Simon Crosby, CTO of Citrix/XenSource, made a pretty bold statement yesterday that has some people agreeing with his position and others disagreeing. In an interview with searchsecurity.com he publicly stated that virtualization vendors are not competent to try and secure virtual environments and therefore looks to 3rd party security companies to solve these concerns.
Who are these 3rd party security companies? Well, there are a number of startup companies such as Montego Networks, Blue Lane, Catbird, Altor Networks as well as some of the big guys that are working on helping the virtualization vendors with these security concerns.
I tend to agree with Simon that the virtualization vendors don't currently have the expertise to deliver appropriate security controls for virtual environments BUT should they?
Well, Chris Hoff, who blogs on the topic of virtualization security a lot, seems to think that they should deliver security tools and that by not delivering solutions to secure the environment they are doing their customers a disservice.
"Further, I don't expect that the hypervisor should be the place in which all security functionality is delivered, but simply transferring the lack of design and architecture forethought from the hypervisor provider to the consumer by expecting someone else to clean up the mess is just, well, typical," said Chris Hoff in his blog on this topic.
I've spoken with a number of research analysts, venture capitalists and customers on this topic over the last several months and whenever I tell them what Montego Networks is off building they ALL seem to ask the same questions. One of those questions is: Why isn't VMware or Citrix/XenSource doing this? My response has always been that "they have publicly stated they do not want to and plan on leveraging an eco-system of security vendors to provide this".
Well, Simon's public statement is right in line with what I've been saying all along. The other question I get when I describe how Montego has security built into a virtual switch we've created is: shouldn't this technology be in the VMware Virtual Switch? And my response is "Absolutely! But it isn't! So, someone's got to do it."
So, I agree with Chris Hoff and I also agree with Simon Crosby. The virtualization vendors don't have the expertise BUT I feel they should provide SOME security tools to ensure the environment is safe.
There are some virtualization vendors that I have spoken with that are planning on using security as a differentiator and it's my prediction that one of them will acquire security technology to do this. It's often easier to acquire vs. try and build it yourself given you don't currently have the expertise.
So whose problem is it to solve?? Virtualization Vendors or Security Vendors??
I see the finger pointing game starting!
CTO / Montego Networks