Recently I have had the pleasure of discussing security with a number of cloud providers. Specifically, we talked about what security they implement and how they inform their tenants of security-related issues. In other words, do they provide transparency? I have come to an early conclusion that there are two types of clouds out there: those that provide additional security measures and work with their tenants to improve security, and those who do not. On the Virtualization Security podcast we have discussed this many times, with the conclusion being drawn that many clouds do a better job at security than the average organization does, but that there is no way to know what is implemented, as there is no transparency. Continue reading A Tale of Two Clouds
There has been a dearth of intelligence reporting on cloud services and up until now we had to rely upon the Verizon Breach Report, Alert Logic’s State of the Cloud report, the Enisa and other reports, but even so there was nothing specifically about a given cloud service outside the lightly used Cloud Security Alliances STAR self-certification. Instead you must imply something about a given service. This has changed. Meeting this need is Sky High Networks. Continue reading News: Sky High Networks provides Cloud Service Security Ratings
There are threats to the cloud and there are risks within the cloud. A recent article from Tech Target Search Security blog spurred several thoughts. The main claim here is that there are not enough people who can differentiate threats and risks enough to talk to business leaders who may know very little about security, but do know the business. I have been known to state that there are prominent threats to my data once stored in the cloud and that we should plan to alleviate those threats to reduce our overall risk. But what is the risk?
An analogy comes to mind. Many years ago I ripped my Achilles tendon, and while talking with the doctors they all said that without surgery there was a 50% more likely chance that the Achilles tendon would rip again. So this got me thinking about what they really meant, 50% of what? My next question to the doctors was “how likely is it to fail if I do not have surgery?” Their response was enlightening, there is a 2% failure rate for naturally healed Achilles tendons. Because of that number, I realized that the failure rate for those tendons that undergo surgery is really only 1% vs 2% without. Well that put a different picture on everything. I went without surgery as that particular area of the body has very thin skin, not as much blood flow, and would take a long time to heal from surgery and there was always the risk of picking up something in the hospital, however remote at the time.
So the real question is what is the true risk to an environment if the threat becomes a reality? Continue reading Threats and Risks in the Cloud
On many a Virtualization Security Podcast I tend to mention that we need greater visibility into the cloud to judge whether Cloud Service Provider security measures are good enough. But why should we bother? I am not saying we should not be concerned about a cloud’s security but that we should as tenants be concerned with clouds meeting our security, compliance, and data protection policies and requirements. Will a cloud service provider ever be able to meet a specific organizations requirements as well as the cloud service providers policies and compliance? Continue reading Gaining Visibility into The Cloud: Migration and Security
The Virtualization Field Day delegates joined the Virtualization Security Podcast as guest panelists on 2/23 and the topic of the day was cloud security. There were questions about compliance, security of the tenant, and security of the administrators, and legal issues. There were answers from Rodney Haywood (Rodos), another Virtualization Field Day Delegate and cloud architect as well as the podcast standard panelists. So what did the questions boil down to? Continue reading Virtualization Field Day Delegates Discuss Cloud Security and Compliance
I and others look at Virtualization Security constructs with an eye towards Cloud Security, but they are not necessarily the same. Granted for some clouds, virtualization security can lead to cloud security but this really depends on how the cloud’s architecture. Even so, what we know from Virtualization Security WILL apply to Cloud Security and will be the basis for best practices. But you say, my cloud does not use Virtualizaiton? Ah ha, I say, but it is still a cloud? And that implies there are similar security concerns. This was the discussion on the 1/26 Virtualization Security Podcast. Continue reading Virtualization Security is NOT Cloud Security!