The Virtualization Practice

Virtualization Security

Virtualization Security focuses upon end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds. Virtualization Security starts where the cloud and virtual environments begin: the end user computing device. ...
We follow the user through the virtual and cloud stacks until they reach the application the user wishes to use to retrieve the data that is important to them. Virtualization and cloud security is implemented where there is an intersection between user, data, and application while maintain strict control of management interfaces. As such virtualization security looks into all aspects of security devices, tools, controls, and guides that impact or can be used to secure virtual and cloud environments.

There is nothing like fully understanding the protections inherent within your vNetwork and the Roles and Permissions you can set within the virtualization management tool suites to ensure your vNetwork is secured, audited, and monitored for issues. Just like you do now within the pNetwork. Unlike the pNetwork, the vNetwork provides a certain amount of introspection and capability that is missing from a pNetwork, and this will also help with security.

Can we use some of this Risky Social Behaviors post to aid us in finding an adequate definition for secure multi-tenancy? Perhaps more to the point it can define how we look at multi-tenancy today. On a recent VMware Communities podcast we were told two things that seem contradictory to current security thinking. The first is that going to the cloud reduces your risk, and the second was that the definition of the cloud must include multi-tenancy.

The security companies are looking into all aspects of virtual environment introspection to label, tag, or mark all objects for compliance reasons, inspect the contents of virtual machines for asset management (CMDB), and an early form of Root Kit detection.

Virtualization Security is not just about the firewall, it is about the entire ecosystem, auditing, compliance, and object management.

While doing a quick Google search to find what a Cloud is, I have found several different definitions which depend on which vendor site you pull up. One thing is for sure despite the frequent use of the term, it still means different things to different people and or companies. For my reference point I am going to use the National Institute of Standards and Technology definition referenced by Texiwill’s NIST Cloud Computing Definitions Final article.

During the Virtualization Security Podcast on 5/13, IBM’s David Abercrombie joined us to discuss IBM’s Virtualization Security Protection for VMware (VSP) which contains several exciting uses of the VMsafe API for VMware vSphere. These being:

* Network: Network Monitoring, Firewall, Access Control, and a Protocol Analysis Module
* Memory: Rootkit Detection

The panel of the Virtualization Security Podcast on 5/27/2010 was joined by an attorney specializing in the Internet space. David Snead spoke at InfoSec and made it clear that there was more to secure multi-tenancy than one would imagine. The first question was “how would you define tenant?” which I believe is core to the discussion of SMT as without definitions we have no method of communicating. Before we get to David’s response, we should realize that nearly every one has their own definition of Tenant for a multi-tenant solution.

When working with VMware ESX there are some tips that I can share that can help you manage your environment. This tips are not anything really new or exciting but rather a reinforcement of some best practices to live by in order to improve auditing for compliance and troubleshooting. Use of the following in conjunction with remote logging functionality will improve your compliance stance and improve your ability to troubleshoot over a period of time.

How you may ask? By using a tool that logs all local administrator actions to a remote logging host. There are two ways to do this today for ESX (SUDO and the HyTrust Appliance) and only one mechanism for ESXi and vCenter (the HyTrust Appliance).

PhD Virtual has gained its second round of funding with investment from Citrix amongst others as discussed within our post News: esXpress is no more but what does this mean for XenServer? Up until this point it looked like Citrix was out of the server hypervisor wars and backing Microsoft’s Hyper-V play. Yet this looks on the surface like a basic shift to that direction. Yes, XenServer was placed into the OpenSource community and the latest improvements, such as the Open VSwitch integration and a new releases emphatically say that XenServer is alive and well and that its ecosystem is growing for that matter so is Hyper-V’s.

Java based applications can now be moved between not only a SpringSource TC-Server Java platform on VMware vSphere, but also between the same platform on VMForce, and now Google AppEngine. This level of support from VMware, Salesforce.com, and now Google is starting to make SpringSource look like the early leading technology for PaaS Clouds. This is a significant advance in the state of PaaS clouds as there were previously no examples that offered such broad support for one platform by such a diverse set of industry leaders. However as is always the case, platform advances have outstripped security, management and performance assurance capabilities.