The VMworld 2016 conference in Las Vegas, Nevada, gave a great deal of attention to both NSX and security this year. While walking around the Solution Exchange floor, I had the opportunity to stop and talk with Tufin about its Tufin Orchestration Suite, which orchestrates security polices across complex, hybrid cloud, and physical environments.
Articles Tagged with Compliance
In a recent Twitter conversation, I asked if serverless is anything new, and if so, where are the documents expressing what is new about it. I was asked in reply if I needed a document to understand the difference between Uber and taxicabs. That got me wondering: is the serverless movement a business plan, or is it an approach to technology? If it is a business plan, then it is about how to make money; if it is an approach to technology, it is about architecture. It could also be a combination of the two. Serverless is also known as servicefull. But before we delve further, let us consider the difference between Uber and taxis.
A big part of the secure hybrid cloud is the need for multi-tenant analytics to determine when security events and compliance issues happen. However, analytics cover many different aspects of security within the hybrid cloud, from being a control point for compliance to handling vulnerability scanning. What are the requirements for multi-tenant analytics?
There is a dilemma for all tenants of a public or private cloud: Scope. Tenants want everything to be in scope. Cloud Service Providers (CSP) want to limit scope to the bare minimum. What does it mean for a Cloud to be ‘PCI Compliant’, and why is this a requirement for some tenants? The real issue is, what is in scope for PCI-DSS while your data is in the cloud, and how can you as the tenant meet those requirements? Remember, in the cloud, scope becomes a huge issue and a dilemma for the tenant, mainly because they may not know the scope of the cloud provider’s audit and may never find it out. So what is this scope issue and can it be fixed?
We recently moved workloads to the public cloud and the public cloud reality does not match the hype, nor does it match the application security requirements of a small or even large organization. There are two sides to the public cloud security discussion, the one that covers management access and the other that covers application security. For the former, you must trust the cloud, however for the later, you basically get the security you bring to the cloud. The public cloud reality is that you do not magically gain application security when using a cloud.
We opened this years virtualization security podcast with Phil Cox, the “Security Guy” at Rightscale, who is working through a tangled problem to meet compliance and auditing goals within the cloud. Rightscale is a 100% cloud based company delivering a solution that is also SaaS based. As such they often run directly into SaaS related issues. Rightscale has been running into a problem with the simplest of auditing requirements: how to know when someone has logged in. This problem spans nearly all their 100s of SaaS providers used to run their business.