The Virtualization Practice

Virtualization Security

Virtualization Security focuses upon end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds. Virtualization Security starts where the cloud and virtual environments begin: the end user computing device. ...
We follow the user through the virtual and cloud stacks until they reach the application the user wishes to use to retrieve the data that is important to them. Virtualization and cloud security is implemented where there is an intersection between user, data, and application while maintain strict control of management interfaces. As such virtualization security looks into all aspects of security devices, tools, controls, and guides that impact or can be used to secure virtual and cloud environments.

With the diversity of cloud’s available today, data being sent from one to another could appear to be a hodge-podge of security. As one colleague put it recently when I asked what he was expecting to maintain integrity of data in motion between clouds:

“… what kind of kludge can things end up being when you have multiple connections to multiple hybrid clouds all doing different things” — Steve Beaver

So how does data transfer between the clouds? Is it a kludge? or can it be done using a uniform security policy, procedures, and protocols while maintaining Integrity and Confidentiality and auditability?

VMware released 3 versions of vCenter Operations, standard, advanced, Enterprise. We have already discussed the abilities of vCenter Operations vCenter Operations – vSphere Performance, Capacity and Configuration Management with Self Learning Analytics but is this an integrated and secure implementation of monitoring or do we need more security than what is provided?

At the time the first article was written there was a bit of vital information we did not have available to us. That is how to access vCenter Operations Standard or Advanced in a multi-tenant manner, that has now been provided. vCenter Operations Alive functionality can be accessed directly from a web browser using your VMware vCenter Credentials, which allows you to see the Alive status of any VM you have the permissions to view. This capability is a huge capability, as it now allows me to provide a non-vSphere Client mechanism to view the status of the virtual environment.

Security as a Service: Is it Safe?

Last week I spoke with two different Security as a Service vendors, each with their own approaches to security as a service. The first company I spoke to was CloudPassage who just exited stealth mode in time for RSA Conference, and Zscaler who is a well known company. Both provide Security as a Service with a similar approach by a different design. Both make use of large grids or computers to do all the heavy lifting of security, but from there they differ completely. While there is some overlap in the products, the different designs show us multiple ways to implement Security as a Service.

I just finished reading, yet another Multi-Tenancy Design/Overview that claims to be secure or trusted. While I will agree that this particular design does cover Availability and some GRC (Governance, Regulatory, and Compliance) it is severely lacking in Integrity and Confidentiality. The design even went as far as saying the cloud/virtual administrator requires “COMPLETE VISIBILITY.” I was really taken aback by those words. Why does an administrator need ‘COMPLETE VISIBILITY?’ Which leads me to the question is Integrity and Confidentiality possible within any cloud or virtual environment? Or is it purely based on TRUST?

If so this is an appalling state of virtual and cloud environment security.

On the 2/24 Virtualization Security Podcast we were joined by Davi Ottenheimer and Michael Haines of VMware to discuss vCloud security. This is of quite a bit of interest to many people these days. As VMware adds more and more Cloud functionality, how to secure the environment is becoming more and more important. The podcast started with the question what aspects of the cloud do customers want secured. The answer was intriguing to say the least.

On the third Virtualization Security Podcast of 2011 we were joined by Charlton Barreto of Intel to further discuss the possibility of using TPM/TXT to enhance security within the virtual and cloud environments. We are not there yet, but we discussed in depth the issues with bringing hardware based integrity and confidentiality up further into the virtualized layers of the cloud. TPM and TXT currently provide the following per host security:

It is often very hard to plan which virtualization and cloud conferences to attend and why. You may need to start your planning now as justification from work could be hard to come by. It may mean you make the decision to go on your own dime. If you do the later, there are some alternative mechanisms that could work for the bigger conferences. The conferences and events I attend every year depend on my status with the organization hosting those events, and whether or not I can get a ‘deal’ as a speaker, analyst, or blogger. So what conferences do I find worth attending? That will also depend on your job role. There is one I would attend regardless of role, and a few I would attend as a Virtualization and Cloud Security person. All are good conferences.

This years Innovation Sandbox at RSA Conference was won by a little know company to virtualization and cloud security vendors, its name is Invincea. However, it makes use of virtualization to aid in security. This years finalists once more included HyTrust for the inclusion of what appears to be complete UCS support within the HyTrust Appliance, Symplified which provides a unified identity within a cloud, CipherCloud which encrypts bits of your data before uploading, but not enough encryption to mess with sort and other algorithms. Plus other non-cloud like products: Entersect (non-repudiation in the form of PKI), Gazzang (MySQL Encryption), Incapsula (collaborative security to browsers), Pawaa (embed security metadata with files), Quaresso (secure browsing without browser/OS mods), and Silver Tail (mitigation).

Unlike last year where there were many virtualization security vendors existed at RSA Conference, there was a noticeable lack of them within booths, yet all of them were here to talk to existing and potential customers. However, there were many vendors offering identity management in the cloud for these I asked the identity management product owners the following question:

How can you prove identity in the cloud?