In theory, 2009 should be the year that virtualization security (VirtSec) takes off: Server virtualization has been widely deployed. VirtSec products are ready. The VirtSec vendor list has doubled since 2008. There’s just one catch: Enterprises aren’t currently planning to deploy the technology. Only 10% of the organizations that participate in our virtualization research have deployed VirtSec and almost 70% have no plans to do so. Why not? As Strother Martin said in the Movie Cool Hand Luke, “What we have here is a failure to communicate.”
Vendors have been positioning their solutions by focusing on potential virtualization vulnerabilities. Yet that’s not what enterprises care most about. In fact, the overwhelming response to the vendor vulnerability message is “so what’s the big deal?” Instead, what’s top of mind for enterprise IT practitioners is compliance, yet most VirtSec vendors aren’t articulating the ways in which their products can help enterprises address compliance concerns. What’s not top of mind – and should be - is that virtualization makes the strong perimeter defense obsolete.
