Virtualization vs. Security

27.01.2011 by Martin Kuppinger

Some days ago, a vendor talked at an analyst meeting about the relationship between virtualization and security. The argument was: At the hypervisor you can combine network security management, server security management and some other aspects of security management – I can’t remember everything. Thus virtualization increases security, because you have one point of control.

Right – as long as you can control what administrators and operators are doing. Unfortunately, that’s not the case in typical virtualization environments. There is no PxM (Privileged Access, Account, Identity, User) Management at all. And in that case, combining everything is a problem, a nightmare from a compliance point-of-view. For sure there is a value in having a single point-of-control, but only if you are able to adequatly control use of this.

I’ve asked the speaker about the solutions around PxM offered by that vendor – there weren’t any.

Without specific virtualization security solutions, PxM being one very important amongst them, there is a virtualization security risk. There is a potential of increasing security by using adequate technology, which is provided by several vendors. But claiming that there is a value of combining a lot of highly elevated administrative actions without being able to manage them doesn’t make any sense.

For a comprehensive overview on what customers expect around virtualization security just have a look at that survey.

And don’t forget to register for EIC 2011 and Cloud 2011.

SAP invests in security technology

20.01.2011 by Martin Kuppinger

SAP recently announced that the they will buy most technology assets from the Swiss-German security specialist SECUDE. The developers and other resources will as well move to SAP, ensuring that as well the software as the “brain”ware is available to SAP. SECUDE provides solutions around SAP for strong authentication, single sign-on, and event management specifically to SAP environments. There is a long-term relationship between both companies, SECUDE being a supplier for many SAP customers in the areas mentioned.

One might argue that this acquisition isn’t a real big deal, compared to BusinessObjects or others. However, it is a strategically important one. SAP will deliver the core functionality of the SECUDE SecureLogin product as standard feature, thus the first time providing front-end security. Overall, the deal appears to be part of a strategic shift towards more “security out-of-the-box” at SAP. Other vendors like Microsoft (out-of-the-box), Oracle or IBM (separate products) have heavily invested in security products in the recent years, in many cases through acquisitions. In the press release SAP mentions that customers demanded additional security functionality. And that is what is really interesting with that deal: Security can’t be left to third parties, vendors have to provide solutions by themselves. Security isn’t the core business (in most cases), but the core business requires security.

However, there will still be enough room for third parties, as long as they focus on security for heterogeneous environments or the niches left by the big players. But providing comprehensive security features is increasingly a must for software vendors in the non-security business. When looking at many products out there, there is still a long way to go to provide security out-of-the-box at an acceptable level. By acquiring SECUDE, SAP has made a significant step forward towards this.

© 2014 Martin Kuppinger, KuppingerCole