On the 2/24 Virtualization Security Podcast we were joined by Davi Ottenheimer and Michael Haines of VMware to discuss vCloud security. This is of quite a bit of interest to many people these days. As VMware adds more and more cloud functionality, how to secure the environment is becoming more and more important. The podcast started with the question: what aspects of the cloud do customers want secured? The answer was intriguing, to say the least.

The answer was surprising, but it is a topic we continually talk about on the podcast: jurisdiction, compliance, and regulatory requirements. In a side conversation, Davi stated that cloud providers are really coming to him and asking "what do we need?" instead of saying "here is my policy for the virtual environment; does anything need to change for the cloud?" In other words, cloud providers are starting with a clean slate.

The clean slate approach may be the best approach going forward as it allows us to concentrate on the areas of most importance while the technology improves to allow for true secure multi-tenancy.

With a clean slate we can think about the real security implications of going to the cloud and determine methods to meet those needs. Some of the concerns are:

  • How to expose GRC data to potential customers? (CloudAudit working group of the Cloud Security Alliance)
  • How to prove identity in the cloud? (RSA and the Cloud Security Alliance are teaming up with other companies to solve this)
  • How to keep data within a specific jurisdiction? (Intel is working on a hardware root of trust to solve this issue)

vCloud security, or any cloud security, seems to be more about GRC (governance, risk, and compliance) these days than about CIA (confidentiality, integrity, and availability), which is what I find very interesting. Virtualization and cloud guarantee us availability, but do not guarantee us confidentiality or integrity. While all the tools discussed do provide confidentiality and integrity from a tenant perspective, we still need to TRUST the administrators to do things correctly.

The conversation in the podcast ranged all over the cloud security space, yet it concentrated not on this issue but on GRC. People are worried more about where their data will end up than about how it can be attacked, which, given privacy laws and responsibility for the data, implies quite a bit. It also implies a level of trust in current cloud security technologies to provide the proper level of security.

Even so, a proper cloud architecture that includes security from the beginning is required.

Edward Haletky (372 Posts)

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.
