Virtual Security Needs People on the Front Line, Now
I’m going to start this morning with a question that I’ve been pondering lately: Should we work out all our security issues with virtualization before we start looking at cloud security? Would it take an army of security researchers to work on platform and cloud threats in tandem?
My gut response is “Yes, these are linear and we should address them in a very deliberate order.” A good bit of the cloud is based on virtualization technologies that we’re all using, yet no one has thoroughly addressed the security threats associated with mass adoption of these platforms. The truth is we don’t have the luxury of time to ponder all the threat vectors of virtual platforms and deliberately control our roll-outs for security: these technologies are already live and, fortunately or unfortunately, supporting a vast number of our applications and data centers today. That ship has sailed and it’s full of ESX and Hyper-V boxes.
Of course this scares the <you know what> out of me, and yes, it keeps me awake at night wondering when this is all going to collapse due to one silly little worm. How long before we see a virtual Sasser that has real business repercussions and sinks an entire ship?
In addition to the security concerns we have on virtual platforms, we also have different security concerns, arguably more frightening, with cloud computing. Like the three categories of virtual security I wrote about way back during RSA last year, cloud security falls into two primary categories in my head: securing the data in transit and securing access (yep, I categorize everything and make lists like you wouldn’t believe). These differ from the virtual platform threats in that cloud security is about process rather than code. We have to implement security checks and border patrol on the Cloud Highway: everything is inspected as it comes in and out and only certain workloads are allowed on the highway. We have to look inside every freight package that traverses the Highway, and that’s going to be one mighty endeavor.
I was having a conversation with a VDC reader last week and the topic of adoption vs risk came up: If the risk is so great (as I think it ultimately is) then why isn’t it getting more attention? I believe that no matter how great the risk, the rewards associated with implementing virtualization, and eventually moving outside the data center to the cloud, are too great to be stalled by theoreticals, and if you can’t see risk then there is no risk. The mobility, the consolidation, the new levels of management and granularity, all of these are so much more important to business process and IT agility than security threats that frankly don’t exist yet. Business moves ahead.
So what do we do? We address these security risks in parallel. We start making virtual and cloud security a more visible issue. We need more virtual security researchers — dare I say it, because I’m not a fan of the branding — more white hats out there focusing on both sides. We need PhDs looking at hypervisor and resource-based security and we need ethical hackers focusing on the cloud. We need new Cloud PenTesters.
We need giant posters in every college depicting Max Headroom (the only virtual icon I can think of) smiling, pointing, and saying “I Wa-wa-wa-wantttt You-ou-ou!” The virtual security army needs new recruits, and we need them now.
I’ll close with another question to ponder: Will these recruits even know who Max Headroom is? Were they even born yet?
