The Virtualization Practice

Virtualization Security

Virtualization Security focuses upon end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds. Virtualization Security starts where the cloud and virtual environments begin: the end user computing device. ...
We follow the user through the virtual and cloud stacks until they reach the application the user wishes to use to retrieve the data that is important to them. Virtualization and cloud security is implemented where there is an intersection between user, data, and application while maintain strict control of management interfaces. As such virtualization security looks into all aspects of security devices, tools, controls, and guides that impact or can be used to secure virtual and cloud environments.

The October conference schedule is now complete and it was a tough one but very rewarding. The events that happened in October were numerous and overlapping in some cases. Travel was one week here and the next week there, yet we managed to get through it. Of the mass of conferences, I attended two, IPexpo as a guest and The ExecEvent and Hacker Halted as a speaker. I discovered something very strange, virtualization and cloud security are merely after thoughts. I felt this should have changed by now, but alas this is not the case. Is it that our scope is incorrect, or is it that there is no Return on Investment on security tools, procedures, etc?

The Virtualization Practice was recently offline for two days, we thank you for coming back to us after this failure. The reason, a simple fibre cut that would have taken the proper people no more than 15 minutes to fix, but we were way down on the list due to the nature of the storm that hit New England and took 3M people off the grid. Even our backup mechanisms were out of power. While our datacenter had power, the rest of the area in our immediate vicinity did not. So not only were we isolated from reaching any clouds, but we were isolated from being reached from outside our own datacenter. The solution to such isolation is usually remote sites and location of services in other regions of a county, this gets relatively expensive for small and medium business, can the Hybrid Cloud help here?

There have been a large number of Announcements that have been made for VMworld Copenhagen with respect to virtualization and cloud security. This shows quite an interesting growth in the market, and that even 1 month apart there is still more to be announced within the virtual and cloud security spaces. There are three very interesting announcements that show further integration between vendors.

Whether or not to put data into the cloud has been a debate since clouds were first formed. At a recent conference I was asked:

with all the security issues you brought up, why should I go to the cloud, I do not know the administrators, nor can I gain cloud visibility, so why go to the cloud at all? and if so which cloud?

There are a myriad of reasons to go to the cloud, not the least of which is politics or being told to go to the cloud. When the real question is:

which cloud services is my organization already using and how can I gain control over the data being placed into the cloud.

Link your Clouds using AFORE Cloudlink

AFORE Solutions has created AFORE Cloudlink, which won the Best of VMworld for Security at VMworld 2011 in the United States. Yet, many people were scratching their head saying, who are AFORE and why did they win. AFORE moved from a physical appliance to a virtual appliance about 3 years ago providing a way to move data between data centers in an encrypted fashion, which at the time was desperately needed. After three years they have made quite a few changes, but still have their core functionality, but now included data at rest encryption and the ability to stretch layer-2 and layer-3 networks between locations amongst others.

On 9/22 was held the Virtualization Security Podcast featuring Anil Karmel, Solutions Architect at Los Alamos National Library (LANL), to discuss their implementation of secure multi-tenant Cloud. LANL makes extensive use of the entire VMware product suite from vCloud Director down to the vShield components to implement their SMT cloud. They have also added into their cloud their own intellectual property to improve overall cloud security. It was a very interesting conversation about the state of SMT today.

On 9/8 was held the Virtualization Security Podcast featuring Phil Cox, Director of Security and Compliance at RightScale, to discuss the impact of and need for automation of cloud security. Given that we create clouds by automating deployment of workloads we also need to automate the security of those workloads during the same deployment. This podcast delves into that need, and touches on where over automation is also a problem.

“The latest challenge on the security front isn’t necessarily an exotic new threat vector: it’s the attackers themselves. They’re organized, well-resourced and patient. And there’s no silver technology bullet to effectively combat them.”

This is a very important point, and one that I have seen at other security conferences for the last 5 years or so. However, attacks are possible because there is a lack of confidentiality and integrity of the data held within the systems under attack. So the system becomes the week point.