How VirtuStream does Cloud Security

On the 4/4 Virtualization Security Podcast, Pete Nicoletti, the chief information security officer for Virtustream, joined us to discuss how VirtuStream does cloud security. VirtuStream runs some of the largest, if not the largest, SAP installations in the cloud for very large enterprises around the world. The key to VirtuStream is that it is an Enterprise Cloud that looks at everything from the Enterprise perspective, whether that is billing or security. For security, they have implemented many changes required by their customers and allow the end-enterprise to dial that security to 11 if necessary. But what does VirtuStream do that is different from all the others?

VirtuStream has a series of security partners that are each interesting for cloud security on their own but together cover a wide range of the Spectrum of Hybrid Cloud Security. Not only do they provide segregation of duties at all levels and logging, but they also provide multiple layers of encryption. In the article Virtualizing Business Critical Applications – Integrity & Confidentiality we discussed encryption up and down the virtual and cloud stacks. VirtuStream encrypts within at least two of the layers of the stack: in-application encryption via Vormetric, and at the storage layer via a Virtual Storage Appliance using SafeNet’s Protect-V technology.

Why two levels of encryption?

Because not everyone wants to do full disk encryption when they are only concerned about small bits of data within a database, which is where Vormetric comes into play.

In addition to encryption, Virtustream applies the latest vSphere Hardening Guide to its host nodes while limiting downtime. Of course, all changes go through their security lab, which is apparently very well outfitted, before being applied to the Enterprise cloud used by customers who expect zero downtime.

All in all, VirtuStream uses its own cloud management tool, Xstream, and in doing so can become hypervisor agnostic. But they still have the same issue as everyone else currently: how to move data between clouds built on disparate hypervisors. While they can do it, it is still a shutdown-and-copy operation.

In short VirtuStream does the following:

  • Limits access to virtualization host consoles and treats such access as break-glass, with additional logging
  • Limits access to virtualization and cloud management consoles (the lowest-hanging fruit of virtualization and cloud security)
  • Allows the tenant (which they vet before bringing them into their cloud) to dial the security to 11 if necessary with multiple levels of encryption, network firewalls, IDS, IPS, and other network security tools.
  • Log everything! And provide those logs to tenants as necessary (of course currently scrubbed by hand or script)
  • Log everything!
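As an added illustration of the first and last bullets (example code written for this summary, not Virtustream's own tooling or anything from the podcast), the check below treats every direct host-console login as a break-glass event and alerts on any login that falls outside a pre-approved window. The log line format, hostnames, user names and the approval table are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed syslog-style lines for illustration only; real ESXi/vCenter
# log formats differ and should be normalised into this shape by the collector.
SAMPLE_LOGS = """\
2013-04-04T10:02:11Z esx01 shell: login user=admin via=ssh src=10.0.5.7
2013-04-04T10:40:55Z esx02 shell: login user=ops-jdoe via=dcui src=console
2013-04-04T11:15:03Z esx01 vpxa: hostd heartbeat ok
2013-04-04T12:03:40Z esx03 shell: login user=ops-asmith via=ssh src=10.0.5.9
"""

# Approved break-glass windows, (host, user) -> (start, end). Constructed values.
BREAK_GLASS = {
    ("esx02", "ops-jdoe"): (datetime(2013, 4, 4, 10, 30), datetime(2013, 4, 4, 11, 0)),
}

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) shell: login user=(?P<user>\S+) via=(?P<via>\S+) src=(?P<src>\S+)$"
)

def parse_console_logins(text):
    """Return one dict per direct host-console login (ssh or dcui); other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events

def flag_unapproved(events, approvals):
    """Every console login outside an approved break-glass window becomes an alert string."""
    alerts = []
    for e in events:
        window = approvals.get((e["host"], e["user"]))
        if window and window[0] <= e["ts"] <= window[1]:
            continue  # approved break-glass use: still logged, but not alerted
        alerts.append(f"{e['ts'].isoformat()} {e['host']} {e['user']} via {e['via']} from {e['src']}")
    return alerts

if __name__ == "__main__":
    for alert in flag_unapproved(parse_console_logins(SAMPLE_LOGS), BREAK_GLASS):
        print("ALERT unapproved host console login:", alert)
```

The approved login on esx02 is kept in the log record but produces no alert; the two logins with no matching window do.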

Being able to dial security to 11 as a tenant is something I welcome, but it is definitely not for everyone and requires clouds using the latest technologies.

Give the podcast a listen and let me know your thoughts.

Edward Haletky

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development, and The Virtualization Practice, where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.
