Month: June 2007

Virtualization considered harmful?

First Gartner published a report in April arguing that virtualization– which the company had called a “mega trend” earlier– presents security risks. Now a more recent article in DarkReading suggests that it is not just Gartner consultants who share that opinion. In Security Fears Slow Virtualization, the website reports that about 50% of IT professionals who are either using VT today or considering adoption in the next 18 months believe it introduces new security challenges.

Among the respondents to the emedia survey, the chief security concerns were about virtualization patching and updates (32 percent), guest-to-guest attacks (27 percent), and the addition of new host software (22 percent).

This echoes the risk pointed out by the Gartner, which included the observations that network based intrusion detection/prevention systems do not have visibility into intra-VM traffic. (That limitation only applies when the VMs are on the same physical host.) Even stranger according to DarkReading, is the finding that the later an IT shop is considering implementation, the greater their security concerns. This could be interpreted in two ways. Either  there is insufficient information and the more people learn about VT– inevitably at the 11th hour when the project is going live– they become more comfortable. The second interpretation is a selection bias: the system administrator concerned about a technology is not going to deploy it anytime soon, so the answers are consistent with prioritization.

But backtracking for a minute, these articles seem to miss the bigger picture, namely that properly used, virtualization can be an important weapon for improved security. It provides compartmentalization between different components of a system running on the same hardware and does so with assurance greater than any other mechanism, including operating systems or constrained programming environments such as Java. For example, using a virtual machine to experiment with malware is standard practice among researchers. Many trees were killed over academic papers suggesting various designs that employ VMs to confine untrusted applications. Similarly, the paper When Virtual Is Harder Than Real pre-dated Gartner’s critique, pointing out the security challenges for virtualization in a much broader context than enterprise hardware consolidation. For example the authors noted that when VMs are used for mobility, integrity of the image becomes crucial because infection of a machine image is equivalent to a virus infecting a binary.  Bottom line is that few of these concerns are new. Virtualization can be (and has been) leveraged in ways that increase security assurance. Equally likely is a configuration that aggravates one or more existing problems such as patch management that get an added dimension in the context of VT.

cemp

Posting with Windows Live Writer

This is a first-attempt to post to WordPress blog using Windows Live Writer. Currently in beta, WLW allows using a native Windows application to publish to Spaces, WordPress (which is the platform underpinning RandomOracle), Blogger, LiveJournal, MoveableType and even SharePoint blogs for the enterprise-oriented.

Arguments in favor of posting this way? Rich-clients have more more polished UI, boast greater flexibility, and can function offline. But taking each of these in turn, the advantage disappears on closer look:

  • User interface– yes client UI is easier and more familiar than web UI but what is the complexity of the average blog post? It is neither War and Peace, nor a template letter with embedded macros getting mail-merged against a spreadsheet of names that calls for the 2000+ features in Word 2007. (Although familiar Office interface for editing tables is there for example.)
  • Similar arguments apply on the point of flexibility. Most of the flexibility gained by using a native client that has close integration with the OS is lost on the simplicity of the task.
  • Offline mode. This is probably the best argument to justify the heavyweight solution. Blogging UI has become more sophisticated– for example losing an entire post because of a connectivity issue or accidentally hitting “back button” is rarely an issue now. But when one considers blogging a type of interactive online communication, offline mode has limited value. Rarely does an article emerge with the author locked up in an office, ruminating on a subject out of his/her imagination. Posts are often responses to other blogs, track-backs, commentary on a recent article etc. and seeing all of that requires being online. So at best offline mode is useful when the author has all the relevant information collected (including hyperlinks) but has lost connectivity temporarily, for example during a flight. But for those temporary situations, there is Google Gears API released last month. It provides a generic offline capability for any web application, taking the wind out of the argument that smart-clients are necessary.

cemp