Virtualization

April 17, 2008

The Four Horsemen

The Network Is the Compu...oh, crap.  Never mind, it's broken. (Death)

Nearly made me snort coffee from my nose when I read this line. That is brilliant. It is a long post, but worth the time to read. It will take imagery like this for people to understand the fundamental changes offered by Virtualization ... or as I have heard many people refer to it, the Virtualization ‘feature’ ... and subsequently why approaches to security need to be re-considered. We may be marginalizing and commoditizing IT resources like processing, but we are breaking a lot of existing assumptions along the way. It is going to be harder to determine where your data is, who has access, and how it is being used. If you want an example set of why an Information Centric data security model is a good idea, this is it.

February 07, 2008

Virtualization & Power Consumption

Can energy consumption drive application improvements?


The first keynote session at the InfoWorld Virtualization Executive Forum was by David Reilly of Credit Suisse. Fascinating discussion with dozens of interesting points raised, but the topic I was most interested in was Mr. Reilly’s response to an audience question: “Do you monitor power consumption and at what level?” His response was that they do; at the box, cabinet and room level. He said he can even judge applications on how much power they use, and compare them head to head.

 

I think it is great that Green Technology and power savings are driving some IT decision making, and Virtualization helps with our ability to measure consumption. Not just provisioning memory and processor, but power as well. Various changes make this worth spending time to consider: Power has gotten significantly more expensive. Global Warming is no longer considered a kooky left wing hoax, but a real environmental issue. Heat in the data center continues to climb. There are signs that the nearly linear progression of Moore’s law may be coming to an end. All things told, we need to continue to look for efficiency and cost savings where we can, and I think it is great that companies like Credit Suisse are monitoring power usage, especially if they make some of their application purchase decisions based upon this metric!

 

I started my career in Operating System development. At that time memory and processing power were rare resources that we had to use efficiently. We had to make clever uses of things like ‘Overlay’ files to optimize the use of memory, and we spent considerable time reviewing the merits of sort algorithms, queuing theory, hash functions, caching, call backs and every other operation to improve resource usage. Today we see Applications and Operating Systems that are developed seemingly without regard for efficiency and offer shockingly poor performance even with wanton consumption of resources. Installing services into memory when they are not needed, applications grabbing huge chunks of memory that will never be used, OS’es that are not judged by how fast and efficiently they provide resources, but how many features have been packed into them. Sure, it’s worse in consumer software than commercial, but still, I could swear it’s like the vendors are looking for ways to waste processor cycles and memory.

 

If we can measure resource consumption at this level – memory, processor and power – and alter corporate buying decisions based upon this, we provide a real emphasis for software vendors to look at efficiency of resource usage. Virtualization not only allows for inspection and comparisons, it really demands attention to general resource consumption metrics. If an application not only has to meet certain feature requirements, but resource usage requirements as well, IT organizations have yet another metric to judge software quality and cost. And a way to push back on some of these horrid programming practices by a huge number of software & tool vendors. The direct and indirect benefits could be considerable savings.

 

Now if we had security metrics that were this straightforward.

Re: Virtualization & Power Consumption

Great idea. But the market isn't ready for this. Don't get me wrong - Green is good. But Green is also a theme and a very hip one at that. Just take a look at the money being poured into all manners of Green (and not so green but masked as green) investments. Reminiscent of 1999 / 1999.

Application vendors need to make better quality and efficient code. Vista and Office 2007 are classic examples. Was it really necessary to redo the whole Office UI so that it takes 5 minutes to find the 'align objects' function?? Where app vendors struggle is on understanding what the business problem is they are trying to solve. The 'every function but the kitchen sink' comes from trying to be all things to all people in the quest to expand market share. Most users will tell you that enterprise apps do, at best, 60% of what they need. The other 40% is in-house code, 3rd party software with overlap capabilities or good ole' human intervention.

Until app vendors get their solutions 'on the mark', code bloat and its associated power hogging will not abate. Besides, what would all those hardware and virtualization vendors sell?

 

February 05, 2008

The Future of Virtualization & Security

Hoff Rocks


Christopher Hoff gave an excellent presentation yesterday in San Francisco at the InfoWorld Virtualization ‘Executive Forum’. I am glad he badgered InfoWorld, and that they in turn gave him a presentation slot, because he provided one of the highlights of the show. Even if you are not interested in security, I would pick up the slide deck when it becomes available. This is the clearest vision of the future of Virtualization I have seen. Weaving together the different ways the large and mid sized vendors are positioning their products to gain market share, he makes a very compelling case as to what we can expect in the coming 2-5 years.

 

A couple of points I found most interesting were the uncertainty of the attack vectors and the appropriateness of today’s solution set. He has covered this on his blog to one degree or another, but the concepts coalesce nicely in the presentation, and I wanted to mention them here for those who are considering Virtualization in and around their databases. And I am paraphrasing …

 

Most of the attacks on Virtualized environments are hypothesis or lab work, with few to none being ‘in the wild’. This makes it hard for companies to digest why exactly they need to worry about security in and around hypervisors over and above what they have today. There is no tangible understanding why existing security tools are insufficient to meet the challenges as they have not fully examined security from this new perspective. Hoff’s presentation really hammers home how Virtualization in all likelihood does not lessen the number of threats, but provides many new ones to worry about.

 

The other point is the difficulty believing security vendors with their Virtualization security products because they are probably providing exactly what they provided before … just in the virtual environment. Whether this is a failure to account for the variations in the environment, or a marketing frenzy to get into a nascent market, changes will need to be made in order to be effective. Examples? If we Virtualize the network layer, do your IDS and NAC continue to function? How do we discover services, applications and machines to assess and patch in this environment? We can spawn identical Virtual copies of an application nearly at will, so how do we maintain trust in an SOA or distributed database environment? How do you detect a rogue clone? How do you keep your database from being v-Motioned to a non-trusted platform? Depending upon the platform we use, and what gets virtualized, the security tools we use today may or may not work.

Our assumptions on trust and security will need to be re-examined. How we deploy monitoring, auditing and assessment solutions will need to change as data collection, policy deployment, enforcement and remediation become more complex. A very interesting set of challenges in the future.

 

Anyway, the slide deck is worthwhile reading. And if it’s not too risqué, I hear InfoWorld may even post his “Interpretive Security Dance” video from the post forum cocktail party. Who knew ‘Safety Dance’ had so much hidden meaning?