The 3/21 Virtualization Security podcast featured @MrsYisWhy, who is a recovering Unix engineer most recently assigned to the network security team of a financial services provider. She also hosts a podcast called Healthy Paranoia, a security feed of Packet Pushers. I asked @MrsYisWhy to join the podcast because she comes from the other side of the world from virtualization and cloud security folks and has quite a different view. The rift we saw being sewn up is now a vast divide as we jump feet first into cloud deployments, virtualizing business-critical workloads, and generally using more and more virtualization and cloud in our daily lives.

One of the guests jokingly stated that IT Security puts the “NO” in Innovation. This is a sad state of affairs and, to be frank, there are two sides to that coin. But ultimately, when there is a security issue, the security team is responsible. If you do not believe me, read your security policy documentation. You have read it lately, have you not? I do not mean the ongoing training that goes on in every organization; I mean, have you sat down and read it from front to back and asked questions about what you may not understand or need clarification on? If you have not, I strongly urge you to do so, because unless that document has changed, it may be risky behavior for you to use those tools you find indispensable for everyday work.
Many of the panelists on the Virtualization Security podcast often get asked “where do we put security?” Our answer is always to start with security within the architecture; do not wait until after the environment is deployed. Unfortunately, waiting is what we are seeing. As @MrsYisWhy pointed out, the security and networking teams treat the virtualization host as if it were a black box and not the hybrid compute, network, and storage device it is. Because they were not involved from the architecture stage, they are pushing back, because they are ultimately responsible.
Security and network teams have quite a lot on their plate as it is. Virtualization and cloud are fairly new to them and, until now, could be relegated to a dark corner of the data center in front of which they just place a firewall. But think how your environment has grown; it is now pervasive. There is a need for the security, network, and storage teams to be fully integrated as we work on virtualization and cloud technologies. It has been over 8 years since my first presentation on virtualization security, and the same questions are being asked and the same concerns are being raised by the security and network teams.
Failure of security and network teams to learn more about virtualization and cloud security is a career-limiting choice in today’s world. The senior virtualization and cloud administrators need to become facilitators between all these groups: read the security policy, educate, question, and bring the security and networking teams up to where things are today. As a virtualization administrator, are you such a facilitator? We need to once more close this growing divide and become whole again. We were getting there; now the fabric is split once more.
Oh, and to cover the lowest hanging fruit of virtualization and cloud security: have you protected your management network properly? Do you even know what is on it today?
Take a listen and let me know your thoughts.