VirtSec Not A Market!? Fugghetaboutit!
Thanks to Alan Shimel and his pre-Blackhat Security Bloggers Network commentary, a bunch of interesting folks are commenting on the topic of virtualization security (VirtSec) which is the focus of my preso at Blackhat this year.
Mike Rothman did his part this morning by writing up a thought-provoking piece opining on the lack of a near-term market for VirtSec solutions:
So I’m not going to talk about technical stuff. Yet, I do feel compelled to draw the conclusion that despite the dangers, it doesn’t matter. All the folks that are trying to make VirtSec into a market are basically just pushing on a rope.
That’s right. No matter how hard you push (or how many blog postings you write), you are not going to make VirtSec into a market for at least 2 years. And that is being pretty optimistic. So for all those VCs that are thinking they’ve jumped onto the next big security opportunity, I hope your partnership will allow you to be patient.
Again, it’s not because the risks of virtualization aren’t real. If guys like Hoff and Thomas say they are, then I tend to believe them. But Mr. Market doesn’t care what smart guys say. Mr. Market cares about budget cycles and priorities and political affiliations, and none of these lead me to believe that VirtSec revenues are going to accelerate anytime soon.
Firstly, almost all markets take a couple of years to fully develop and mature, and VirtSec is no different. Nobody said that VirtSec will violate the laws of physics, but it’s also a very hot topic, and consumers/adopters are recognizing that security is a piece of the puzzle that is missing.
In many cases this is because virtualization platform providers have simply marketed virtualization as being "as secure" or "more secure" than their physical counterparts. This, combined with the rapid adoption of virtualization, has caused a knee-jerk reaction.
By the way, this is completely par for the course in our industry. If you act surprised, you deserve an Emmy 😉
Secondly, and most importantly to me, Mike did me a bit of a disservice by intimating that my pushing the issues regarding VirtSec is focused solely on the technical. Sadly, that’s so far off base from my "fair and balanced" perspective on the matter, because along with the technical issues, I constantly drum home the following:
- The biggest challenge we have with virtualization in the short term (the next couple of years — the same timeframe Mike suggests VirtSec will take to percolate) is operational and organizational, and not technical.
You can find recent postings on that topic in posts such as Security Pros Say VirtSec Is An Operations Problem? and The Challenge of Virtualization Security: Organizational and Operational, NOT Technical.
- Along with the organizational and operational issues comes the need for visibility and visualization of what is going on within these virtual environments.
You can find my latest entry on this (posted early today, actually) in my entry titled Visualization Through Virtualization…
"Nobody Puts Baby In the Corner"
Painting only one of the legs of the stool as my sole argument isn’t accurate and doesn’t portray what I have been talking about for some time — and agree with Mike about — that these challenges are more than one-dimensional.
The reality is that Mike is right — the budget, priority and politics will bracket VirtSec’s adoption, but only if you think of VirtSec as a technical problem.
Is VirtSec a market? My opinion: it’s an instantiation of technology, practice and operational adjustment brought forth as a derivative of a disruptive technology and prevailing market conditions.
Does that mean it’s a feature as opposed to a market? No. In my opinion, it’s an evolution of an existing market, rife with existing solutions and punctuated by emerging ones.
The next stop is how "security" will evolve from VirtSec to CloudSec…
/Hoff
Oh, poor Chris. Feeling unloved. I guess this is another example of the laws of unintended consequences. I was trying to point out that our beloved Survivability dude is at the forefront of the VirtSec curve, showing us about the real exposures and educating us about the things that we are not considering.
That, of course, didn't mean to say that our sensitive one (should I buy a case of Kleenex for you dude?) wasn't looking at it from other perspectives. Yet, I guess by not specifically saying how wonderful a market analyst our fair maiden is, it was intimated that I placed the fine Mr. Hoff in a box. Or a corner. Or whatever.
So let me be clear. If you are doing virtualization, Hoff is the first place to look and learn. Period. You can scratch and sniff while you are here as well.
Now Mr. Swayze, put your shirt back on.
Respectfully,
The parasitic analyst http://www.pragmaticcso.com http://blog.securityincite.com
It's not that Mike, it's just the only way I get to talk to you anymore…you don't call, you don't write 😉
But seriously, I didn't just want to get lumped into the squawking masses of folks who are yammering on only about technical elements of virtualization, is all…
I'm just not as diplomatic as you are 😉 BUahahahahahaha!
Lovin' you!
/Hoff
It's interesting. Whenever I blog about virtsec my views go up dramatically. The same with cloud computing recently. So I've figured out that my readers like the topic. I agree with you Mike that the market is small; but I think the technology is strategic to multiple categories. Visibility, enforcement, policy control, application delivery, etc are all important to virtualization and cloud computing; and virtsec might be the most significant barrier/opportunity for production virtualization. And Mike… to some extent we're ALL vendors!
G
I think part of the "problem" is that people are expecting virtualization vendors to magically take care of everything, so they don't have to spend money on virtualization security. This is a naive perspective, of course, and your (Hoff's) theme of dealing with the people/process side is right on.
After all, there is no end to the griping about Microsoft and security issues – and that is on well-established, mature platforms. On the virtualization side, how can people expect the vendors to solve all things security? But that seems to be the position a lot of the users I've spoken with are holding – "The vendor will solve this for me." Right. (think "OneCare").
Sometimes I wonder if other analysts, PR people, and vendors are the only ones reading these blogs!
@Steve I can assure you that at least with my blog, that the majority of folks reading my blog (based on empirical sampling, of course) are not PR, vendors and analysts…I get SO much email from end users it's mind-boggling…
It's interesting to me how many of them simply won't comment publicly, but I don't mind.
/Hoff
I can't help but think that Virtsec adoption will largely depend on how strong an Infosec risk management program an organization has in place. Server / Desktop virtualization threats and vulnerabilities are still in the "what-if" category of exposures for most operational teams, meaning if it hasn't happened to them it doesn't exist 🙂 If a security team cannot adequately quantify and / or express the risk of deploying a virtualized infrastructure, then there is a good chance that no additional thought is given to whether security beyond whatever is offered "out-of-the-box" is appropriate.
If an organization has a strong Infosec risk management program then I believe they are more likely to justify the investment in additional Virtsec infrastructure. So vendors and analysts reading … maybe the adoption rate could be directly correlated to the number of organizations that have a good Infosec program , and how many of those do you think are out there? 😉
I think one of the big problems is defining what VirtSec is. It means a bunch of things to different people. My Usenix tutorials are aimed at educating technical people on the different aspects of security for Virtual environments to hopefully help them ask vendors to provide solutions in the right areas, and figure out what areas they already have the solutions in. It is an interesting space, to say the least.
@Phil:
My "… tutorials are [also] aimed at educating technical people on the different aspects of security for Virtual environments to hopefully help them ask vendors to provide solutions in the right areas, and figure out what areas they already have the solutions in."
…I've been really happy presenting on this for the last 2 years or so — I do it from the premise of managing risk as well as threats and vulnerabilities, which is what I think you were suggesting…
I demonstrate the business value, technical problems, solution landscape (now -> 2 years) and futures, esp. disruptive innovation.
It is fun, indeed.
/Hoff
To condense it down to one quote:
"It's in the way that you use it." (Clapton)
Details are left as an exercise for Hoff to elucidate (with or without shirt).