virtualization

...must come down. You know that old saying. I think it was a dude named Newton that first came up with that gravity thing, right? Well it seems that while I was blissfully away at the beach, the virtualization market came back to reality a bit.

Between Diane Greene being thrown out of the VMware car at a high rate of speed and their acknowledgement that VMware revenues will be a bit lighter than expectations over the rest of the year, you get the feeling that a bit of the helium in the virtualization balloon is escaping into the atmosphere.

By the way, that doesn't mean that I don't believe that virtualization is a critical technology and that it's going to be growing quickly for a long time to come. I do. With legitimate competition from Microsoft and Citrix, VMware now has a fight on its hands. Which is great for customers, as pricing will come down and innovation go up. That's they way competitive markets work.

Since I do focus on security, this is just more ammo for me relative to my positions that virtsec is largely a hype market for the next few years. I don't need to rehash that again.

So why bring back up the topic of virtualization? I just like to poke fun at all of the folks that believe the world changes overnight. Yeah, mostly vendors, but the media (and a lot of analysts by the way) are also willing accessories to the crime. Disruption does not happen in the blink of an eye. I believe that old adage that we overestimate change over a two year period, but underestimate change over a decade. I've seen it and lived it, and it will happen again.

In 2018 (as if I could predict further out than breakfast tomorrow), the fundamental computing infrastructure will be radically different. You could guess that a lot of processing will happen in the cloud and that we'll have open (maybe even secure) APIs to weave together our interfaces, logic, and data. Yet things in 2010 will look largely the same as they do today.

Maybe. Who the hell knows? If there is any rationalization I'm coming to grips with is that I'm pretty crappy at predicting.

In fact, we all are. This is going to be a major research focus of mine in the second half of the year. How do we make decisions when we are crappy at predicting the future? Stay tuned for that.

Photo credit: "img_0906" by mbeldyk

After Alan's plea to add some heft to the Black Hat Blogger Network theme of virtualization security, I figured I'd weigh in a bit on the topic. But first, I want to be very clear that I'm not challenging guys that are much smarter than me. Like Hoff and Thomas. Even guys like Greg Ness and John Peterson are correct in their assessments of the number of new attack vectors that virtualization brings to our data centers - even if they are vendors.

So I'm not going to talk about technical stuff. Yet, I do feel compelled to draw the conclusion that despite the dangers, it doesn't matter. All the folks that are trying to make VirtSec into a market are basically just pushing on a rope.

That's right. Now matter how hard you push (or how many blog postings you write), you are not going to make VirtSec into a market for at least 2 years. And that is being pretty optimistic. So for all those VCs that are thinking they've jumped onto the next big security opportunity, I hope your partnership will allow you to be patient.

Again, it's not because the risks of virtualization aren't real. If guys like Hoff and Thomas say they are, then I tend to believe them. But Mr. Market doesn't care what smart guys say. Mr. Market cares about budget cycles and priorities and political affiliations, and none of these lead me to believe that VirtSec revenues are going to accelerate anytime soon.

1. Budget cycles - This is what every optimistic marketer seems to forget. Customers just don't buy stuff. The large ones tend to work in 18 month (at least) budget cycles. Yes, that's too long - but it's reality. Many organizations are still working on that IPS deployment and maybe Web filtering. The idea of something that doesn't have a clear and present danger... not so much.
2. Priorities - Of course, there are exceptions to this budget cycle issue, and that's when something really lifts in priority because of a real high profile attack. Kind of like when anti-spam hit the jets in 2004. It was a big enough problem that demanded a solution. Is VirtSec there? Nope. So most enterprises will buy a VirtSec widget or two, but not go into real deployment until they really have to. But, that can change in an instant if a verified exploit hits.
3. Politics - This is the stickiest issue of them all. Who owns VirtSec? Is it the security guy/gal? Do they really own anything? It's probably a data center thang, but those folks are concerned with other issues (I'll hit that in a minute). What about the network folks, since a VM basically creates a network in the physical enclosure? It's about as clear as mud, and with the lack of clarity, most organizations will opt to do nothing.

Keep in mind how early we are in the adoption of virtualization. Sure, lots of customers are playing around with it. The early adopters are entering massive deployment cycles, but this is not representative of the broad market. Not yet anyway. So we are early, and early markets tend not to worry about security.

It seems the killer need right now for virtualization is VISIBILITY. That's right, increasingly virtualizing your servers creates any number of blind spots that makes operating your infrastructure effectively pretty hard. Now a lot of the VirtSec folks have come to the same conclusion, but like their NBA brethren - they are screwing it up.

Visibility is NOT a security issue - it's a MANAGEMENT issue. Funny how the NBA guys are finally getting there like 7 years later. Security is a tangential benefit, not the customer pain. If you sell a security solution to a management problem, it doesn't work out too well. Why can't these guys figure that out?

It gets back to that ongoing faulty belief that security is cool and that positioning security solutions is the easiest path to success, since everyone is paranoid about hackers and compliance. They are wrong. Very very wrong.

Security is ALWAYS the last thing to get addressed when a new technology hits. The security folks are not consulted when a new application architecture or data center infrastructure technology hits, are they? So why would security be one of the first things to get addressed in the virtualization space? Besides the fact that a bunch of entrepreneurs and VCs want it to be so.

The logical order of things (dramatically simplified) is: innovation -> management -> security (maybe). Pick a new technology and prove to me that the order was different. I dare you!

It will be fun to see yet another generation of folks try to change these universal truths of technology market adoption. Fun for me, but not so fun for the guys that are trying to explain to their investors why the market hasn't taken off.

Photo credit: "David Blaine - no mask" originally uploaded by Mirka23