because it isn't important - but rather because it is vital and needs to mature rapidly.
Here, Hoff explains how a lack of real understanding of virtualization makes it very difficult to secure the technology.
CSO: Where do you see the biggest virtualization security holes going into 2009?
Chris Hoff: Unfortunately, it remains a cloudy issue. When you look at how people think of virtualization and what it means, the definition of virtualization is either very narrow -- that it's about server consolidation, virtualizing your applications and operating systems and consolidating everything down to fewer physical boxes. Or, it's about any number of other elements -- client-side desktops, storage, networks, security. Depending on who you are and where you are, the definition of what's coming in the virtualization world means a lot of different things to a lot of different people. Then you add to the confusion with the concept of cloud computing, which is being pushed by Microsoft and a number of smaller, emerging companies. You're left scratching your head wondering what this means to you as a company. How does it impact your infrastructure? It's very confusing.
And this confusion feeds into the larger security dangers?
Sure. You really have to frame the virtualization discussion around three elements: The first is to talk about securing virtualization. Once you have multiple virtualization platforms, you have to look at what it does to your architecture, your people processes, and how to make sure it's all secure. Next, the discussion has to be about virtualizing security. The first was securing virtualization, the second is virtualizing security -- understanding the impact on people, process and architecture. How do I take what I already have today and use what works and what makes sense, and then understand what the security landscape looks like among the vendors I have and those I'm looking at. The third thing is ultimately security through virtualization, using virtualization to actually achieve better security. If you break the discussion into those three parts, you're better off. All the discussions need to be conducted through the concept of what the business is and where the highest risks are found. Unless you understand all these things, it's just a giant hamster wheel of pain.
virtualization
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
