Autonomic security, AKA, self-healing, self-defending, situation aware security, or feedback-based security management, has long been a dream in distributed IT computing.  It could be the reason that this dream was not realized is that it is too hard to do in distributed computing.

 Enter virtualized computing, with centralization and much greater control over the [wily careless security-ignorant only-cares-about productivity] user.  Now does that change the complexion of the problem?

 The enemy is the usual: malware, such as worms, viruses and trojans, plus future attacks we don’t even know about now.   Malware designers unfortunately have the upper hand, with ever stealthier approaches to evil.  Most security countermeasures are simply responses to known threats.  Thus the bad guys are controlling the game.

With virtualized computing, IT asserts more control.   Might it not be possible to realize autonomic security more effectively?  One of the problems distributed computing has is relentless complexity and lack of control.  With distributed computing, the end user is in the driver’s seat!  Maybe if all end users were very diligent about security this would be fine.  This is sadly not the case.

 Autonomic security affords the luxury of not relying on a human to notice things are stealthily going amok.  It is possible to monitor what is going on in the network, applications, OS’s, processors, and so on.  With a virtualized environment, does this not become easier?

To be clear, it is possible autonomic computing actually creates additonal security challenges, dong things automatically like changing system configurations, interconnections and so on, creating interesting entrees for malware designers.

I’d very much enjoy a dialog on the following thought: in a centrally controlled virtualized environment, is security innovation possible?  Given that we can get better information about what is going on, for example anomolous behavior such as a processor being hit abnormally, or other anomolies such as buffer overflows or abnormal accesses or sensitive data being touched in any way, could we not modify the enterprise security policy on the fly?  Could we have software to look at the collective of information now at our fingertips and change security policy appropriately? 

 The model I have in mind is human behavior.  If you are walking down the street and it’s daytime, and it’s a cheerful sunny day, and nothing suspicious is going on, we behave in a way to maximize productivity and pleasure.  In contrast, if you’re walking down the street and it’s dark and late, and there are strange- looking people about, and they are looking at you with too much interest, your security posture changes and security becomes more important than productivity and pleasure (until you get out of the situation.)

So could we not use that model and have an adaptive security policy that intelligently changes, based on the information available.  Not attacks per se, as there is software that does that already.  What if we could look at the health of the network and applications and decide that situation is not normal and a more restrictive security policy is now required?  Productivty and pleasure take a back seat when it’s “code red”.

I’d like to hear from folks with thoughts in this area!