Rightscale has been running into a problem with the simplest of auditing requirements: how to know when someone has logged in. This problem spans nearly all their 100s of SaaS providers used to run their business. Where is the ability to do SaaS Auditing?
There are many SaaS and Security SaaS cloud services out there, but they all lack one thing: full visibility. Why do these cloud offerings limit the ability to perform compliance auditing, forensics, and basic auditing against an organizations data retention, protection, and other necessary policies? Why not just grant the “right to audit”, or better yet, build a way for each tenant to perform their own audit down to the hardware? Why limit this by leaving it out of contracts as well as the technology? It is all feasible.
At the end of last year and the beginning of this year the Virtualization Security Podcast featured two very different guest panelists to discuss cloud security, policy, and compliance: Phil Cox, Director of Security and Compliance at RightScale, joined us for the last podcast in 2011 and the George Gerchow of VMware’s Policy and Compliance Group, joined us for the first podcast of 2012. We asked is the public cloud ready for mission critical applications. The answer was surprising. Have a listen and let us know your thoughts.
As a delegate for Tech Field Day 6 in Boston, I was introduced to several virtualization and performance management tools from vKernel, NetApp, Solarwinds, Embotics, and a company still in stealth mode. With all these tools and products I noticed that each were not integrated into the roles and permissions of the underlying hypervisor management servers such as VMware vCenter, Citrix XenConsole, or Microsoft System Center. This lack of integration implies that a user with one set of authorizations just needs to switch tools to gain a greater or even lesser set of authorizations. This is not a good security posture and in fact could devolve any security to non-existent.
In around 2008 Tripwire started making itself known in the virtualization space with the release of two free tools, Tripwire’s ConfigCheck and OpsCheck. By the time 2009 came around, Tripwire was getting itself fully established in the virtual space for the release of its new product, Tripwire’s vWire. vWire was release in the summer of 2009 and then killed by the end of that year as Tripwire shifted its focus to an acquisition it made for log management to expand the capabilities of its flagship product , Tripwire Enterprise.
Catbird and HyTrust have teamed up to deliver a product that provides front-end access and compliance control for well understood actions via HyTrust, for all other actions, including intrusions, Catbird Security provides compliance control, firewall, IDS, and IPS. In other words, proactive security via HyTrust and reactive security via Catbird.