The 3/7 Virtualization Security Podcast featured Andi Mann, VP of Strategic Solutions at CA Technologies, and RSA Conference. The conversation was lively, and I invited Andi Mann because of the previous day's tweet chat about cloud security. Lately, I have had several serendipitous conversations on cloud security, from the TweetChat to face-to-face discussions with @Qthrul and meeting @MrsYisWhy in person. Each conversation has been about cloud or virtualization security in some form. Let me delve into them a bit more.
The TweetChat, started by @CloudCommons using the hashtag #CloudViews (http://www.ca.com/us/lpg/cloud/cloud-views.aspx and http://smartenterpriseexchange.com/groups/cloud), brings together cloud luminaries and regular folk in a discussion about cloud in short 140-character statements. The questions on the TweetChat that brought Andi Mann to the Virtualization Security Podcast ranged from "Who is responsible for cloud security?" to the common question of why cloud security is needed at all. There were simplistic answers, from "everyone and everything" to "the board of directors," as well as a view into how the cloud works, its requirements, etc. When it comes to cloud security, some folks want to dial it to eleven while others have no real concern and trust everything; even so, they still want to verify cloud security (at least to meet compliance requirements).
@Qthrul (of VCE)
At SXSW, Jay and I met up briefly and had a short conversation on cloud security, or, more to the point, on the inability to prove identity in the cloud. We still do not know who is at the other end of the smartphone, who actually sent that email, or who is using a service. All we know is that someone is. The conversation, while short, was enlightening, as it ranged to secure phones that require a biometric factor, a possession factor (the phone itself), and a knowledge factor to use. If you can cover all three factors of authentication, then there is a very good chance we can identify who is using the device and therefore the cloud service. The problem is making this part of the device in an easy-to-use way. Perhaps we need a special case design for secure phones that is integral to the device (having it removable would not be good, as you then have to worry about it moving from device to device, etc.).
@MrsYisWhy (of PacketPushers Podcast)
This conversation was very interesting, as it reinforced my thoughts that the virtualization and cloud security conversation is in a reset state. There are groundbreaking companies that embrace virtualization and can get past the 30% virtualized barrier, and when they do, they can get to 90% or greater very quickly; but these were early adopters, probably 2 years along the track. Meanwhile, many more companies are getting stuck at 30% virtualized due to security concerns that have already been hashed out by others. We are now in a reset because of this, and there is a need to revisit the conversation. While this seems like a step backwards, it is really a step in the proper direction and implies that virtualization is so mainstream that everyone is now involved in some way. But it also means that we need to keep moving forward, and the security and virtualization folks need to work as a team to move the ball forward.
Amazon Web Service at SXSW
I found out more about how Amazon implements its cloud security mechanisms at this SXSW show than at any other show or conversation. In the past, when Amazon was asked about security, they would point to a bunch of documents that outline their SAS 70, SOX, and other compliance requirements. This time, however, there was a real conversation about how they separate duties and who can access what and from where: items that are not necessarily covered in compliance documents. This is all very good stuff. If Amazon is ready to discuss how they do things, then there is a shift in the market and we have more ways to verify a public cloud: trust but verify.
Serendipity or not, these conversations have been valuable to me, and I wanted to share the concepts with you. Please check out @CloudCommons (#CloudViews) on Twitter, as the conversations are lively and interesting. I will be taking many of these to heart as I think about my current designs, architectures, and the products that are available. Perhaps we need to think about the virtualization and cloud security problem with a holistic solution of many different vendors and products, ensuring they work together in an automated fashion. We need to solve the identity-in-the-cloud problem while maintaining the other aspects of cloud-based defense in depth (protect the data)!
For more on this please check out the following whitepapers written based on a single hybrid cloud reference architecture:
- Secure Hybrid Cloud Reference Architecture
- Using Application Performance Management for Security
- Trend Micro Deep Security Reference Architecture for the Secure Hybrid Cloud
- Symantec: Security Requirements of Hybrid Clouds: A Product Comparison
While the reference architecture will grow over time, it is a good start and a useful look at where to place security within virtual and cloud environments. It is one starting point for the ongoing cloud security discussion.