On the June 24, 2014 Virtualization Security Podcast, we discussed SecDevOps with Andi Mann of CA Technologies. Andi pointed out fairly early that he does not like the term or the “DevOpsSec” term. Security needs to be considered at every step of the way, he stressed: neither before nor after Dev, but marching along with…
On June 24, 2014, a former editor of a now-defunct British tabloid newspaper (some will disagree with the use of the prefix “news”) was found guilty of phone hacking. Phone hacking is the practice of intercepting and listening to a phone’s voicemail messages without the owner’s knowledge or permission.
While at VMworld 2013, I started to ask 5 security questions that have been bothering me for some time now. Some of these questions apparently have no answers currently and others only have operational answers, no technology. Security of a secure hybrid cloud is a mix of procedures, policies, operations, and technology. These questions are about various aspects of virtual and cloud environments that have been nagging at me for some time now as well as problems I have faced managing our own cloud instances. Perhaps you have questions you would like to add to the list, if so please share.
At VMworld 2013 and on the Virtualization Security Podcast there were many conversations about VMware NSX. These conversations ranged from how will we implement this new technology to security, scale, and other technical questions. In addition, NSX and what was needed to make it a reality may be the answer to a nagging security question. Brad Hedlund, from the VMware NSX team, joined the Virtualization Security Podcast to share with us some of the details around VMware NSX prior to the podcast.
At the recent Misti Big Data Security conference many forms of securing big data were discussed from encrypting the entire big data pool to just encrypting the critical bits of data within the pool. On several of the talks there was general discussion on securing Hadoop as well as access to the pool of data. These security measures include RBAC, encryption of data in motion between hadoop nodes as well as tokenization or encryption on ingest of data. What was missing was greater control of who can access specific data once that data was in the pool. How could role based access controls by datum be put into effect? Why would such advanced security be necessary?
Is the cloud too much of a good thing? Virtualization and Cloud Computing have been one of the biggest technological advancements of the twenty first century and it continues to grow at an amazing pace. Cloud computing has started to obtain mass appeal in corporate data centers as it enables the data center to operate like the Internet through the process of enabling computing resources to be accessed and shared as virtual resources in a scalable manner. Each day there seems to be a new announcement or press release about a new product or service that has been released utilizing some form of cloud computing and I do not see this trend changing anytime soon.
On the May 30th Virtualization Security Podcast, Michael Webster (@vcdxnz001) joined us Live from HP Discover to discuss what we found at the show and other similar tools around the industry. The big data security news was a loosely coupled product named HAVEn which is derived from several products: Hadoop, Autonomy, Vertica, Enterprise Security, and any number of Apps. HAVEn’s main goal is to provide a platform on top of which HP and others can produce big data applications using Autonomy for unstructured data, Vertica for structured data, Enterprise Security for data governance and hadoop. HP has already built several security tools upon HAVEn, and I expect more. Even so, HAVEn is not the only tools to provide this functionality, but it may be the only one to include data governance in from the beginning.
I recently read the book Project Phoenix by Gene Kim, Kevin Behr, and George Spafford. If you are in development, IT, and Security it should be #1 on your reading list. In this book the authors discuss all the horrors we hear about in IT with a clear direction on how to fix them. There is politics, shadow IT, over zealous security professionals, over worked critical employees, lots of finger pointing. But there is a clear solution, at least as far as the story goes. We also know that DevOps works, most of the time.
The software defined data center has the potential to expand the control plane well outside of anyone’s control by the simple fact that we do not yet have a unified control mechanism for disparate hardware (networking, storage, and compute), for disparate hypervisors (vSphere, KVM, Xen, Hyper-V), new types of hypervisors (storage and networking), and new ideas at managing SDDC at scale.