
Virtualisation and security in the courtroom

The courtroom barely holds a multicolored crowd comprising the media, professionals, practitioners and onlookers with a vivid opinion about everything. All are lured by the prospect of a heavy sentence for an accused whose every sign of weakness they take as the greatest proof of her guilt. Were it not for the certainty of a great show, they would take umbrage at the time wasted by the judicial system as much as at the severity of the charges. The civil claimant, the victim, does not seem to draw as much glory; it is probably the weight of the responsibilities with which he is burdened that puts him under everyone's pitchforks, accused of not being able to rise to the occasion.

– Madame Virtualization, before presenting the facts that bring us here today, I was surprised to read your file: you seem to reoffend. I have right in front of me a Gartner report from 2010, the title of which alone will explain your relationship to the victim: “Addressing the Most Common Security Risks in Data Center Virtualization Projects”. In summary, by forsaking Madame Security, you put us all at risk!

– Your Honor, I was young. At 20 years old, we are still carefree. With youthful enthusiasm, we race about, we show off the finest clothes and we forget what is important.

– You are telling me, and I quote, “40 % of your projects have no security”. Some people talk about 2010, but this is huge.

– Yes, and without wishing to avoid the question, there are also explanations. Server virtualization operates with hypervisors that are based on physical servers. In some cases, we forget to call upon security simply because the physical servers are already protected. The mistake is not to see that this hypervisor surface has its own logic and thus contains its own weaknesses and vulnerabilities.

– Precisely, and since you talk about physical servers, I read in the same report that you have made it easier to combine apples and oranges. What a strange idea to have on a physical server a virtual machine that will handle the administration and another machine to handle security. It is a little bit as if I were to put Jack the Ripper and Mme Claude in the same cell, that may end badly…

– If I may, I do not enable such a combination; I allow it functionally. The difference is important and it is all a matter of how one wields the power that I have. That raises the question of training and the installation of suitable devices. Today, that has changed because I am everywhere, on networks, servers and applications, and security teams are increasingly more skilled and suitable for my technology. Segmentation has adapted to operational reality and includes security. Likewise, new security devices have emerged to integrate me. For example, today in a virtual machine, we can control and even record everything that the user does. In a nutshell, if I can be criticized for not being interested in security for a few years, now it is good that security is interested in me. As far as I know it can be a little dramatic, it can be treated, but at any rate, it is not punishable!
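The two risks raised in the exchange above, a hypervisor that is treated as covered because the physical server is, and an administration VM sharing a host with a security VM, are the kind of thing an inventory review can catch mechanically. The following is an added example written for this edit, not code from the article or from any product it cites; every host name, VM name and the per-host control record are constructed for the illustration.

```python
# Added example (not from the article): review a VM inventory for two
# placement problems discussed in the text:
#   1. hosts where an "admin" VM and a "security" VM are colocated
#      (the "Jack the Ripper and Mme Claude in the same cell" case);
#   2. hypervisor hosts that carry no security controls of their own,
#      i.e. are assumed protected only because the physical server is.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str   # VM name (constructed)
    host: str   # physical hypervisor host it runs on (constructed)
    role: str   # functional role: "admin", "security", "app", ...


# Constructed inventory; none of these names refer to real systems.
INVENTORY = [
    VM("mgmt-console", "hv-01", "admin"),
    VM("siem-collector", "hv-01", "security"),
    VM("web-frontend", "hv-02", "app"),
    VM("web-backend", "hv-02", "app"),
    VM("backup-admin", "hv-03", "admin"),
    VM("erp-legacy", "hv-03", "app"),
]

# Hypothetical per-host record: True when the hypervisor itself has its
# own controls (patching, isolated management network, audit logging),
# False when only the physical server underneath is considered protected.
HYPERVISOR_CONTROLS = {
    "hv-01": True,
    "hv-02": False,
    "hv-03": True,
}

# Role pairs that should not share a physical host.
CONFLICTING_ROLES = [("admin", "security")]


def colocation_findings(inventory):
    """Return sorted host names where conflicting roles are colocated."""
    roles_by_host = defaultdict(set)
    for vm in inventory:
        roles_by_host[vm.host].add(vm.role)
    return sorted(
        host
        for host, roles in roles_by_host.items()
        if any(a in roles and b in roles for a, b in CONFLICTING_ROLES)
    )


def unprotected_hypervisors(inventory, controls):
    """Return sorted hosts in use whose hypervisor layer has no own controls."""
    hosts_in_use = {vm.host for vm in inventory}
    return sorted(h for h in hosts_in_use if not controls.get(h, False))


def review(inventory, controls):
    """Combine both checks into one report dictionary."""
    return {
        "colocated_conflicts": colocation_findings(inventory),
        "unprotected_hypervisors": unprotected_hypervisors(inventory, controls),
    }


if __name__ == "__main__":
    for finding, hosts in review(INVENTORY, HYPERVISOR_CONTROLS).items():
        print(f"{finding}: {hosts or 'none'}")
```

Treating an absent entry in the controls record as "unprotected" is deliberate: a host nobody has documented is exactly the one that was forgotten because "the physical servers are already protected".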

– You are right but only if you have emptied the victim’s pockets! Let us rightfully turn to the purpose of this hearing. You are accused by a study published this summer by Xerfi. I can read in it that virtualization and the migration towards the cloud of which you are the main enabling technology are doing very well and thereby capture a part of the budgets to the particular detriment of security. Misuse of funds…

– I provide my response in terms of productivity and this productivity is measured in terms of the ability to do more with the same resources or else by reducing costs. Beyond any doubt virtualization servers represent a cost reduction but equally so does the virtualization of applications and workstations. In this market segment, Gartner raises 40-70 % of savings made regarding the management of computer workstations. That is measured in terms of the rationalization of infrastructure, the ability to manage more important assets without increasing the size of teams or even reducing the number of user support staff. This is without referring to the choice of equipment for thin clients that can represent a cost reduction.

– If you make savings, should security budgets not still exist?

– Theoretically yes, but in the end virtualization tackles a problem of productivity, of cutting costs. In tight economic times, these are the priority objectives for a company. They are handled in advance. Nobody can argue with the importance of security but regarding certain costs, we always ask the question so much that we have not tackled the problem. Security is often handled retrospectively. The best thing is to use virtualization products whilst understanding the active elements of security, traceability, and controlling the end-users.

– The way that you make it sound, you will end up telling me that you are providing a service to security!

– Well, you do not seem convinced. A KPMG study at the end of August, carried out among 223 hospital centers in the United States, raises certain security risks that nowadays are at the very heart of these institutions. It seems to me that certain risks could be reduced through a virtualization approach. Let me take just one example: some people believe that health applications can be dated and are no longer always suitable for a modern environment that has significantly evolved. Making these applications virtual is an easy way to place them within a controlled, supervised, monitored and secure environment!

Documents on file:

Addressing the Most Common Security Risks in Data Center Virtualization Projects – Gartner – January 2010 – http://www.gartner.com/DisplayDocument?ref=clientFriendlyUrl&id=1288115

Le marché de la cybersécurité en France et dans le monde – Xerfi – July 2015 – http://www.xerfi.com/presentationetude/Le-marche-de-la-cybersecurite-en-France-et-dans-le-monde_5SAE24

HEALTH CARE AND CYBER SECURITY: Increasing Threats Require Increased Capabilities – KPMG – August 2015 – http://advisory.kpmg.us/content/dam/kpmg-advisory/PDFs/ManagementConsulting/2015/KPMG-2015-Cyber-Healthcare-Survey.pdf