Saturday, September 5, 2009

Virtualization security compliance guidelines - quite off base!

I don't know if it is a challenge with today's compliance rules or how folks perceive virtualization security, but the recent guidelines published by VMware and RSA seemed to have missed the mark. I don't want to add the word "completely", but I do think they are quite off base.

Not to say they don't have some good things in there, like platform hardening, network segmentation, change management, admin access control, etc. But this is something one would be doing for non-virtual environments as well - not much different here, just common sense.

A reason for missing the mark is the non-focus on virtualization itself. Virtual environments are different. I think they need some fundamental rethinking of security, including a focus on statelessness, shorter session lifetimes and a true focus on data.

What fills me with a sense of incompleteness from these guidelines is the total non-focus on data! C'mon what are we trying to protect here? It's the data!! And nary a single mention?
