Hooray for virtual computing environments!  Freeing the digital enterprise (and users of the digital enterprise) from the shackles of physical platforms and the replication of operating systems and applications everywhere is crucial to capturing the value potential of the “liquid enterprise” (see Volume 5 of the Digital Trust series).  But the payoffs of a liquid enterprise cannot be created and sustained unless there is equally liquid security to flow over, through and around the (newly) liquid digital enterprise.

Liquid security is digital trust when time, place and platform are irrelevant.  As long as digital trust remains “liquid,” then the enterprise can indeed create and capture new value with such techniques as dissolving the intranet altogether, letting users apply their own “consumer IT” for their job, and making all kinds of applications and data usable in all kinds of circumstances, regardless of the networking, platform or support environment.  This is the power of liquid security, and virtual computing technology is one clear contributor to that value creation and capture.  When the right kind of digital trust remains liquid, only the application matters.

Hoping the Phantom Remembers Digital Trust
But, as IBM reminds us, “virtual computing environments still need real security.” To that end, IBM has begun a research initiative named Phantom designed to find and fix security vulnerabilities in virtual computing environments.  Now, such an initiative is laudable.  But it is also reminiscent of the “find and fix” vulnerability programs begun and maintained by every operating system and major application vendor worldwide.  In fact, Tuesdays have assumed a whole new dimension on the weekly calendar with the regular release by Microsoft of patches and fixes to vulnerabilities discovered through its “find and fix” program.

Here’s hoping that the Phantom researchers remember the fundamental reasons for virtualization technology, and especially the value creation and capture possibilities with digital trust (in the form of liquid security).  Otherwise, hypervisors and the “applications” that can operate on specific hypervisors will be in danger of becoming as balkanized as operating systems and their own applications. 

While VMware continues to be the most well known virtual computing environment, Citrix/Xen, Microsoft Hyper-V, Oracle VM, Sun xVM, Parallels and a host of other alternatives are pushing hard for market share.  Integrators are lining up with one or more “virtual vendors” to offer design, installation, applications porting and even complete operating services. 

Furthermore, other levels of virtualization for the liquid enterprise are also great sources of liquid security and subsequent payoffs.  RingCube’s MojoPac and RedCannon’s KeyPoint Access illustrate the value of liquid security without having to become “virtual in the extreme.”

Keep Liquid Security Liquid
So, let’s give a hearty “hurrah” for the Phantom, and let’s remind the Phantom that virtual computing environments need not be burdened with exactly the same kind of “real security” that we’ve plowed into operating systems and applications.  While we are researching the vulnerabilities of virtual computing environments, and planning to insert mechanisms to “lock down” hypervisors and virtual machine monitors, let’s also remember to keep liquid security liquid.

The techniques we use for “real” operating systems and applications have led us to “patch Tuesday” and to platform and configuration dependencies that almost make more problems than they solve.  If we follow exactly the same model for our virtual computing environments, then we’ll no doubt end up with a “virtual Tuesday” patching nightmare, compounding the technology update calendar we already must follow.

Only the application matters … only the application matters … only the application matters …