One of the basic tenets of virtualization security is to protect the management components of your virtualization hosts by placing these all-important components on a separate network. These components often include management servers such as SCOM, vCenter, XenCenter, VirtManager, etc., as well as the management appliances of your virtualization hosts. In essence, a properly configured, firewalled, and monitored virtualization management network is the simplest and most effective security measure that can be taken today within any virtual environment. That is a message shared by Citrix, VMware, myself, and many others.
The problem is that not everything is as black and white as security folks would like. If we implement performance and other management tools, we often need to expose part of our all-important virtualization management network to others. But how do we do this safely and securely, with minimal impact on usability? Why we need to do this at all is another question. You only have to take one look at the Virtualization ASsessment TOolkit (Vasto) to realize the importance of this security requirement. But the question still stands: how do you implement other necessary tools within your virtual environment without impacting usability? We discussed this on the May 5th Virtualization Security Podcast.
VMware released three versions of vCenter Operations: Standard, Advanced, and Enterprise. We have already discussed the abilities of vCenter Operations in vCenter Operations – vSphere Performance, Capacity and Configuration Management with Self Learning Analytics, but is this an integrated and secure implementation of monitoring, or do we need more security than what is provided?
At the time the first article was written there was a bit of vital information we did not have available to us: how to access vCenter Operations Standard or Advanced in a multi-tenant manner. That has now been provided. The vCenter Operations Alive functionality can be accessed directly from a web browser using your VMware vCenter credentials, which allows you to see the Alive status of any VM you have the permissions to view. This is a huge capability, as it now gives me a non-vSphere Client mechanism to view the status of the virtual environment.
This year's Innovation Sandbox at RSA Conference was won by a company little known to virtualization and cloud security vendors: Invincea. However, it makes use of virtualization to aid in security. This year's finalists once more included HyTrust, for the inclusion of what appears to be complete UCS support within the HyTrust Appliance; Symplified, which provides a unified identity within a cloud; and CipherCloud, which encrypts bits of your data before uploading, but not so much encryption that it interferes with sort and other algorithms. Plus other non-cloud-like products: Entersect (non-repudiation in the form of PKI), Gazzang (MySQL encryption), Incapsula (collaborative security for browsers), Pawaa (embedding security metadata within files), Quaresso (secure browsing without browser/OS modifications), and Silver Tail (mitigation).
Last year’s finalists had the same reach of products but many more pure virtualization security vendors, with Altor picking up the win. What is interesting about the field, and indeed all of RSA Conference 2011, is that 2010 looked like a blip on the radar more than anything else. Why? Because nothing on the show floor was really about the cloud or virtualization, but it was always a ready conversation. Last year, everything was about cloud and virtualization, but no one could define anything or tell me how their products fit, except for the virtualization security vendors. The Innovation Sandbox provides a very good feel for the RSA Conference show floor.
I am nearing completion of my ‘dig-out’ from the recent Nor’easter that blew through New England, dumping quite a bit of snow. When you dig out of a snow storm, you start with paths to the garage or car, paths to the utilities, and in some cases paths to the wood pile and other outbuildings. Sooner or later that perfect landscape of white is marred by new mounds of snow and clear-cut paths through it to the various locations on the property. When you look at these paths and the snow is high enough, they look like tunnels. The large tunnels (the driveway) meet smaller and smaller ones. The perfect landscape of snow is now marred. This is just how a firewall looks when you put holes in it to let through various services. The more services, the more tunnels and paths will be cut. When speaking about the cloud or virtual environments, the increase in paths and entry points becomes a serious issue.
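The management-network principle from the opening paragraphs and the tunnel analogy above suggest a simple defender's check: enumerate every path a firewall rule set cuts from outside the management network to a management port, so that each new monitoring integration can be counted and justified. The following is an added example, not code from the original post; the management network 10.10.0.0/24, the port-to-service table, and the rule lines are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values: the virtualization management network and the
# management services hosted on it. Replace with your own environment's values.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")
MGMT_PORTS = {22: "ssh", 443: "vCenter/vSphere Client https",
              902: "ESXi host agent", 5989: "CIM over https"}

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None means any port

def parse_rules(text: str) -> List[Rule]:
    """Parse a simplified rule list: '<allow|deny> <src> -> <dst> <port|any>'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, src, _arrow, dst, port = line.split()
        rules.append(Rule(action, src, dst, None if port == "any" else int(port)))
    return rules

def management_paths(rules, mgmt_net=MGMT_NET, mgmt_ports=MGMT_PORTS):
    """Return every (src, dst, port, service) that an allow rule opens into the
    management network from a source outside it: each tuple is one tunnel."""
    paths: List[Tuple[str, str, int, str]] = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if not dst.overlaps(mgmt_net) or src.subnet_of(mgmt_net):
            continue          # not aimed at the management net, or already inside it
        ports = list(mgmt_ports) if r.port is None else [r.port]
        paths.extend((str(src), str(dst), p, mgmt_ports[p]) for p in ports if p in mgmt_ports)
    return paths

# Constructed sample rule set.
SAMPLE_RULES = """
allow 10.10.0.0/24   -> 10.10.0.0/24  any   # traffic inside the management network
allow 10.20.0.7/32   -> 10.10.0.10/32 443   # one monitoring server to vCenter: one tunnel
allow 192.168.1.0/24 -> 10.10.0.0/24  any   # office LAN to the whole mgmt net: many tunnels
deny  0.0.0.0/0      -> 10.10.0.0/24  any
"""

if __name__ == "__main__":
    for src, dst, port, service in management_paths(parse_rules(SAMPLE_RULES)):
        print(f"tunnel: {src} -> {dst}:{port} ({service})")
```

On the sample rules the single vCenter-only rule yields one tunnel while the broad office-LAN rule yields four, which is the difference the post is asking operators to notice.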
It is the last few days of the year and time for a review of virtualization in 2010. Although VMware was founded in 1998, it was not until 2001 that I first heard of VMware and played with the Workstation product in order to run different flavors of Linux. So for me, 2010 closes out a great year in virtualization as a whole, as well as a decade of virtualization… and what a ride it has been!
Staying focused on 2010, we have had a few things worthy of note. This year we moved past defining what a “cloud” is and really started to discuss how we are going to “secure the cloud.” The term “cloud computing” still leads the way as one of the biggest buzzwords, with most people and companies now having heard of it and planning, one way or another, for deployment options in their own environments. One thing for sure is the need for fully qualified individuals to maintain and design the clouds moving forward.
My conference schedule kept pace with the changes in the virtualization security ecosystem throughout the year. What are those changes?
- Auditors were educated at an ISACA event in Florida about the intrinsic security of most modern Type-1 hypervisors. Throughout the year we saw auditors being educated and becoming more involved in virtualization and cloud security. The advent of CloudAudit and the ISACA and other educational events surrounding virtualization increased throughout the year.