The most accurate predictive letter in computing and telecommunications,
read by industry leaders worldwide.
SNS Subscriber Edition | Volume 10, Issue 33 | Week of September 24, 2007
***SNS***
Special Letter:
Keys to the Virtualization Market:
Security and the Battle Over the Next Data
By Greg Ness
Publisher’s Note: Just a couple of seats left for the Second Annual SNS West Coast Dinner, September 27th, at the Intercontinental Mark Hopkins San Francisco Hotel.
Grab ’em before someone else reads this --
<http://www.tapsns.com/sanfrancisco/2007/registration.php>
Looking forward to seeing you all there.
_______
Greg Ness has been a member of SNS throughout a career that includes several platinum brand companies (see his bio below), including VISA (that was not a pun), Juniper Networks, and his current home, Blue Lane Technologies. This experience has allowed him to develop an intuition for What Matters when it comes to security vulnerabilities, and, in my humble opinion, in this Letter he has unearthed what may be the greatest security issue of the coming decade. Since many people have yet to focus on the problem – much less the solution – it seemed that putting this piece in front of our members would be a valuable service. While it is, at our request, written at a high (and somewhat technical) level, I think you’ll agree on the importance we are assigning to it here. – mra.
» Keys to the Virtualization Market: Security and the Battle Over the Next Data
Wall Street has voted on the promise of virtualization, sending VMware shares skyward in an ascent into the Googlesphere. With Microsoft and Citrix hovering, certainly the pressure on VMware at this point is on execution.
As Microsoft works on its virtualization platform to launch next year, it is clear that a battle is shaping up over who will capture the data-center operating system market. The stakes are sizable. Billions of dollars in market cap are likely to shift between three high-profile companies: VMware (VMW), Citrix (CTXS), and Microsoft (MSFT).
Wall Street has already rewarded VMware with a market cap past $30 billion, according to recent Yahoo reports:
[Chart: VMware (VMW) vs. NASDAQ]
That places VMware among a very small, select group of technology companies. With Microsoft and Citrix hovering, the pressure on VMware, at this point, is on execution. It has the buzz. It has the momo. It has the VM ecosystem.
Within days of VMware’s hot IPO, Citrix purchased rival virtualization solution provider XenSource for $500 million. XenSource expects 2007 revenue of about $1 million.
These two events suggest that Wall Street sees exceptional growth and profits in the race to become the new data-center operating system.
This kind of “gorillas in the early market mist” scenario harks back to the early days of the PC operating system wars and Apple’s losing battle for retail software shelf space. Brilliant design, ease of use, graphics, and marketing were simply not enough in those days to keep up with escalating Windows software choices. When it comes to operating systems, the one with the most toys usually wins. A big part of the promise of virtualization with VMware is the variety of appliances already available. That may explain at least some of Wall Street’s enthusiasm for VMW.
VMware Is in the Lead
In the battle to become the data-center operating system, VMware has the ecosystem, the customer base, the experience, and the product; and for now, it has the lead. That is a formidable combination. It is probably the most promising growth company in all of IT, well-positioned as information technology’s Next Big Thing. VMware has the rare potential to rewrite the rules for how software and hardware are deployed, managed, and secured in the enterprise data center.
It is a game-changer.
Of course, Novell and Microsoft have also battled in the mist; and Novell initially had the technology, user base, and eco-system, only to get distracted and then neutralized by a very powerful foe. So while it isn’t yet over, VMW has certainly caught the Street’s attention and has done an excellent job of waking up organizations and bankers to the promise of virtualization.
Yet there is a dark-horse element in all of this that promises to keep things interesting: virtualization security. And by that I don’t mean hypervisor-specific security, although some pundits are still impatiently waiting for hypervisor attack outbreaks. In the short term, virtualization will have a much bigger impact on the presence and accessibility of existing, known software vulnerabilities, and on the ability of deployed security solutions and current processes to protect critical applications and databases. It’s fairly early for hypervisor attacks, and the virtualization players are taking steps to harden their relatively lean and modern code.
New Risks, New Rewards, New Realities
As virtualization moves from the safe inner sanctum of test and development to production environments, security risks shift significantly. All that change and flexibility in devtest had minimal consequences for security, because the moving and state-shifting VMs were well-isolated from the public-facing network. Production environments represent sizable growth opportunities for virtualization players, sizable new rewards for organizations (including substantial power savings, IT responsiveness, and even real-estate cost reductions), yet they also pose sizable new realities for the world of network security.
In production environments, effortless movement and changes of VM states (snapshot, revert, online, offline, VMotion, etc.) generate extreme operational challenges for critical activities such as vulnerability scanning, patching, and the operation of static security solutions. Vulnerability scans – a critical tool for tracking software vulnerabilities – can become obsolete in seconds.
Network security solutions, which often require manual tuning for every new exploit and vulnerability (and changing IP address), will be incapable of keeping up with the movement and state shifts now made possible by virtualization. Security pros already bedazzled by polymorphic attacks (which mutate and can evade detection signatures) will now have to cope with exponential levels of change and complexity.
Bottom line: The unprecedented flexibility enabled by virtualization places dynamic demands on the most widely deployed static security solutions, even in small virtualized production infrastructures. As virtualization changes the game for how hardware and processing power are deployed, so it also changes the security game into an IT battle between the quick and the dead.
This new level of flexibility and change also means multiple VMs running multiple applications and operating systems on a single piece of hardware. You now have a complex community of VMs changing states, moving and interacting with one another, all on the same server. With VMotion they can even move across servers and join new VM cluster communities. When you take a close look at the nature of virtualization and production security, you quickly realize that complexity (at least from a security perspective) has just gone exponential and dynamic in a way that many have never anticipated.
VMware has anticipated the security impacts of the shift, and has carefully recruited eco-system players who can address these more dynamic environments. While most virtualization pros do not understand the principles of network security, and most network security pros are just beginning to grasp the significance of virtualization, VMware has taken several strategic steps in security and perhaps further distanced itself from its competitors.
Why Security Is Especially Important Now
When it comes to aggressive growth into the data center, all the tricks, flips, and tools that make software more nimble and powerful (the eco-system mentioned above that gives VMware a competitive advantage) will not matter unless the infrastructure can be effectively secured from attack. Yet – as I’ve suggested – many of the leading static network security vendors have been caught flat-footed by virtualization and are either unprepared, unmotivated, or both.
Some vendors are trying to port ASIC-driven IPS solutions onto commodity processors. (ASICs are custom processors that boost the power of hardware for specialized tasks, such as pattern-matching network traffic against signatures of known, suspicious hacker traffic.) As a result, their software-only solutions will likely tie up sizable chunks of server/blade processing power and introduce unacceptable levels of latency.
That game promises to get even more complicated and resource-consuming as hackers continue to shift toward mutating attacks that consume ever more security processing, and as data centers move to fabrics of blade servers, crushing the value proposition of many dedicated ASIC-based network appliances.
The question for the data-center operators then becomes: just how many of them will be returning to the ASIC security world with bigger boxes, bigger-signature libraries, and the promise of constant tuning and traffic challenges and complexities, while the rest of their infrastructure (and competitors’ infrastructures) becomes more powerful, more flexible and more efficient?
Similarly, how many ASIC-based security players (and their hardware-centric channel partners) are likewise taking a hard look at the pure software model of virtualization (and much lower margins) and seriously contemplating “serving up their children and their channel allies” to deliver a core technology that in its current state is likely unfit for commoditized processing? That’s an Innovator’s Dilemma that might make even Clay Christensen cringe.
That’s why recent articles in InformationWeek and Network Computing online are either particularly interesting or particularly disturbing, depending on the logo on the sign at your headquarters. The IT press is abuzz with excellent pieces that are digging up the security challenges and opportunities inherent in virtualization and shocking the traditional old guard.
Federal Computer Week weighed in last week, joining a drumbeat across IT publications that kicked off this spring when Gartner and Nemertes published papers warning about the risks and exposures of virtualization in production environments. Andi Mann at EMA has also been talking about the challenges in InfoWorld and other publications.
Security expert and tech visionary Chris Hoff has been blogging about the topic as well, with some of the best insight available anywhere. His in-the-trenches perspectives on internal company dynamics and vendor posturing are a refreshing contrast to some of the vendor puffery and head fakes. His blog is probably one of the best on the topic, and worth reading.
VMware Is Taking Steps in the Right Direction
The good news is that VMware gets it. It bought Determina several weeks ago, and acquired technology rights that can help it further harden its hypervisor. So in one fell swoop, it has enhanced its already robust security eco-system and hardened its hypervisor, creating a yet wider gap between itself and its rivals.
The core issue for the proliferation of virtualization into production environments is still the double-edged sword of change and its impact on the status quo security solutions that were never architected to defend such fluid environments. Automation of patching helps close otherwise wide-open vulnerability windows, but with virtualization, those windows can open by accident or by intent in seconds.
We’re back to the signature tuning challenge: Do you press the patch button every hour, every 10 minutes, every 30 seconds? Do you set vulnerability scanners on auto-pilot and produce minute-by-minute reports, 24/7? Do you dedicate IT resources to constant tuning? Not unless you’re planning to set up your team as an outsourcing case study.
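The two mechanisms the letter describes, under “New Risks, New Rewards, New Realities” (scan results going obsolete as VMs change state and move) and just above (a snapshot revert reopening a vulnerability window that patching had closed), as a small added Python model. This is illustration added here, not code from the letter or from VMware, Citrix or Microsoft; every VM name, host, patch level, event and issue identifier in it is constructed.

```python
"""Constructed model of VM state changes versus static security state.

Added illustration (not code from the letter or from any vendor named in
it): a tiny VM inventory, an event log of virtualization actions
(snapshot, patch, revert, VMotion-style host move) and a few scan
results. Two effects of the letter's argument fall out of it:
  * a vulnerability scan result is stale the moment its VM changes state
  * reverting to a snapshot silently reopens a vulnerability that had
    been patched after the snapshot was taken
All VM names, hosts, patch levels and issue identifiers are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass
class VM:
    name: str
    host: str
    patch_level: int
    last_change: int = 0              # time of the most recent state change
    snapshot: Optional["VM"] = None   # frozen copy captured by a 'snapshot' event


@dataclass
class Scan:
    vm: str
    time: int              # when the scanner looked at the VM
    patch_level_seen: int  # patch level the scanner observed


# Constructed: minimum patch level that closes each hypothetical issue.
KNOWN_ISSUES = {"ISSUE-A": 3, "ISSUE-B": 5}

# Constructed event log: (time, vm, event, argument).
EVENTS: List[Tuple[int, str, str, object]] = [
    (1, "web01", "snapshot", None),
    (2, "web01", "patch", 5),          # closes ISSUE-A and ISSUE-B on web01
    (3, "db01", "patch", 4),           # closes ISSUE-A only on db01
    (6, "web01", "revert", None),      # back to the level 2 snapshot
    (7, "db01", "vmotion", "esx-02"),  # host move: scanner's view is out of date
]

# Constructed scan results, taken between the events above.
SCANS = [
    Scan("web01", 4, 5),  # saw web01 fully patched; later invalidated by the revert
    Scan("db01", 5, 4),   # saw db01 at level 4; later invalidated by the vmotion
    Scan("db01", 8, 4),   # taken after the last event, still current
]


def build_inventory() -> Dict[str, VM]:
    """Initial state: both VMs at patch level 2 on host esx-01."""
    return {"web01": VM("web01", "esx-01", 2), "db01": VM("db01", "esx-01", 2)}


def apply_events(inv: Dict[str, VM], events) -> Dict[str, VM]:
    """Replay the virtualization events against the inventory."""
    for t, name, kind, arg in events:
        vm = inv[name]
        if kind == "snapshot":
            vm.snapshot = replace(vm, snapshot=None)   # freeze the current state
        elif kind == "patch":
            vm.patch_level = arg
        elif kind == "revert":
            if vm.snapshot is None:
                raise ValueError(f"{name}: revert without snapshot")
            vm.patch_level = vm.snapshot.patch_level  # patches since the snapshot vanish
        elif kind == "vmotion":
            vm.host = arg
        else:
            raise ValueError(f"unknown event {kind!r}")
        vm.last_change = t   # any of these invalidates earlier scan results
    return inv


def stale_scans(scans: List[Scan], inv: Dict[str, VM]) -> List[Scan]:
    """Scan results predating their VM's last state change can no longer be trusted."""
    return [s for s in scans if s.time < inv[s.vm].last_change]


def open_issues(inv: Dict[str, VM]) -> Dict[str, List[str]]:
    """Issues currently open per VM, judged on the live patch level, not on old scans."""
    return {
        name: sorted(i for i, lvl in KNOWN_ISSUES.items() if vm.patch_level < lvl)
        for name, vm in inv.items()
    }


def run_example():
    inv = apply_events(build_inventory(), EVENTS)
    return inv, stale_scans(SCANS, inv), open_issues(inv)


if __name__ == "__main__":
    inv, stale, issues = run_example()
    for s in stale:
        print(f"stale: {s.vm} scanned at t={s.time}, VM changed at t={inv[s.vm].last_change}")
    for name, found in issues.items():
        print(f"{name} on {inv[name].host}: open issues {found or 'none'}")
```

Run as-is, the model reports both early scans as stale and shows web01 back at patch level 2 with both issues open, even though the scanner last saw it fully patched. The design point is that the scan record carries no notion of VM state, so the only sound check is to compare scan time against the VM’s last state change and to judge exposure on the live patch level rather than on the last report.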
That’s why I blogged earlier at Always On that virtualization is security’s wake-up call. Beyond setting the stage for the new data center of blade servers and commoditized processors, it is forcing failing security solutions already out-of-breath keeping up with mutating attacks into new hardware limitations: a kind of ongoing, excruciating climate change that will force them to adapt or join the ranks of technologies that simply couldn’t keep up.
Virtualization vendors are not in the clear either. If virtualization platforms do not tackle the security issues head-on with intelligent, flexible solutions that can operate on hypervisors with minimal footprints and latency, they will not win over the data center. Security is too important to production environments, and the most widely deployed solutions are incapable of proper protection there.
The challenge for VMware, however, is less about security and more about education. It has a security ecosystem.
With proper security education, the widespread adoption of virtualization could play into VMware’s hands and give its formidable competitors additional and substantial barriers to entry. Without education, security chats and excruciating politics among teams on a deployment-by-deployment basis across the marketplace could slow things down enough for competitor inroads.
One of the key challenges for virtualization of the data center is its impact on IT teams not accustomed to working together or sharing responsibilities. If VMware can accelerate the team process and educate both security and ops teams, it promises to do something that both Apple and Novell couldn’t: deliver a crushing blow to a rival with a history of entering lucrative markets and then owning them.
The good news is that virtualization promises enhanced security over complex, ASIC-driven physical infrastructures now passing traffic through complicated weaves of appliances stretched between servers and clients.
The bad news is that if the security and ops pros deploying virtualization do not grasp the nature of the impacts of virtualization on their deployed security systems, they will face unprecedented levels of vulnerability to attacks already known and in use by most of the hacker community.
These aren’t hypervisor attacks, but attacks against known vulnerabilities in software running on hypervisors. VM vulnerabilities already exist. Unpatched VMs mean unprotected VMs.
Security (and not the management appliance ecosystem) promises to be a critical differentiator in the virtualization of production environments, unlike the devtest environments where virtualization flourished. Again, VMware is in the lead with the best security eco-system across the virtualization platform players. Yet we’ve seen similar leads evaporate quickly with a single misstep. And Microsoft and Citrix both recognize the significance of virtualization and the opportunity for substantial growth.
From this viewpoint, it is likely that security will be one of the key drivers of any virtualization-related shift in market cap among these three highly successful companies, as well as a key driver in the success of virtualization initiatives. The sooner organizations understand the importance of virtualization security, the better for all of us… especially VMware.
[Disclaimer: This letter represents the personal views of the author, and in no way, real or implied, reflects the opinions of former or existing employers.]
About Greg Ness
Greg Ness is vice president of Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld “Technology of the Year” for security, “Best of Interop 2007” in security, and the AO “100 Top Private Company” award for 2006 and 2007. Blue Lane is also a 2007 “Best of VMworld” finalist in data protection.
Greg has been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks, and ShoreTel. He has also been an Always On blogger/columnist since 2003 on topics related to application delivery and network security. He has a BA from Reed College and an MA from The University of Texas at Austin.
Your comments are always welcome.
Sincerely,
Mark R. Anderson
CEO
Strategic News Service LLC
P.O. Box 1969
Friday Harbor, WA 98250 USA
Tel. 360-378-3431
Fax. 360-378-7041
Email: sns@tapsns.com
» How to Subscribe
(All rates $USD)
If you are not a subscriber, the prior Strategic News Service item has been sent to you for a one-month trial. If you would like a one-year subscription to SNS, the current rate is $595, which includes approximately 48 issues per year, plus special industry alerts and related materials; two years are $995. Premium Subscriptions, which include passworded access to additional materials on the SNS website, are $895 per year. Subscriptions can be purchased, upgraded, or renewed at our secure website, at: www.stratnews.com. Conversion of your trial to full subscription will lead to 13 months of SNS, no matter when you convert.
VOLUME CORPORATE SUBSCRIPTION RATES: Below half price, upon registration with SNS for a minimum of 10 subscriptions at $2950. SMALL COMPANY (10 employees or fewer) SITE LICENSE: $1495. TEACHERS’ GROUP RATE (five teachers): $295.
STUDENT and INDEPENDENT JOURNALIST RATE: $295 per year.
This service is intended for strategic thinkers who depend upon business technology planning. The SNS charter is to provide information about critical computer and telecommunications issues, trends and events not available to managers through the press. Re-purposing of this material is encouraged, with proper attribution.
Email sent to SNS may be reprinted, unless you indicate that it is not to be.
» May I Share This Newsletter?
If you are aware of others who would like to receive this service, please forward this message to them, with a cc: to Mark Anderson at sns@stratnews.com; they will automatically receive a free one-month pilot subscription.
ANY OTHER UNAUTHORIZED REDISTRIBUTION IS A VIOLATION OF COPYRIGHT LAW.
» About the Strategic News Service
SNS is the most accurate predictive letter covering the computer and telecom industries. It is personally read by the top managers at companies such as Intel, Microsoft, Dell, HP, Cisco, Sun, Google, Yahoo!, Ericsson, Telstra, and China Mobile, as well as by leading financial analysts at the world’s top investment banks and venture capital funds, including Goldman Sachs, Merrill Lynch, Kleiner Perkins, Venrock, Warburg Pincus, and 3i. It is regularly quoted in top industry publications such as BusinessWeek, WIRED, Barron’s, Fortune, PC Magazine, ZDNet, Business 2.0, the Financial Times, the New York Times, the Wall St. Journal, and elsewhere.
» About the Publisher
Mark Anderson is CEO of the Strategic News Service™. He is the founder of two software companies and of the Washington Software Alliance Investors’ Forum, Washington’s premier software investment conference; and has participated in the launch of many software startups. He regularly appears on the CNN World News, CNBC and CNBC Europe, Reuters TV, the BBC, Wall Street Review/KSDO, and National Public Radio programs. He is a member of the Merrill Lynch Technology Advisory Board, and is an advisor and/or investor in Ignition Partners, Mohr Davidow Ventures, Voyager Capital, and others.
Mark serves as chair of the Future in Review Conferences, SNS Project Inkwell, The Foresight Foundation, and Orca Relief Citizens’ Alliance.
Disclosure: Mark Anderson is a portfolio manager of a hedge fund. His fund often buys and sells securities that are the subject of his columns, both before and after the columns are published, and the position that his fund takes may change at any time. Under no circumstances does the information in this newsletter represent a recommendation to buy or sell stocks.
» SNS Website Links
For additional predictions and information, please visit:
The SNS website: www.stratnews.com
SNS Blog: www.tapsns.com/blog
SNS Media Page: www.tapsns.com/media.php
SNS Future in Review (FiRe) Conference website: www.futureinreview.com
SNS Members’ Gallery: www.tapsns.com/gallery.php
SNS Project Inkwell: www.projectinkwell.com
Orca Relief Citizens’ Alliance (www.orcarelief.org), a 501(c)(3) non-profit effort to study and reduce Orca mortality rates, supported largely by technology workers. Contributions may be sent to: ORCA, Box 1969, Friday Harbor, Washington 98250.
» Where’s Mark?
On September 27th, Mark will host the second annual SNS West Coast Dinner at the Intercontinental Mark Hopkins San Francisco. To register, go to http://www.tapsns.com/sanfrancisco/2007/ . On September 28th, he’ll be meeting with HP CEO Mark Hurd. On October 4th, he will be hosting David Skinner and his new film “Outsourced” for an Orca Relief (www.orcarelief.org) benefit in Friday Harbor, Washington. Call 360-378-1023 for tickets, and a chance to meet the Producer. On December 12th, he will be hosting the fourth annual SNS New York Dinner, at the Waldorf=Astoria Hotel.
In between times, he’ll be driving down the Washington, Oregon, and Northern California coasts, hopefully with the top down, on his way to a fantastic, all-night discussion on technology opportunities. Under the full moon.
Copyright © 2007, Strategic News Service LLC.
“Strategic News Service,” “SNS,” “Future in Review,” “FiRe,” “SNS Ahead of the Curve,” and “SNS Project Inkwell” are all registered service marks of Strategic News Service LLC.
ISSN 1093-8494