SAN FRANCISCO -- Customers and analysts attending VMware's annual VMworld conference here this week wondered repeatedly about how secure virtualization is, although they seem enthusiastic about VMware's technology.
Over 17,000 people are crowded into the conference -- which stretches across all three parts of the Moscone Convention Center -- and the lines for sessions on new tools and techniques are especially long.
VMware is moving to address security through new products and partnerships announced this week and through an acquisition: TriCipher, a venture-backed startup in Los Gatos, California, about 30 miles from VMware, which offers strong authentication and single sign-on for cloud-based and software-as-a-service applications, including Google Apps and Salesforce.
"I loved the TriCipher acquisition," says Chris Wolf, an analyst at Gartner. "TriCipher completes the picture -- you can connect to SAAS apps, Xen apps and local apps. It's a big deal for virtual desktops, and obviously other vendors like Microsoft and Citrix will offer similar capabilities -- and I imagine they'll be more transparent in this space. A lot of folks know there's not a complete solution that does everything for a virtual desktop, but they want to place a bet on a vendor."
Still, doubts about both security and compliance with regulations, in industries where they apply, prevent customers from jumping into virtualization with both feet.
"It's not just about the infrastructure and the apps," said VMware CEO Paul Maritz, stressing the importance of working with partners and customers to hammer out the technology. "The bad guys aren't standing still either. Increasingly, there are problems with behavioral security. That's the biggest fear you all have now -- is somebody going bad?"
In a session comparing VMware's security technology with its chief rivals' -- Citrix and Microsoft -- Wolf said that all the vendors are still missing security features, although nothing that Gartner considers critical.
He said customers need to be more aware. They should do a better job of auditing for "rogue" virtual machines -- untrusted virtual machines on a trusted system, especially a desktop -- and should store all their virtual machines in a data center so they can control them better and patch them more easily.
They should also know that hardware can affect the performance and security of a virtual machine, and they should ask tough questions of anti-virus vendors, especially if those vendors are redesigning their products to be virtual.
"Ask specific questions -- what can you do on my product?" Wolf said. "Each hypervisor has different capabilities, and the ecosystem (security) vendors can't do everything they say."
But some customers pointed out that virtualization can also make security better. There's more information to work with to determine compliance and analyze threats, and in some situations data can be more easily protected.
"We're in the inner city, and people steal desktops with patient information," said James Philbin, senior director of medical imaging and bioinformatics research at Johns Hopkins. "That's one of our biggest drivers for a virtual desktop -- the data never leaves the data center once it hits there."
IT staffs have a toolkit to fight breaches that they've never had before, others said, and CIOs are paying more attention because the penalties for data breaches are bigger than they used to be. "They want to know how to reduce their footprint and the surface area of the exposed data and control who's getting access, whether it's locally on the server or client or in the cloud," said David Ting, the CTO of Imprivata, a VMware partner. "Unattended workstations are locked down."
Ultimately, Maritz said, customers are still getting used to virtualization, and its risks. "A couple years back I was involved with a deal where a technology company wanted to sell service to a telco in Europe, storing that telco customer's information, and the customer wanted unlimited liability. The provider had to swallow deeply and commit. There needs to be a gradation (in these situations) -- no liability and unlimited liability are both wrong answers," he said.