The Virtualization Practice

Virtualization Security

Virtualization Security focuses upon end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds. Virtualization Security starts where the cloud and virtual environments begin: the end user computing device. ...
We follow the user through the virtual and cloud stacks until they reach the application the user wishes to use to retrieve the data that is important to them. Virtualization and cloud security is implemented where there is an intersection between user, data, and application while maintain strict control of management interfaces. As such virtualization security looks into all aspects of security devices, tools, controls, and guides that impact or can be used to secure virtual and cloud environments.

Application Security within the Virtual and Cloud Environments

Virtualization and Cloud Security architects, pundits, and writers like myself often talk about protecting the data within the virtual and cloud environments. However, in order to protect that data we need to be able to determine how the data will be used, accessed, modified, and eventually removed. So, how can we understand data security without understanding the application around it. But there is an even more fundamental problem, how do we define the application and the security measures we should take?

HP Delivers High Performance and Security to Thin Client Line

As Virtual Desktops become standard components of the entire desktop environment there are increasing demands on the end point devices to provide the performance of legacy desktop computers they are replacing. Devices with more memory, faster processors and expandable peripheral device support are quickly replacing the utility devices most associated with thin clients. On Monday February 13, 2012 HP announced the release a new class of thin client devices that are designed to address the end user performance needs and adds security architecture to combat increasing security threats.

The 2/9 Virtualization Security Podcast was a discussion on when would one use a virtual firewall. This was in response to being told that there are some people that would never use a virtual firewall for anything, and that got me thinking. Outside of the politics involved with using virtual vs physical firewalls, when would you use one? What are the cut offs, and best practices around using virtual firewalls. We were joined by Rob Randell of VMware to discuss this point.

I and others look at Virtualization Security constructs with an eye towards Cloud Security, but they are not necessarily the same. Granted for some clouds, virtualization security can lead to cloud security but this really depends on how the cloud’s architecture. Even so, what we know from Virtualization Security WILL apply to Cloud Security and will be the basis for best practices. But you say, my cloud does not use Virtualizaiton? Ah ha, I say, but it is still a cloud? And that implies there are similar security concerns. This was the discussion on the 1/26 Virtualization Security Podcast.

When you read many blogs and articles on cloud security, writers such as myself often mention jurisdictional issues as a big problem. Nor is the ability to Audit clouds the only problem. Yet both of these are huge issues for clouds today, but fundamentally, is the cloud flawed from a security point of view or are there plenty of security mechanisms available?

The answer is to dramatically narrow the scope and set of enforcement actions for SOPA and PIPA so that they target just offshore sites engaged in large scale commercial piracy and so that the existing safe harbor for sites that take content from users is both maintained and formally recognized as an exception to the scope of SOPA and PIPA. This will ensure that law enforcement can go after the really bad actors, and that the many good and useful sites and are the basis of the “good Internet” are not collateral damage in these enforcement efforts.

I was discussing yesterday how to use virtualization and cloud performance management tools as an early warning system for security issues. I have touched on use of New Relic, VMware vFabric APM, Quest vFoglight, and other tools that can make up such a early warning system before, but without the proper process in place, the tools will not be good enough.

At the end of last year and the beginning of this year the Virtualization Security Podcast featured two very different guest panelists to discuss cloud security, policy, and compliance: Phil Cox, Director of Security and Compliance at RightScale, joined us for the last podcast in 2011 and the George Gerchow of VMware’s Policy and Compliance Group, joined us for the first podcast of 2012. We asked is the public cloud ready for mission critical applications. The answer was surprising. Have a listen and let us know your thoughts.

Data Protection techniques should be implemented and tested long before they are needed. This is a necessary component of any IT organization. However, the most recent communities podcast brought to light several implementation aspects of Data Protection, specifically about Disaster Recovery: organizations still do not test their DR plans and organizations are waiting for a hardware refresh to implement a DR plan.