William Jackson | System security: Who's responsible?
- By William Jackson
- Jun 05, 2008
As information technology systems become increasingly sophisticated and interactive, they create unexpected ecosystems that are more complex than the sum of their parts. Applications ride on operating systems that are networked with servers, and so on until all operate in an environment no one has designed.
The result is a useful new cyberworld, but one with inadequate security because there is no one to take responsibility for it. It is easy to say that security is everyone's job, but in the end that usually means it's no one's job. We have chief security officers, but they operate in their own spheres with clearly defined limits. Software vendors are not security companies, and security vendors will protect an application or operating system but not fix it.
The problem was illustrated in a recent firefight (blogs at 20 paces) between Simon Crosby, chief technology officer at Citrix Systems, and Christofer Hoff, a chief security architect at Unisys, over responsibility for security in a virtualized environment.
Citrix is a commercial vendor of the open-source Xen hypervisor, which allows multiple operating systems to run separately as guests on a host server. Xen itself is secure, which is all you can ask of it, Crosby said.
'I think my job is to be maniacally focused on my little piece of the pie,' he said. 'It is not my job to clean up the legacy of horrible old software I have to run as a guest.' That job is the forte of third-party security vendors who can use interfaces in the hypervisor to apply their expertise in a virtual environment.
Hoff clearly is frustrated by such compartmentalized thinking, which he said ignores the realities of deploying systems.
'Virtualization is more than just the hypervisor,' he wrote in his Rational Survivability blog. 'As a major layer in the infrastructure, there's more required than to just secure the hypervisor and leave the remaining mess to someone else to solve. I'm not suggesting that virtualization platform providers should secure the actual guest operating systems, but they should enable an easier and more effective way of doing so when virtualized.'
He went on to say that 'the virtualization platform providers should ensure the security of those guests hosted by the virtualization platform.'
So, should we each focus on our own piece of the pie, or is it necessary to take a broader view that is admittedly more complex and difficult to implement? Ultimately, responsibility for security rests with the owner of the application, operating system or network system. How the owner chooses to fulfill that responsibility will determine where security lies. If the onus is placed on the original vendor, as government contracts are beginning to require, it will become the vendor's job. If it is contracted out to integrators and third-party providers, the specialists will do it.
But Crosby is right when he says that, like it or not, we will remain dependent on third-party security vendors to ensure our safety as long as imperfect elements are being plugged together. That will be the case for the foreseeable future, at least.