There is a good reason to add functionality to specific types of devices, especially in the network. Doing security at the edge can be highly efficient. Thus, implementing for example PEPs (Policy Enforcement Points) for access management into network access gateways is, from the perspective of efficiency, a pretty good idea. And when looking at what the network vendors like Cisco, F5 Networks, and all the others are doing, the number of add-ons which can be added to these devices and run locally has increased significantly.
Basically the same, still at a lower level, could be observed around VMs. Hypervisors tend to become more capable of doing things. And especially when looking to client-side hypervisors, there is a slight tendency to add more and more features to them - starting with AV done centrally for many machines and probably ending with supporting the standard user interface at some point of time in the future.
However, as well network devices as hypervisors aren't really secure by design. If we look at how many specific tools are out there to better protect these devices or software layers and if we look at the risks around privileged accounts especially for network equipment and VMs, it becomes obvious that there is a gap between what these devices or hypervisors can do and how they are protected themselves. Every new feature also provides sort of a new attack surface - in an environment which isn't the dream of a security guy (maybe it's the dream of an attacker, but that's what we want to avoid).
The best would be to make these devices and software layers secure by design. Granular access control, centralized policy management based on XACML, tightly integrated with the provisioning and PxM (Privileged "whatever - user, identity, access, account" Management), standard auditing interfaces which allow integration across devices from different vendors without heavy integration work at the (still too technical) SIEM layer, and so on.
However, that will take some time. In the meantime there are two things you can do: Balance the values and the risks - can you afford to pay the price in security for better efficiency? And protect these devices consistently by management tools, PxM with support for these devices, maybe together with SSO, and auditing and analysis mechanisms.
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.
Subscribe to our Podcasts
How can we help you