On the 4/4 Virtualization Security Podcast, Pete Nicoletti, the chief information security officer for Virtustream, joined us to discuss how VirtuStream does cloud security. VirtuStream runs some of, if not the largest SAP installations in the cloud for very large enterprises around the world. The key to VirtuStream is that they are an Enterprise Cloud that looks at everything from the Enterprise perspective, whether that is billing or security. For security, they have implemented many changes required by their customers and allowed the end-enterprise to dial that security to 11 if necessary. But what does VirtuStream do that is different from all others?
Recently I discussed Virtualizing Business Critical Applications and security, which includes availability, confidentiality, and integrity. However, that discussion was more about visibility into the environment for security operations. I purposely left off the discussion of gaining integrity and confidentiality of the data housed within those business critical applications. Security encompasses a great number of technologies, and those that provide integrity and confidentiality often differ from those that provide visibility into an environment which differ from those that provide availability. Continue reading Virtualizing Business Critical Applications – Integrity & Confidentiality
The 5/31 Virtualization Security Podcast we spoke to High Cloud Security about encryption as a defense in depth, and where to place encryption within the virtual environment. This lead to an intriguing discussion about what is actually missing from current virtual environments when it comes to encryption. We can encrypt within each VM and we can encrypt within the networking fabric, as well as within the drives themselves, but currently that leaves several vulnerabilities and unencrypted locations that can be used as attack points. While we concentrated on vSphere, what we are discussing applies equally to all hypervisors. Continue reading Defense in Depth: Encryption within the Virtual Environment
Many of the virtualization security people I have talked to are waiting patiently for the next drop of leaked VMware hypervisor code. But the real question in many a mind is whether or not this changes the the threat landscape and raises the risk unacceptably. So let’s look at the current hypervisor threat landscape within the virtual environment to determine if this is the case, and where such source code will impact. Are there any steps one can take now before the code drop is complete to better secure your environment? Continue reading Will access to VMware’s source code change the hypervisor threat landscape?
Whether or not to put data into the cloud has been a debate since clouds were first formed. At a recent conference I was asked:
with all the security issues you brought up, why should I go to the cloud, I do not know the administrators, nor can I gain cloud visibility, so why go to the cloud at all? and if so which cloud?
There are a myriad of reasons to go to the cloud, not the least of which is politics or being told to go to the cloud. When the real question is:
which cloud services is my organization already using and how can I gain control over the data being placed into the cloud. Continue reading Going to the Cloud Safely
When CloudFoundry was announced, my first thought was this is a nightmare waiting to happen. Why do I think this?Because I was not thinking about Open Source developers but enterprise developers and the biggest issue with enterprise development is that the data used by developers is either made up data, but more often than not is actual production data. So the question becomes how can such data be protected when using PaaS public clouds? Continue reading How to Use the Cloud for Development, Safely