IT@Intel Blog

7 Posts tagged with the virtualization tag

Wouldn't it be great if we could buy an application and not have to worry about whether it was designed to run on Windows XP, Windows Vista, Mac OS X or some flavor of Linux?

How about when you buy a personal computer you don't have to make a decision on whether it should come with Windows XP, Windows Vista, Mac OS X (don't you wish that was a choice today) or some flavor of Linux - or nothing, and you figure it out later?

What if every computer you bought came with a small, highly efficient operating system that basically acted like a virtual machine hypervisor, managing the allocation of resources to virtual machines (or applications)? And what if it were built into the "platform" supplied by the chip vendor, with OEMs only aggregating components and adding value where it counts: tools to better manage the virtual environments, running as a peer process rather than as a "host" operating system.

This is the world that I would like to see evolve over the next couple of years (okay maybe 5).

Applications are compiled with the operating system extensions (purchased from today's or tomorrow's operating system vendors) and sold as one package that runs on top of the thin/efficient operating system mentioned above. This way we as the consumers can worry about selecting applications and functionality and get out of the business of worrying about which operating system to buy - or worrying about which operating system the application will run on. We just buy the application!!! What a concept!!!

A nice extension to this would be to allow the ability to still have a more traditional "container" of applications for secure, managed interaction between applications and for providing a policy managed environment. But the applications should still be the same apps I buy to run independently - So how about an install option - standalone or in a "container" or ???

Now that would be cool.

3 Comments

For decades there has been a simple model in place when it came to consuming software within large companies. It had only two branches: one involved creating something new, the other installation and configuration. Simply stated: "Make versus Buy."

Make decisions involved the custom development of an application to fill the requirements of the consumers. This means that the software development tools, development resources, as well as migration, testing and hosting capabilities, all had to be maintained internally.

Buy decisions analyze the functionality versus consumer requirements as well as the costs of purchasing, licensing, supporting and the installation, migration, testing and hosting capabilities necessary. Additionally, the company providing the product is considered. They are usually a company who specializes in a product or product grouping and can deliver it at a lower cost than what it would take to build it internally. Oftentimes they can also provide the upgrades and support at a cheaper cost, assuming the product meets all your needs out of the box.

As the application portfolios of companies became larger, analysis began to include another branch. Instead of building something new or buying a product to install, you would expand upon the capabilities of an existing tool through merging and/or simply enhancement. This means our simple model is now: "Make versus Buy versus Enhance."

Enhance (or merge) decisions brought together the consumers of the current application and those wishing to have additional functionality. The amount of regression testing would increase, and the overall architecture of the application had to be considered to prevent the creation of a Frankenstein application, one not adhering to your internal guidelines.

Much of what I read today seems to be leaning towards a trend in large companies to consume software produced and hosted by someone else. You would think this is the "Buy" branch discussed above, however, the method for both consumption and installation is different. This increases our decision tree to now include "Make versus Buy versus Enhance versus Rent."

Rent is a paradigm shift from the conventional close-to-the-chest business practices most companies have used in order to keep competition at bay. Now imagine a time when all you do is start your computer and load a web browser. Inside the browser you have access to all document creation and management, business tools, messaging and any other functionality you need to perform your job. The difference here is that none of these applications are inside your company and you only pay as you use.

So where does this leave us as software developers? Are our days numbered?

I think not -- yet. The movement to a rent-based consumption model takes time. Time for the company to get over its fears of releasing some control to someone else. What most people do not realize is that we already do this daily. Think about the electricity that runs your factories and offices and ask yourself where that comes from. Do you create it yourself, or do you consume it as a utility in a renting fashion?

For a while software developers will be performing the following:

  1. Building what does not exist
  2. Enhancing
  3. Merging
  4. Configuring

We eventually will be doing less and less coding and more and more configuring. As the industry providing us software (and the infrastructure) matures and the reliability increases, you will see a switch.

It will take time. Time to settle concerns, time to change opinions and time to move over data and consumers.

I imagine that this switch will allow those companies to focus more on their key products and less on the outlying functionality necessary to run the business.

What are your thoughts?

1 Comment

With the old year grinding to a close and opportunities of a new year opening before us, it is a good time to take a moment and make some new year's information security resolutions. Some are good holdovers from last year and a few are new to the list. I think all are good practices to promote security and hopefully will keep a smile on my face throughout the year (no matter what cyber meltdown may occur).

  1. Vigilance. Maintaining effective legacy security programs is critical. Loss of such capabilities opens the door to old, known, and well-refined attacks.
  2. Embrace/beware of disruptive technology. Double-edged, bleeding-edge technology can be a blessing and a curse. It can reduce costs, increase efficiency, open markets, and change your way of thinking, but it is also like walking into a darkened room in a horror movie. You never know what may jump out at you, and in hindsight you may think "well, that was painful". On the hot-list:
    • Virtualization technology in all its glory
    • Smart-phones and other PC OS/application based portable devices
    • Social media sites, tools, and accompanying behaviors
  3. Careful with my PII. Our Personally Identifiable Information (PII) is more important than anyone can measure. I will handle mine with care, ensure others do the same, and simply say 'no' more often than not when asked.
  4. Don't be a fish. Just say no to phishing and spam. Filters are wonderful, but a few will creep through. If it looks suspicious, it probably is. Don't be shy, even with the weird stuff sent by people you trust. Just pick up the phone and call them: "Hey Ralph, did you send me this executable attachment via email?" It is not that tough.
  5. Make an effort at disaster preparedness. Regular backups and encryption are my friends. Nothing huge, mind you, but at least apply them where it makes sense.
  6. Choose not to be a victim and let common sense prevail. Two types of victims exist: those with something of value, and those who are easy targets. Therefore, don't be an easy target, and protect your valuables.
  7. Talk and share security. We are stronger as a team striving for security than alone. The bad guys are working together; it is about time we do the same. Talk about security and share what works or doesn't. Don't be shy.

Not rocket science, but most of the great ideas rarely are. Feel free to chime in and be heard. What are your security resolutions for 2008?

1 Comment

After over 10 years of engineering enterprise application hosting systems, my current assignment is as Product Manager of Platform Reference Designs (PRDs). PRDs define the technology, capability, and service standards blueprint for hosting platforms. Essentially, PRDs are the standard technology blueprints used to build hosting service(s). While the statement may appear to be a simple endeavor, the reality of successfully defining and managing hosting standards that support a large developer community is a daunting proposition. (I use the term developer community to mean a diverse set of developers who use a diverse set of tools and technologies to meet business objectives.) As with many areas where standards add value, balance must be maintained between the value of standardization and the value of flexibility that embraces innovation. I intend this blog to provide a vehicle to debate hosting standardization and solicit opinions to achieve the necessary balance.

Yesterday, standards could be managed effectively through component-level technology roadmaps; however, as the availability and cost of new tools and technologies (components) have improved, server computing environments are no longer sufficiently homogeneous to achieve the efficiencies business demands. Hence, we have technologies such as virtualization that allow great flexibility while still achieving economies of consolidation. Virtualization, however, does not necessarily improve the operational management costs of supporting disparate systems. It is still clear that a healthy level of standardization is required if operational costs are to remain in check. Standards must begin to be managed at the "packaged" PRD platform level rather than the component technology level to improve the operational efficiency of hosting services. Is this possible/realistic? Does standardization to achieve efficiency, at some point, sacrifice too much flexibility, resulting in a loss in competitive advantage? My belief is that PRD platform-level standardization is not only realistic, but necessary to ensure a supportable environment, and that standards governance is key in ensuring flexibility and standardization remain balanced so that competitive advantage is realized.

3 Comments

As the industry moves towards the next big leap, virtualization, I can't help wondering: will this be a security professional's dream or nightmare?

Disruptive technology:
I generalize virtualization as the necessary separation and compartmentalization of resources so things can be moved, consolidated, and managed better, across a wide swath of hardware platforms, users, and networks. It is a "disruptive technology" (not a bad term) which represents a fundamental change in how computer systems will operate, communicate, and be designed. It is a leap forward and represents greater agility, more functionality, and lower costs. The interesting security question is, what are we leaping into?

In the virtualization world you can name your poison....er, pleasure: Server, Client, Hardware, Operating System, Software, even data portability virtualization exists or is in development. I am not going to differentiate or explain the differences. Instead I am taking the strategic point of view. All these areas will be developed and instituted in some fashion. The details are far from being worked out. From a security perspective, it is the big picture that is important at the moment.

History has shown that the attackers have the advantage of 'initiative' in technology over the defenders. Basically, the attackers innovate and security then responds. But will this hold true for virtualization?

The Security Dream:
Virtualization holds the promise of security paradise by making systems more robust, hardened, simpler, and enabling new capabilities to make security more effective and cost efficient.

  • Virtualization allows a much greater consolidation of hardware resources. Multiple OSes, applications, and databases on a platform equate to fewer platforms to protect. Consolidation and portability for efficiency's sake may result in less network traffic to monitor, scan, and secure
  • Virtualization allows for effective security sandboxes to be employed for un-trusted or questionable applications and processes
  • Segregation of resources for applications, processes, OS's, and users means a compromise in one will be easier to contain due to compartmentalization. This makes it tougher for an attacker to break a weak link and begin to elevate their control over a system
  • Application restoration is a snap and full systems restoration becomes easier when a client does bite-the-dust
  • Systems and applications can be designed to operate with multiple environments of trust: very secure, secure, marginally secure, and not-so-trusting secure, all on one box (or the informal version: I trust you with my sister secure, I trust you with my wallet secure, I trust you as far as I can throw you secure, and I trust you will steal from me the first chance you get secure)
  • Virtualization will drive standardization of application design and data types making them easier to secure
  • Failover systems become less painful to design and implement at many different levels
  • System upgrades become seamless as jobs can be moved temporarily to other systems and then returned without disruption
  • Virtualization and other supporting technologies will drive advances in real-time security state monitoring, potentially across the enterprise and deeply into applications, OS's, data, and users
  • My personal favorite is that eventually we will have the ability to monitor for suspicious activities from a trusted person, versus just looking at applications or data. Think insider threats. This will be the first significant advance in a long time for this problem

The Security Nightmare:
Virtualization may be the very bane of security for decades to come by circumventing every type of security technology and enabling new capabilities for attackers to do real damage, thus forcing an entire redesign of and reinvestment in security.

  • At the highest level, virtualization offers pure stealth to an attacker. Currently, malware must hide, lie dormant, or be very quiet in order not to be detected. This limits what the bad guys can do. They must trade capabilities and impact for stealth. Not so with virtualization. Malware could have the best of both worlds
  • Total Control - it's mine, you can't find me, and if you do, you can't make me leave! I can see everything, I can control everything, and I can do anything! Mine, mine, mine! Control can extend well beyond a single system and permeate across the virtual domains, with the persistence requiring an entire group of machines be burned down and rebuilt with great care
  • Now for the sledgehammer effect. Virtualization technology will undermine every current type of security control (the short list):
    • Anti-Virus, HIPS/HIDS, and Host Firewalls - Cannot detect or monitor an attacker's activities in a higher plane of control, making them ineffective while still giving the illusion of security
    • Patching - An attacker controlling virtual instances, or more importantly creating false ones, can have patches installed on the fake instances, leaving the real one vulnerable and under the intruder's control
    • Security scanning, used to check the system's state-of-security, can be fooled, reporting back that all is fine when it is not
    • Encryption - At the right level, an attacker will be able to see before encryption, after decryption, and have your keys to decrypt at their whim
    • Security monitoring devices and agents can also be deceived, by showing them what they expect to see and nothing else
    • User Privacy will be compromised at many different levels and open the risks of aggregation across multiple data sources
    • Adware/Spam filters can be subverted
    • Secure channels can be monitored by attackers and setup between compromised systems
    • Security forensics may become a nightmare for many years due to the complexities inherent to virtualization and the fact that a high level compromise invalidates the integrity of logs
    • Even NIDS/NIPS & Network Firewalls become less effective. Hardware consolidation translates to less traffic on the backbone network and more in-between systems on a platform and within a local subnet. This gives less information to these network monitoring devices and lowers the chances they will detect malicious activity
  • The very same 'sandbox' which can be used to isolate risky activities can be employed against security applications and processes, limiting their ability to control and protect the system
  • Virtualization adds more complexity and therefore risks more confusion when it comes to system management, especially for patching and system scanning. Keeping track of who owns what is bad enough today. But at least if you track down a server owner, you can normally get a quick decision on when to patch and reboot. In the future, the server owner may not know who owns the virtual instances running on their machine. So how does one coordinate downtime, patching, or other change control issues? These delays may extend the window of vulnerability, giving attackers more options and targets
  • Fewer systems but more diversity and ambiguity gives places to hide and more opportunity to find a vulnerability
  • Virtualization portability will drive the standardization of application design and data types, making them predictable and easier to locate and compromise
  • Very complex designs which continually change are extremely difficult to restore and recover. Additionally, cascading failures can occur bringing down multiple systems whereas in a stovepipe environment they would be more insulated

Take the High Ground - Sun Tzu, "The Art of War"
The ultimate sweet spot for any computer attacker is to gain the deepest level of control, which in turn can control all other virtual instances. This is the proverbial high ground which can see and control everything, yet not be seen if it does not want to. Attackers are already making great advances and have shown the initial ability to take the high ground. Defenders are quick on their heels, finding ways of detecting and defending this vital area.

Who can make the final determination in this battle? Intel and other hardware designers, of course! You can't get any deeper than the hardware. Embedded security controls will be the key to victory. But here is the twist. You may have assumed I meant the victory to the glorious and honorable path of security. You are wrong. It is just the key to victory, period. Security and administrative controls are just functions with great power. Whoever controls those functions will be the victor.

Sometimes, the computer industry itself is its own worst enemy. Infighting on standards, rushing products to market, designing security as a bolt-on afterthought, ill-designed security solutions, etc. may cause temporary self-destruction. Even when a security function is developed, there is no guarantee it will be embraced by the industry or the consumer. It will take a small army of very smart people across hardware, OS, application, and security services to design robust controls which present a value proposition necessary for widespread adoption.

In the end, the age old battle will continue to rage on between the attackers and defenders. Virtualization is simply the next battlefield. A new landscape to which these players will innovate, respond, jockey for position, and struggle for dominance. The rules and possibilities have yet to be defined. All we know about computer security will be thrown on its side and everything we do now will need to be rebuilt from the ground up. Virtualization is a brave new world, sure to bring both dreams and nightmares.

6 Comments

Recently, a colleague and I spoke to a group of IT administrators in Washington, DC. We left our car in a self-park parking lot in which the attendants had everyone leave their keys in their car, in lieu of keeping them on a valet "key board". They seemed to be depending on reasonably honest customers (we were in a secure area past a government checkpoint) and their own memories to ensure no cars were "lost". We returned to find that the parking lot attendants had completely rearranged the vehicles. Since it was a rental car, it was hard to describe the car and therefore hard to find. (By this point you're probably thinking that I've posted to the wrong board or that Intel pays me by the word, but bear with me)

It took a rather lengthy iterative search, but we eventually found the car. As we walked, my colleague and I joked about this as "parking lot virtualization". Our vehicle was moved from one slot to another to better fulfill the changing needs of the parking environment over time. This struck a chord with us, having just been discussing some of the challenges with virtualization.

In the data center, most virtualization suites allow an administrator to manually move a workload from one host to another. This is a very powerful concept - instead of having to negotiate for a 3:00am Sunday morning maintenance window to do preventative hardware maintenance, we can move all of the workloads to another physical machine, perform maintenance during normal working hours, and eventually move the workload back to its original location. We can also migrate workloads from a less powerful machine to a newer machine for performance or in order to retire hardware.

Combining this capability with the ability to host multiple workloads on a single piece of hardware, the data center can quickly become very complex. Without a robust database to map workload to physical machine (and vice-versa) or an automated update mechanism to adjust these mappings after a move, we can easily lose track of our services. These mappings are needed in order to answer questions like "host/rack/row/room x went down - what services need to be restarted?"

My colleague noted that ITIL has mature, well-defined mechanisms to deal with many of these types of events. Change orders, maintenance escalations, and configuration databases were all designed with these business processes in mind, albeit at a much slower (and more manual) pace. It would defeat much of the benefit of virtualization if one had to get a signed piece of paper, email approval, or file a trouble ticket in order to offload a workload in response to a failed CPU fan. Instead, we should use policy to anticipate and enact these types of responses. The discipline and rigor of change management is critical within the virtualized data center, but it must be directly encapsulated by our tools in order to be effective. In essence, the CMDB needs to be dynamically updated in order to maintain fidelity to the Data Center's logical state at any given instant.
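To make the "dynamically updated CMDB" concrete, here is a small added example (not Intel's tooling, and not code from this post) of the two properties the paragraphs above ask for: every workload move updates the workload-to-host mapping as part of the move itself, and a policy-driven evacuation of a failed host goes through that same path, so the question "rack X went down, what services need to be restarted?" is always answered from current state. The `DynamicCMDB` class, its host/rack/row/room model, and all of the host and workload names are constructed for the example.

```python
"""Toy dynamic CMDB for a virtualized data center (added example, constructed data).

Hosts carry a physical location (rack/row/room); workloads map to a host and to
the service they provide.  migrate() is the only way a placement changes, and it
records history, so the mapping cannot drift from reality the way a manually
maintained spreadsheet or ticket queue can.
"""
from collections import Counter


class DynamicCMDB:
    LEVELS = ("host", "rack", "row", "room")

    def __init__(self):
        self.hosts = {}       # host -> {"host": .., "rack": .., "row": .., "room": ..}
        self.placement = {}   # workload -> host it currently runs on
        self.services = {}    # workload -> service it provides
        self.history = []     # (workload, from_host, to_host, reason)

    def add_host(self, host, rack, row, room):
        self.hosts[host] = {"host": host, "rack": rack, "row": row, "room": room}

    def place(self, workload, service, host):
        if host not in self.hosts:
            raise KeyError(f"unknown host {host}")
        self.placement[workload] = host
        self.services[workload] = service

    def migrate(self, workload, to_host, reason="manual"):
        """Move a workload; the CMDB mapping is updated as part of the move itself."""
        if to_host not in self.hosts:
            raise KeyError(f"unknown host {to_host}")
        from_host = self.placement[workload]
        self.placement[workload] = to_host
        self.history.append((workload, from_host, to_host, reason))

    def workloads_on(self, host):
        return sorted(w for w, h in self.placement.items() if h == host)

    def impacted_services(self, level, name):
        """Answer 'host/rack/row/room <name> went down - which services are affected?'"""
        if level not in self.LEVELS:
            raise ValueError(f"level must be one of {self.LEVELS}")
        return {self.services[w] for w, h in self.placement.items()
                if self.hosts[h][level] == name}

    def evacuate(self, failed_host, reason="hardware fault"):
        """Policy-driven response to a failed host: move each of its workloads to
        the least-loaded surviving host, updating the CMDB with every move."""
        moved = []
        for workload in self.workloads_on(failed_host):
            load = Counter(self.placement.values())
            candidates = [h for h in self.hosts if h != failed_host]
            target = min(candidates, key=lambda h: (load[h], h))
            self.migrate(workload, target, reason)
            moved.append((workload, target))
        return moved


def demo():
    """Constructed scenario: two hosts in rack A, one in rack B, three workloads."""
    cmdb = DynamicCMDB()
    cmdb.add_host("h1", rack="A", row="1", room="R1")
    cmdb.add_host("h2", rack="A", row="1", room="R1")
    cmdb.add_host("h3", rack="B", row="2", room="R1")
    cmdb.place("vm-web", "web", "h1")
    cmdb.place("vm-db", "db", "h2")
    cmdb.place("vm-mail", "mail", "h3")

    before = cmdb.impacted_services("rack", "A")          # web and db sit in rack A
    cmdb.migrate("vm-web", "h3", reason="planned maintenance on h1")
    after = cmdb.impacted_services("host", "h1")          # nothing left on h1
    moved = cmdb.evacuate("h2")                           # CPU fan failed: vm-db -> h1
    final = cmdb.impacted_services("rack", "A")           # only db remains in rack A
    return before, after, moved, final


if __name__ == "__main__":
    print(demo())
```

The evacuation policy here (least-loaded host) is deliberately simple; a real placement policy would also honour anti-affinity, trust level and capacity. The point is structural: because `evacuate()` is built on `migrate()`, the automated response leaves the same audit trail and the same up-to-date mapping as a manual move, which is what lets change management keep its rigor without a ticket in the critical path.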

For those of you who have deployed virtual machines in large-scale production, what techniques have been most successful for managing the chaos of moving services and images? Are you using a glue layer for your legacy CMDB and other management tools, or are you finding it easier to throw them out and depend on the tools provided by your virtualization stack?

30 Comments

As this is my first post in this forum, let me start by introducing myself. My name is John Dunlop and I am an IT Enterprise Service Architect responsible for Intel's IT client solution architecture. I've had this role for less than a year, having previously been responsible for some of our identity & access management services, as well as other backend core services. What an exciting time to have made the shift to the client side of IT! To say that there have been considerable and accelerating advancements in client usage models and application delivery models is truly an understatement.

Historically the most interesting and divisive discussions of client architecture have revolved around the debate over thin versus thick clients. Both models have their advantages and disadvantages, of course, but ultimately (as all IT architects know) it's all about enabling the business to have their cake and eat it too. We need to provide a client that is robust enough to survive network connectivity or performance issues, enable an increasingly mobile workforce, support data center consolidation, and satisfy the consumerization and personalization trends that are forcing IT to make more and more compromises to keep customers happy. On the other hand, competitive pressures drive IT budgets ever lower, keeping manageability center stage for providing TCO reduction and making IT managers crave more and more control over the client. Neither thin nor thick clients ultimately deliver on all of their promises, partly because the world has never been that black and white and one size rarely fits all.

Enter virtualization. Now, some will point out that we've had "presentation layer" virtualization solutions for decades, but again, this shifts us squarely into the realm of thin clients, which simply don't serve our mobility needs and shift costs to the infrastructure. The benefits of true, on-board virtualization capabilities were immediately apparent on the server, but client virtualization wasn't taken seriously (as scalable) by many until fairly recently. Sure, you could run a guest OS on a client host OS for training purposes, or to do some specific task that wasn't supported on the host OS, but there was substantial overhead from a performance standpoint, and let's face it, the average user was never going to be satisfied with all the complexity and effort of moving between host and guest. Ever notice how it always seemed to be IT people using a virtualized guest OS for some constructive end? Improvements in technology (e.g. dual core, Intel VT) have meant substantial mitigation of the performance concerns, and the competition to deliver more and more capabilities and transparency in software hypervisors is creating a virtual arms race for the virtual desktop. It is amazing to see how far we've come when you can run apps in two different operating systems simultaneously as they float side by side on the same desktop, allow cross-registration of applications, and share file systems, task bars, paste buffers, etc., etc.

Here's where you get that cake. Rather than continuing to evolve that tightly-coupled fat client architecture you've built a career around (so when are you planning to upgrade to Vista?) or continuing to tell your users that mobility is overrated while you shift client support costs to the network and data center with your antiquated thin client strategy, let's think outside the box for a minute.

Virtualization is about abstraction, and there are several layers where you can exploit abstraction using existing virtualization technologies and products. The most obvious one is between the guest OS and the host OS or hypervisor. This abstraction layer may, for example, allow you to change your client hardware procurement or provisioning model. Even a decision made to leave those business processes alone can be made confident in the knowledge that changing that decision later doesn't require a complete redesign of your client solutions. Some companies are even thinking about discontinuing the practice of providing laptops to mobile workers, opting instead to give them an annual stipend to purchase their own systems with their own OEM support contracts and a host OS they can do with as they please.

Virtualizing the workspace, even if that remains a tightly-coupled OS and application solution stack for the time being, makes that workspace transportable across devices, easier to recover, even potentially resident on a thumb drive. Because the user has a host OS to horse around with, you can finally lock down that work environment like you've always wanted. And, now you can provide a variety of workspaces through virtualization, including productivity and collaboration, engineering, manufacturing/shop floor control, etc. Making the framework of your client more modular means greater agility for your business, and you can finally begin looking at the workspaces you provide as true services.

And what about the tight integration of those applications? Another abstraction layer is between the applications and the guest OS. New and old capabilities and techniques can be employed to virtualize those applications, albeit not without some elbow grease within the greater IT organization to stop developing and/or deploying proprietary or OS-dependent apps to the client. New IT policies that promote standards and provide guidance about the most appropriate forms of application virtualization and application delivery would be an excellent start. Writing applications on the Java VM, for example, or at least not using proprietary browser extensions in web apps, would go a long way toward making applications available across workspaces and operating systems. Even for natively installed applications, adherence to standard data object types and document formats will provide at least the look and feel of virtualization, which may be good enough in some cases. I don't have time or space here to get into the merits of Software as a Service (SaaS), but there is a clear paradigm shift occurring in the application delivery space that can support cross-platform "virtualization" of applications, and new technologies are even allowing for the caching of streamed applications that can run even when disconnected from the network!

Finally, and this may be the hardest abstraction layer of all, there is the holy grail of data virtualization. Imagine thinking about data as being associated with users rather than devices. Why are we still thinking in terms of client backups? I want my data to be available no matter what device I use to run my workspace. If I have a problem with my device or workspace, and a new workspace is provisioned, streamed, or otherwise made available to me, my data should be there as well, protected by some network service responsible for managing my data and serving it up to me no matter what device or workspace I may be using. I must admit that I haven't looked into the options in this area much yet, but I fear this is an area that lacks maturity from a client mobility perspective.

Naturally, there are significant manageability and security implications for this type of architecture. Hey, I never said this was easy! Many products are coming to market, however, to complement virtualization products to fill these needs. Figuring out how to solve these challenges is worth some time and effort. Client virtualization is not a fad; rather it is an evolutionary step forward that will provide IT and the businesses they support with newfound agility and competitive advantage in terms of lower integration costs, faster turnaround time, and improved user experience.

1 Comment