In a posting on his blog, Chris Hoff laid into some comments I made to security SearchSecurity.com, in which I remarked that “Virtualization vendors [are] not in the security business.” 

He quotes me as saying “While virtualization vendors will do their role in protecting the hypervisor, they are not in the business of catching bad guys or discovering vulnerabilities, said Simon Crosby, chief technology officer of Citrix Systems.” and then goes on to berate me for that position.  He says “The fact that the “industry” has “decided” that “third party vendors are required to secure any platform” simply points to the ignorance, arrogance and manifest destiny we endure at the hands of those who are responsible for the computing infrastructure we’re all held hostage with”

I reckon that Hoff, who is normally fairly clued-in,  has put the smoking end of the cigar in his mouth before thinking through this argument.  He’s horribly confused, but as smug as always, so let me clarify what I said, and what it means. 

What I said is that Citrix is not a security vendor for guests of the virtualized infrastructure. We do not spend our days and nights looking for evil types that wish to attack guest OSes by looking for virus signatures or other security techniques.   That is not our business, and never will be. There is a strong and vibrant ecosystem of security vendors whose job it is to protect guest operating systems in physical and now virtualized infrastructure.  There are challenges that arise as a result of virtualization, and we and those vendors will work to fix them, but it is not our role to specifically protect any OS or its applications through OS/app specific knowledge in the virtualization layer.  The industry has long looked to third party vendors to add security to infrastructure deployments.  This is why vendors such as Symantec and McAfee exist – as customers’ preferred partners to implement security for their apps/OSes.  The same will be true for virtualized environments.

In terms of the hypervisor, we are manically focussed on security, as is VMware – though they appear to be more retrospectively focussed on security, judging by their incredible rate of patches (more than one per week, on average). Xen supports TPM, AMD SVM, and Intel TXT, and trusted platform boot using platform based attestation is on the roadmap. Xen does not contain drivers, and implements a multi level secure architecture. The Xen community is putting Xen through common criteria level 5 certification, which is way beyond the typical enterprise software EAL 2, or even VMware’s EAL 4.  Xen implements the features of IBM sHype, and has benefited from contributions of Xen security modules from the NSA and other key security research groups and agencies.  Xen is open source and is available for inspection and testing by the community at all times, so bugs found are quickly fixed and vulnerabilities, should they exist, are rapidly explored.  Xen is massively and continually tested by the community and there are scores of university research projects related to security that use Xen and work on Xen, including honeyfarms, Xen virtual appliances for security and more.  

The largest virtualization deployment in the world, Amazon, uses Xen, and more Xen hosts face the Internet every day than VMware hosts, simply because Xen is open source and available.  Xen is used in most major clouds too, and those folks really care about security.  The community is are justifiably proud of the security record of Xen and its open approach to security research and vulnerability assessment.

The security of any Xen vendor’s product is simply up to them.  Citrix focusses very heavily on the security of XenServer.  it is tiny, often embedded in read only flash on industry standard servers, doesn’t run any network services except for a single secure protocol, and enforces security principles of MLS throughout.   We are proud of the fact that we have only ever issued 3 hotfixes for XenServer, two of which were in beta periods.  Compare that to VMware’s 48 patches for this year alone!  How anyone can consider software that has to be patched at a rate of more than one patch per week to be enterprise class, let alone secure, escapes me.

But we are not in the business of specifically securing guests or their applications, other than through offering a secure virtualization platform.  Even VMware with VMsafe simply exposes APIs to third party security vendors, so that customers can choose their preferred security partner to secure guests.  I think that the VMware Determina acquisition was very smart, and that hints to me that VMware sees itself having a greater role in the security of guest OSes, since it could choose to be in the vulnerability checking business without 3rd party security vendors, but thus far they are working very openly with the ecosystem. 

In summary an assertion that the virtualization platform vendor has to fix the sad state of the OS/App world by making it secure is demanding too much.  It would mean that we have to be experts in every piece of system software including all of the vulnerabilities of all OSes and their apps.  In my view the reason the state of security is poor now is because of the monolithic approaches of traditional OS and app vendors.  We will focus manically on our layer, make it secure, tiny and bulletproof to attack in its own right.  And we will work closely with experts in security of OSes and Apps to give them an opportunity to implement guest-level security outside the guest, through privileged interfaces that themselves are secure.