The Virtualization Practice

Virtualization Security

Virtualization Security focuses upon end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds. Virtualization Security starts where the cloud and virtual environments begin: the end user computing device. ...
We follow the user through the virtual and cloud stacks until they reach the application they use to retrieve the data that matters to them. Virtualization and cloud security is implemented at the intersection of user, data, and application, while maintaining strict control of the management interfaces. As such, virtualization security covers all of the security devices, tools, controls, and guides that affect, or can be used to secure, virtual and cloud environments.

Threat Analysis: Layers upon layers

When we think of the threat to a virtual environment or the cloud, what do we think about? First, it is important to understand how the cloud is layered on top of the virtual environment. Given a cloud stack, where are the entry points for SaaS, PaaS, IaaS, and cloud management? At the recent Minneapolis VMUG I attempted to relay that information to the attendees. Once we understood the layers, we could concentrate on the threat vectors to the cloud and virtual environment.

In the last Virtualization Security Podcast on 12/16 we had with us James Urquhart, who manages cloud computing infrastructure strategy for the Server Provider Systems Unit of Cisco Systems. James is the author of the popular C|NET blog The Wisdom of Clouds, and he shared some of that wisdom with us over the hour. The discussion covered what is preventing people from entering the cloud, why people are reluctant to do so, and why private and hybrid clouds are going to stick around for quite a while and are not a passing fad.

Blade Physical-Virtual Networking and Virtualization Security

I have been thinking about blades and virtualization security for some time, spurred on by a conversation with Brad Hedlund six months ago. Nearly all my customers use blades, and virtualization security is a big concern for them. In my Rethinking vNetwork Security article, I touched on some of the issues in response to Brad’s comments a while back. I would now like to expand that discussion to blades.

There are three sets of blade enclosures I would like to discuss: those that use pass-through networking, those that use a standard switching fabric within the enclosure, and those that use flexible interconnects such as HP Flex-10 and Cisco Palo adapters. The last is the so-called physical-virtual network device.

In the last Virtualization Security Podcast on 12/2 we had with us members of the PCI DSS Virtualization Special Interest Group (SIG). Kurt Roemer of Citrix and Hemma Prafullchandra of HyTrust joined us to discuss the changes in PCI DSS 2.0 with respect to virtualization. In essence, PCI DSS now explicitly calls out the need to bring virtualization, people, and processes into scope.

As we discussed in a previous article, PCI DSS 2.0 does not state exactly what needs to be assessed within the virtual environment, or even which part of the virtual environment is a concern for each requirement of the PCI DSS. What PCI DSS 2.0 does do is change the language, however subtly, so that technologies employing shared resources are now acceptable.

The PCI Security Standards Council published its latest PCI guidance in the form of PCI DSS 2.0, but quickly followed up with the document Navigating the PCI DSS v2.0. The Navigating document is very important to those who have virtual systems, as it contains the basic guidance about virtualization, while PCI DSS 2.0 itself does not provide anything specifically geared towards virtualization. However, there is an adjunct document that does lay out the PCI SSC's thoughts on virtualization; this is stated within the Navigating the PCI DSS (v2.0) document.