It has now been a few weeks since RSA Conference 2014. A number of very disparate items to consider were announced at the conference. We covered some of them on the Virtualization Security Podcast held at the NSS Labs hospitality suite at the conference. Yet there is still more to consider. The impact of the solutions presented and the conversations held at the conference are still being worked out. While RSA Conference seemed about one-third mobile, one-third analytics, and one-third everything else, the products below were chosen due to their impact on virtual and cloud environments.
There seemed to be quite a few “foundational” products at RSA Conference this year, specifically, ones that will help to build products but are not for direct use by organizations today. They solve one problem very well and concentrate on that problem. There are a few of those within the list below.
Netronome, a purveyor of silicon for physical network interface cards (NICs), has developed a set of physical NICs that will accelerate Open vSwitch within hardware by moving the data plane directly into silicon. This implies that the software-defined networking (SDN) gateway devices can be moved closer to the virtual networks that will end up using them. This has been a trouble spot for SDN, as the only SDN gateways out there are either unaccelerated virtual machines or physical switches outside the realm of virtual networks. Netronome moves these gateways into virtual switches that reside within the hypervisor. Finally we have a hardware-accelerated virtual switch. I can see Netronome being used within VMware NSX deployments.
Barracuda NG Firewall Vx is an interesting use of a firewall to span many different data centers and clouds in order to provide a unified virtual and physical firewall layer. The Vx works within Azure, Amazon, VMware vSphere, KVM, and Xen-based clouds to provide secure communications between IaaS locations. In addition, with the use of Barracuda’s application-based link selection (or adaptive WAN routing agents), it allows a disparate hybrid cloud to seem like one data center. In other words, the NG firewalls know where to send data between clouds based on the application, regardless of IP spaces in use. You also get all the other benefits of a next-gen firewall centrally managed from either a cloud or an on-premises location. Barracuda implemented all this using encrypted tunnels between firewall devices; sounds like a bit of SDN to me.
BehavioSec looks at providing a foundational technology on top of which other vendors can build their products. They concentrate on what is termed continual authentication. They measure the rhythm associated with the usage of a device. Not just timing between clicks, but also the motions used, the jitter as a device moves, and many other measurements. This rhythm can be used to identify one user over another and provides an answer to the question, “How can you prove identity in the cloud?” This starts with identifying the user using the EUC device and ends at the intersection of the data, user, and application.
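To make the idea of rhythm-based continual authentication concrete, here is an added illustration (not BehavioSec's algorithm, code, or data): a keystroke-timing profile built from constructed enrollment samples, then scored window by window with a smoothed confidence that drops toward a step-up threshold when the rhythm stops matching. The interval values, the 2-sigma tolerance, and the 0.6 step-up threshold are all assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed enrollment data: inter-key intervals (ms) for a fixed 8-key
# phrase typed five times by the legitimate user. Invented for illustration.
ENROLLMENT = [
    [110, 95, 140, 88, 120, 105, 160, 92],
    [115, 98, 135, 90, 118, 108, 155, 95],
    [108, 93, 142, 86, 125, 102, 162, 90],
    [112, 97, 138, 89, 121, 106, 158, 93],
    [114, 96, 141, 87, 119, 104, 159, 91],
]
# Constructed test windows: one from the enrolled user, one from someone else.
GENUINE = [113, 94, 139, 89, 122, 103, 157, 94]
IMPOSTOR = [150, 80, 145, 120, 100, 130, 140, 110]

def build_profile(samples, floor=5.0):
    """Per-position mean and standard deviation of the typing rhythm.
    `floor` keeps the deviation from collapsing toward zero on tiny samples,
    which would otherwise reject the genuine user on normal variation."""
    columns = list(zip(*samples))
    return [(mean(c), max(pstdev(c), floor)) for c in columns]

def rhythm_score(profile, sample, tolerance=2.0):
    """Fraction of intervals within `tolerance` standard deviations of the
    enrolled rhythm: 1.0 is a perfect match, 0.0 matches nothing."""
    hits = sum(1 for (mu, sd), x in zip(profile, sample)
               if abs(x - mu) <= tolerance * sd)
    return hits / len(profile)

def continual_auth(profile, windows, alpha=0.5, step_up_below=0.6):
    """Exponentially smoothed confidence across successive typing windows.
    Returns (final confidence rounded to 3 places, index of the first window
    at which confidence fell below the step-up threshold, or None)."""
    confidence = 1.0          # session starts fully authenticated (e.g. after login)
    step_up_at = None
    for i, sample in enumerate(windows):
        confidence = alpha * rhythm_score(profile, sample) + (1 - alpha) * confidence
        if step_up_at is None and confidence < step_up_below:
            step_up_at = i    # policy hook: require a second factor here
    return round(confidence, 3), step_up_at

if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    print(rhythm_score(profile, GENUINE), rhythm_score(profile, IMPOSTOR))
    print(continual_auth(profile, [GENUINE, GENUINE, IMPOSTOR, IMPOSTOR]))
```

The smoothing is what makes this "continual": a single odd window lowers confidence without immediately locking the user out, while a sustained mismatch drives it below the threshold and triggers step-up authentication.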
DB Networks released an SQL injection mitigation device that works within a virtual network. Unlike its other devices, which are physical appliances, the virtual version fits either inline or as a proxy between layers of your virtualized application, without needing to route out of your virtual environment to hit the device and return. In addition, the device makes SQL injection mitigation possible for many clouds in which placing a physical device is not an option.
Co3 Systems was in the innovation sandbox with many others, but it brings something different to the security of your environment, virtual or physical. What Co3 brings is an incident response plan with the ability to pull all teams and players together within the plan in a formal way, while providing measurements on the timeliness of such response.
CloudPassage has really grown since the last time I talked with them. CloudPassage now manages firewalls for Linux and Windows, and it provides many other features necessary for cloud deployments, such as file integrity monitoring, event monitoring, vulnerability scanning, configuration security, and multifactor authentication. All of these features can be tied into a single security policy spanning multiple clouds. CloudPassage manages the services within each virtual machine, moving security as close to the application as possible.
There were many other conversations at RSA Conference surrounding encryption and cryptography in general, as well as one of the best answers to my question on proving identity in the cloud (answer: it is a quantum mechanics problem). I even liked the split show floor this year. It was a time to catch up, grease the mental wheels, and decide to move forward. Technologically, we can secure virtual and cloud environments. We now need to solve the politics.
Expect future articles on reverse proxy technology (Adallom, Skyfence), encryption (Vormetric, AFORE, HyTrust, SafeNet), cryptography (weaknesses within VM encryption), and other virtual firewalls (Fortinet, Palo Alto Networks), all with the aim of securing the hybrid cloud and the software-defined data center.