On the 2/24 Virtualization Security Podcast we were joined by Davi Ottenheimer and Michael Haines of VMware to discuss vCloud security. This is of quite a bit of interest to many people these days. As VMware adds more and more Cloud functionality, how to secure the environment is becoming more and more important. The podcast started with the question what aspects of the cloud do customers want secured. The answer was intriguing to say the least.
On the third Virtualization Security Podcast of 2011 we were joined by Charlton Barreto of Intel to further discuss the possibility of using TPM/TXT to enhance security within the virtual and cloud environments. We are not there yet, but we discussed in depth the issues with bringing hardware based integrity and confidentiality up further into the virtualized layers of the cloud. TPM and TXT currently provide the following per host security:
It is often very hard to plan which virtualization and cloud conferences to attend and why. You may need to start your planning now as justification from work could be hard to come by. It may mean you make the decision to go on your own dime. If you do the later, there are some alternative mechanisms that could work for the bigger conferences. The conferences and events I attend every year depend on my status with the organization hosting those events, and whether or not I can get a ‘deal’ as a speaker, analyst, or blogger. So what conferences do I find worth attending? That will also depend on your job role. There is one I would attend regardless of role, and a few I would attend as a Virtualization and Cloud Security person. All are good conferences.
• • 3 Comments
The right approach to monitoring a virtual or cloud based environment is to start with a clean sheet of paper, determine your requirements, and assemble a horizontally layered solution out of best of class vendor solutions that address each layer. Vendors should be evaluated on their mastery of one or more layers, their ability to keep up with the change in that layer, and their ability to integrate with adjacent layers.
Unlike last year where there were many virtualization security vendors existed at RSA Conference, there was a noticeable lack of them within booths, yet all of them were here to talk to existing and potential customers. However, there were many vendors offering identity management in the cloud for these I asked the identity management product owners the following question:
How can you prove identity in the cloud?
While we may well be on the road towards VMware becoming the layer of software that talks to the hardware in the data center – removing Microsoft from that role, this is not the end of Windows. If Windows were just an OS, it would be severely threatened VMware insertion into the data center stack. But Windows is not just an OS. Windows is also a market leading applications platform with .NET have a far greater market share and base of developers than vFabric. Windows is also in the process of becoming a PaaS cloud – one that will be living at Microsoft, at thousands of hosting providers, and at probably every enterprise that is a significant Microsoft customer. This incarnation of Windows is at the beginning of its life, not the end.
The next true IT industry revolutionary product will be software, virtualization and cloud technology that does not require underlying physical hardware resources (servers, network and disk storage). While we wait for that revolutionary technology to appear outside of marketing or computer generated animations, there remains the need to protect cloud and virtual environments and their underling disk storage. Underlying disk storage includes among others solid state device (SSD) as well hard disk drive (HDD) and Removable Hard Disk Drive (RHDD) packaged in different types of solutions accessed via shared SAS, iSCSI, FC, FCoE or NAS.
In my virtual environment recently, I experienced two major failures. The first was with VMware vNetwork Distributed Switch and the second was related to the use of a VMware vShield. Both led to catastrophic failures, that could have easily been avoided if these two subsystems failed-safe instead of failing-closed. VMware vSphere is all about availability, but when critical systems fail like these, not even VMware HA can assist in recovery. You have to fix the problems yourself and usually by hand. Now after, the problem has been solved, and should not recur again, I began to wonder how I missed this and this led me to the total lack of information on how these subsystems actually work. So without further todo, here is how they work and what I consider to be the definition for fail-safe.