Wednesday, February 27, 2008


Moving Past the Hype

It’s only natural, I suppose.  When wireless networking started to become popular, it was decried as insecure and everyone was warned against using it.  When mobile computing started to take off, it was proclaimed a terrible security risk, and organizations were warned against it.  And now it’s happening with server virtualization.  Of course, since VMware is the lead player in this realm, they are the ones with the target on their back.

The latest volley comes from a “one-two” punch over the past couple of weeks. First, a vulnerability was discovered in some of the VMware hosted client products (VMware Workstation and VMware Player), specifically when using the Shared Folders feature. This feature allows host-to-guest interaction. The press went crazy with this one:

Fortunately, some level of clarity has started to prevail about this flaw:

The other “flaw” that’s gotten a fair amount of attention—and hype—is the exploit that can affect VMs during a live migration. Of course, this assumes that necessary steps weren’t taken to protect and isolate the live migration network, as recommended by VMware. I won’t spend a great deal of time on this, since Chris Hoff already said pretty much everything that needs to be said.

So what’s the takeaway from all this? Basically, exactly what Chris Hoff said: Don’t be surprised that your installation is insecure when you haven’t taken the time to implement the correct security controls. If you configure guest-to-host connectivity, then of course you open a channel for some sort of exploit. Best practice is not to configure guest-to-host connectivity. Likewise, if you run VMotion (or XenMotion) traffic on a network shared with other traffic, you run the risk of VM state being exposed.

Let’s move past the hype. Just take the time to do your due diligence, pay attention to the security risks of the choices you’re making, and don’t blame the vendor when you don’t follow the vendor’s security recommendations and get an insecure result.


Nailing Our Colours to the Mast

How many readers out there have ever found themselves at a dinner with some professional colleagues? Probably quite a few of you. I had dinner with some SEs from various other resellers and some vendor representatives tonight. It’s a fairly common occurrence, right?

Well, in how many of those situations did you feel you had to mask or withhold your beliefs or your opinions? This could be on any level; perhaps you couldn’t speak your mind about a particular product because you were having dinner with the vendor that makes that product. (No, this doesn’t have anything to do with any recent events.) More to my interest, for those readers who are also Christians, how many of you felt like you couldn’t fully express your Christian values or beliefs at one of these functions?

Now, this may not have been due to any person in particular, or because anyone said anything out loud. But in today’s society, where people are encouraged to be “politically correct” so as not to offend someone, it’s become increasingly rare to see people willing to show their beliefs, their values, their faith in public. It’s increasingly rare to see people willing to “nail their colours to the mast.”

That saying dates from English maritime history (more information here), basically meaning to openly display one’s beliefs. It can also mean a refusal to surrender or submit. My interest lies primarily with the first meaning, although both meanings can be helpful.

I think it’s time that we put political correctness aside and started taking a stand for our beliefs. And I say that not just from a Christian perspective, but from a professional perspective as well because these two perspectives are connected. They are linked. How? Being honest about who we are and what we believe—again, in a way that is courteous and professional—builds integrity. Integrity creates respect. Your colleagues won’t respect you if you aren’t honest, and if you aren’t being honest about who you are or what you believe then you aren’t being honest at all, IMHO.

Some might say that “transparency” is a good word to use here—we should be transparent and allow our character to be seen by others. Continuing the maritime flag theme, your true colors will come out sooner or later anyway.

If we don’t like a particular product because we don’t agree with the way it works, let’s just say so. We should be honest, because honesty is a Christian trait. Of course, we can do so in a way that is not offensive or rude, but we can and should be honest.

When we’re out at dinner with vendors or colleagues, we shouldn’t be afraid to say a prayer over our meal before eating. Again, we’re allowing the truth of who we are to be seen, and that honesty will generate respect. I believe people will respect you for not being afraid to be who you are.

Personally, I would rather see someone take a stand for something, even if it’s something I don’t agree with, than be wishy-washy and variable. Wouldn’t you? Maybe it’s time we nail our colours to the mast.
