Rightscale has been running into a problem with the simplest of auditing requirements: how to know when someone has logged in. This problem spans nearly all their 100s of SaaS providers used to run their business. Where is the ability to do SaaS Auditing?
At the end of last year and the beginning of this year the Virtualization Security Podcast featured two very different guest panelists to discuss cloud security, policy, and compliance: Phil Cox, Director of Security and Compliance at RightScale, joined us for the last podcast in 2011 and the George Gerchow of VMware’s Policy and Compliance Group, joined us for the first podcast of 2012. We asked is the public cloud ready for mission critical applications. The answer was surprising. Have a listen and let us know your thoughts.
As a delegate for Tech Field Day 6 in Boston, I was introduced to several virtualization and performance management tools from vKernel, NetApp, Solarwinds, Embotics, and a company still in stealth mode. With all these tools and products I noticed that each were not integrated into the roles and permissions of the underlying hypervisor management servers such as VMware vCenter, Citrix XenConsole, or Microsoft System Center. This lack of integration implies that a user with one set of authorizations just needs to switch tools to gain a greater or even lesser set of authorizations. This is not a good security posture and in fact could devolve any security to non-existent.
In a recent document written by virtualization.info and Secure Network of Italy entitled Securing the Private Cloud several issues come to mind. While this is a good document on the availability front of virtualization security, I did not read anything that affected integrity or confidentiality. You cannot be secure if you ignore 2 of the 3 tenants of security.
The future of Virtualization and Cloud Security is being worked on today and there are several projects worth watching. Early guidance from these projects will aid your current virtualization and cloud security policies, procedures, plans, and architectures. (A6, DMTF, CSA, PCI, FDIC, etc.)
I was privileged to speak at the 3rd Annual South Florida ISACA WoW! Event with Robert Stroud, Alan Shimel, and other great speakers. What I discovered from this conference is something I have feared for quite a number of years. Compliance actions are not continuous but often only enacted when the auditor shows up at the door. Secondly, very few auditors raised their hand when I asked if they are working with Virtualization or have customers that virtualize, this was quite a surprise.