I just finished reading yet another Multi-Tenancy Design/Overview that claims to be secure or trusted. While I will agree that this particular design does cover Availability and some GRC (Governance, Regulatory, and Compliance), it is severely lacking in Integrity and Confidentiality. The design even went as far as saying the cloud/virtual administrator requires "COMPLETE VISIBILITY." I was really taken aback by those words. Why does an administrator need "COMPLETE VISIBILITY"? Which leads me to the question: are Integrity and Confidentiality possible within any cloud or virtual environment? Or is it purely based on TRUST?
If so, this is an appalling state of virtual and cloud environment security.
I participated in GestaltIT's TechFieldDay, which is a sort of inverse conference where the bloggers and independent analysts go to the vendors and then discuss the information they have received. We visited the following virtualization vendors:
- vKernel where we were introduced to their Predictive Capacity Planning tools
- EMC where we discussed integration of storage into the virtualization management tools as well as other hypervisor integrations
- Cisco where CVN and CVE were discussed in detail.
At the reception at Fenway Park we also had a chance to further our discussion with all these vendors, as well as with Akorri and their BalancePoint software.
What I found interesting is that all of these vendors have noticed that Hyper-V is now of interest to their customer base, so all either have products ready for Hyper-V or are working on products for Hyper-V. Akorri and vKernel have Hyper-V ready products. Cisco and EMC are working with Hyper-V at some level, I suspect.
Cisco-VMware-NetApp (CVN) was discussed on the Virtualization Security Podcast as it pertains to Secure Multi-Tenancy (SMT). This is a major concern that was also discussed at RSA Conference 2010 within the Cloud Security Alliance Summit. The question of how to achieve this goal still remains, however. CVN is a very good start but, as we discussed on the podcast, it is missing some key elements, listed below:
- How to define and identify the various administrator roles: Application Admins, IaaS Administrators, and Cloud Administrators.