On the December 18 Virtualization Security Podcast, we were joined by Rafal Los (@Wh1t3Rabbit) to discuss whether it is time for CISOs to move on. Should CISOs start to look beyond simply the problems at hand? Should they drive security into all decisions made at the business and architecture levels? The discussion was mixed, to say the least.
Continue reading In the New Year, Can CISOs Move On?
There are two distinct points of view when discussing cloud security: the tenant’s point of view, and the cloud service provider’s point of view. Both of these points of view are legitimate, but one is often confused for the other, because we discuss cloud security without clarifying which point of view we are taking. However, within each of these points of view there are two distinctly different approaches to cloud security.
It is that time of year again, when we see all the new toys, tools, ideas, and processes that make up the show called VMworld. This year, quite a few changes in virtualization security will be discussed by VMware and other organizations that work with virtual and cloud environments. One of the key messages will be that everyone needs to stop treating virtualization security as something unique and different. Instead of this type of treatment, we have been seeing the extension of existing tools and techniques into virtual and cloud environments. Virtualization and cloud security is a natural progression of all organizational security.
Continue reading Virtualization Security at VMworld
It was all over the web on June 18: Code Spaces went off the air, as we discussed during the Virtualization Security Podcast on 6/19. The reasons are fairly normal in the world of IT and the cloud. They were hacked. Not by subverting the Amazon cloud, but in ways considered more traditional—even mundane. An account password was discovered, either by hacking using one of the seven SSL attacks that exist today or by guessing with the help of inside knowledge gained through social engineering. However the account was hacked, the damage was total. While we may all ask why Code Spaces was attacked, we may never know the answer. Nevertheless, in general such attacks are all about the Benjamins. What lessons can we learn about this attack? How can we improve our usage of clouds to protect our own data, systems, and more from similar attacks?
Continue reading Lessons We Can Learn from the Code Spaces Attack
Are technology companies in the United States now suffering from a slow and agonizing death? In what is being called “The Snowden Effect,” the infamous former National Security Agency contractor’s disclosures revealing the extent of NSA worldwide spying efforts have prompted companies to avoid or leave US technology firms in droves. This has been especially true with regard to US-based cloud services since it was realized that most of the largest US tech companies’ cloud computing systems have had their data accessed by the NSA. This revelation has caused approximately a ten percent drop in customers from cancelled contracts, according to a survey from industry group Cloud Security Alliance. Some argue that President Barack Obama has added fuel to the fire of tech industry problems by emphasizing how the NSA surveillance program focuses on people outside of the United States. One of the biggest problems that plague these US companies is the perception that they are giving their data directly to the NSA.
At nearly every conference, we talk about the lowest-hanging fruit of virtualization security, but we often miss the discussion about the lowest-hanging fruit of cloud security. They are not the same. Are we talking about good SSL hygiene? That is a part of it, but there is something even more basic than that. John Dickson, principal of the Denim Group, joined us on The Virtualization Security Podcast to talk about how people are moving to the cloud and the things they miss.
Continue reading Lowest-Hanging Fruit of Cloud Security