Too many times, virtualization and cloud security folks hear that VM Escape is the main worry of security teams. This is far harder to do than most people realize, and requires the attacker to bust through multiple layers of defense in depth! If security teams are worried about VM Escape, then they really do not trust their own defense in depth. They may not even be able to articulate their defense in depth. They may even be confusing VM Escape with Admin Escape. They may just be using this to produce FUD so that they can say no to change. Well, the latter never works. We need to get over this obsession with VM Escape.
Articles Tagged with defense-in-depth
On the last Virtualization Security podcast, our guest was Robert Rounsavall, CEO of Trapezoid. Trapezoid is looking into how to alleviate supply chain security issues; in essence, the security of the hardware. At many a presentation, I have asked attendees, “Do you trust the hardware?” Many times the answer is that they do; at other times, it is that they do not. Whether you trust the hardware depends entirely on your thoughts with respect to hardware security. But what can you do about hardware security? What is the worst that can happen if the hardware is infiltrated?
On many a Virtualization Security Podcast I tend to mention that we need greater visibility into the cloud to judge whether Cloud Service Provider security measures are good enough. But why should we bother? I am not saying we should not be concerned about a cloud’s security but that we should as tenants be concerned with clouds meeting our security, compliance, and data protection policies and requirements. Will a cloud service provider ever be able to meet a specific organizations requirements as well as the cloud service providers policies and compliance?
The 6/14 Virtualization Security Podcast we spoke about firewall placement within the virtual environment as well as storage based defense in depth. While we covered Encryption on the 5/31 podcast, in the 6/14 podcast we covered other measures when dealing with storage (which will be part of a followup post). This conversation was slightly different than all other firewall discussions, as it was about migrating from a physical environment to a virtual environment, and keeping the same firewall placements. Spurred by a customer, we sought to come to a set of guidelines to follow for defense in depth within the virtual as well as physical and hybrid cloud environments.
2011 saw a shift in how virtualization security was viewed and it showed in the way companies teamed up to address those needs. Even so, the most basic of issues still exist: The thought that once you virtualize you are more secure, and the lack of general protection for the management constructs of a virtual or hybrid cloud environments. These two concepts have hindered adoption of virtualization security in 2011. Even so, there has been a steady shift through out the year as more and more companies talk about virtualization security. VMware has definitely lead the pack with its vShield Product line and its unified view of virtualization security. Other hypervisor vendors are also discussing virtualization security through their ecosystem, if not directly. 2011 saw many companies forging their own partnerships to augment and compete in this space. Will the hindrance continue? Will these partnerships continue into 2012? Or will we see more consolidation of the virtualization security market?