The Virtualization Practice

Tag Archive for Secure Multi-Tenancy

Christofer Hoff (@Beaker) and I had a short discussion on twitter the other day about the VMware Cloud Director (vCD) security guidance. We both felt it was a bit lite and missed the point of Secure Multi Tenancy. However, I feel even more strongly that people will implement what is in the vCD Guidance, vBlock Security Guidance, and the vSphere Hardening Guidance, and in effect have a completely insecure cloud. These three guides look at the problem as if they were singular entities and not as a whole.

The Wall Street Journal had an interesting article on the United States General Services Administration has approved the acquisition of some cloud services for use by the Federal Government including many of the Google Apps such as Gmail, Google Docs, etc. Since these services are for sale as well as freely available this sounds more like an admission that they can be used. Will other governments follow suit? But should they be used? That is really the question.

There are two sides to any government, the classified and the unclassified. These are general terms that quantify how the government can use services. While all services require quite a bit of security, classified utilization requires even more, in many cases what most would consider to be “uber-security” requirements. The types of requirements that impact usability in some way. Can these tools provide adequate security?

The Virtualization Security Podcast on 7/22 was all about the news of the week with our panelists discussing how this news affects everyone and anyone with respect to Virtualization Security. The news discussed:

* NIST Released their Guide to Security for Full Virtualization Technologies (Draft)
* There is a Security issue with VMware vSphere 4.1
* VMware discussed the new vShield Zones Edge and vShield App products
* HyTrust and Catbird announced a cooperative effort

Encryption is important, encryption within a VM even more important. But the question is how to do this securely without allowing the encryption keys to be seen by an administrator of the virtual environment and that supports vMotion or LiveMigration. The solution is per VM encrypted memory, but something more robust that makes use of hardware, out of band key exchange, and supports vMotion or LiveMigration.

During the Virtualization Security Podcast on 7/8, Vizioncore’s Thomas Bryant joined us to discuss the state of virtualization backup security and forensic use of such backups. In the world of virtualization, backups are performed mostly by 4 distinct vendors: VMware Data Recovery (VDR) and VMware Consolidated Backup (VCB), Vizioncore vRanger, Veeam, and PHD Virtual Backup for vSphere. Each of these provide the most basic of security capabilities:

* Encrypted tunnels for data movement (SSL)
* Encryption of the backup

But in the increasing global nature of businesses and the difference in privacy laws between townships, states, and the need for Secure Multi-Tenancy, backup companies fall short with their products while making it increasing harder to use backups as a source of forensically sound data.

During the Virtualization Security Podcast on 6/22, Steve Orrin of Intel and Dennis Morreau of RSA joined us to discuss the impact of Intel Westmere chips built-in Trusted Platform Module (TPM) and Trusted Execution Technology (TXT) on Cloud and Virtualization Security. TPM is not all that new, but TXT’s usage in virtualization security is new. Both together can form a hardware root of trust for the virtual environment.

At the moment however, these technologies are limited to just providing a secure launch of a well known hypervisor within the hardware. As such they have not been extended to the virtual machine. TXT however solves a very important issue that at the time the book VMware vSphere and Virtual Infrastructure Security was written had theoretical solutions, I speak of Blue Pill style attacks. There were rumors of Hyperguard or Guard Hype tools becoming available, but they are only research projects. TXT on the other hand, offers protection from Blue Pill style attacks.

Can we use some of this Risky Social Behaviors post to aid us in finding an adequate definition for secure multi-tenancy? Perhaps more to the point it can define how we look at multi-tenancy today. On a recent VMware Communities podcast we were told two things that seem contradictory to current security thinking. The first is that going to the cloud reduces your risk, and the second was that the definition of the cloud must include multi-tenancy.

The panel of the Virtualization Security Podcast on 5/27/2010 was joined by an attorney specializing in the Internet space. David Snead spoke at InfoSec and made it clear that there was more to secure multi-tenancy than one would imagine. The first question was “how would you define tenant?” which I believe is core to the discussion of SMT as without definitions we have no method of communicating. Before we get to David’s response, we should realize that nearly every one has their own definition of Tenant for a multi-tenant solution.