There are many SaaS and Security SaaS cloud services out there, but they all lack one thing: full visibility. Why do these cloud services limit the ability to perform compliance auditing, forensics, and basic auditing against an organization's data retention, protection, and other necessary policies? Why not just grant the “right to audit”, or better yet, build a way for each tenant to perform their own audit down to the hardware? Why limit this by leaving it out of contracts as well as the technology? It is all feasible.
Articles Tagged with Compliance
At the end of last year and the beginning of this year the Virtualization Security Podcast featured two very different guest panelists to discuss cloud security, policy, and compliance: Phil Cox, Director of Security and Compliance at RightScale, joined us for the last podcast in 2011, and George Gerchow of VMware’s Policy and Compliance Group joined us for the first podcast of 2012. We asked: is the public cloud ready for mission-critical applications? The answer was surprising. Have a listen and let us know your thoughts.
As a delegate for Tech Field Day 6 in Boston, I was introduced to several virtualization and performance management tools from vKernel, NetApp, Solarwinds, Embotics, and a company still in stealth mode. With all these tools and products I noticed that each was not integrated into the roles and permissions of the underlying hypervisor management servers such as VMware vCenter, Citrix XenConsole, or Microsoft System Center. This lack of integration implies that a user with one set of authorizations just needs to switch tools to gain a greater or even lesser set of authorizations. This is not a good security posture and in fact could devolve any security to non-existent.
In 2008 Tripwire made itself known in the virtualization space with the release of two free tools, Tripwire’s ConfigCheck and OpsCheck. By the time 2009 came around, Tripwire was getting itself fully established in the virtual space for the release of its new product, Tripwire’s vWire. vWire was released in the summer of 2009 and then killed by the end of that year as Tripwire shifted its focus to an acquisition it made for log management to expand the capabilities of its flagship product, Tripwire Enterprise.
Although Tripwire seemed to completely drop off the face of the earth, at least from the virtualization space, they continued to grow and expand in the Security and Compliance space led by the continued success of Tripwire Enterprise. All seemed to be going well for Tripwire as they filed for an IPO with the SEC and continued on its way to going public.
It seems those plans for going public have changed or, at the very least, been delayed. It has been announced that the private equity investment firm Thoma Bravo has entered into an agreement to purchase Tripwire Inc for undisclosed terms. Thoma Bravo has quite the portfolio with investments in companies like Attachmate Corporation, LANDesk Software Inc. and SonicWALL Inc. to name a few. I do not think Tripwire Inc will focus on the virtualization space specifically and will continue down the path of being able to monitor and report on as many different types of hardware in the infrastructure that it can. Its lack of focus on cloud computing or virtualization in general may really come back to haunt Tripwire in the near future, but they are jumping on to the bandwagon by changing the marketing approach to add mention of securing the cloud: “Secured by Tripwire – IT Security and Compliance for Cloud and Managed Service Providers”. I really think Tripwire is going to have to work on expanding its own portfolio itself by continuing to innovate and expand its horizons. I was working for Tripwire throughout the creation and release of vWire and have nothing but good things to say about the people and the company itself. I found Tripwire to be an absolutely wonderful place to work and I wish them well and continued success moving forward.
Last year there was a rush of investment in the virtualization security startups which led to some interesting team-ups:
- HyTrust was invested in by Cisco and others.
- Altor Networks was invested in by Juniper and teamed up with Juniper as well.
- Reflex Systems teamed up with Tipping Point.
Missing from this list until now was Catbird Security. Their continuous compliance products were, however, picked up by some rather large customers: Amazon and many government agencies.
Catbird and HyTrust have teamed up to deliver a product that provides front-end access and compliance control for well-understood actions via HyTrust; for all other actions, including intrusions, Catbird Security provides compliance control, firewall, IDS, and IPS. In other words, proactive security via HyTrust and reactive security via Catbird.
When working with VMware ESX there are some tips that I can share that can help you manage your environment. These tips are not anything really new or exciting but rather a reinforcement of some best practices to live by in order to improve auditing for compliance and troubleshooting. Use of the following in conjunction with remote logging functionality will improve your compliance stance and improve your ability to troubleshoot over a period of time.
How you may ask? By using a tool that logs all local administrator actions to a remote logging host. There are two ways to do this today for ESX (SUDO and the HyTrust Appliance) and only one mechanism for ESXi and vCenter (the HyTrust Appliance).