There is a recent CVE (CVE-2016-9962) that directly affects container security. A patch was quickly forthcoming. This raised some interesting concerns. Specifically, how do you patch a container infrastructure? What needs to be patched? The “what” is easy; the “how” is more difficult. As we move to cloud-native applications, where we tear down apps rapidly and restart them from whole cloth, patching is a crucial issue. There is risk here; the question is how to mitigate such risk. How do you patch for future issues? This was the subject of the virtualization and cloud security podcast this week.
Articles Tagged with Risk
In a recent conversation, I was considering the data about data that abounds for any business, organization, or person. A great deal of data is stored and classified as public information. The metadata around that data is becoming increasingly more valuable. Is this data maintained, curated, monitored, and controlled in any fashion? The answer varies among people and organizations. Yet, the real question concerns not the data we know about, but the data we do not know about: the “unknown unknowns.” Is this data a risk to our business, to our family, or to our livelihoods?
I recently had a number of consulting conversations about IT transformation and adding new Security as a Service products to companies’ existing clouds and tenancies. This is the beginning of IT transformation in many cases. A company has realized it needs to provide security to its tenants while using clouds more securely at the same time. This is a hybrid cloud. The company provides a cloud, yet uses tools from Box, Salesforce, Google, Microsoft, and the like. So, where do we start with IT transformation? With architecture that includes security.
There are threats to the cloud and there are risks within the cloud. A recent article from Tech Target Search Security blog spurred several thoughts. The main claim here is that there are not enough people who can differentiate threats and risks enough to talk to business leaders who may know very little about security, but do know the business. I have been known to state that there are prominent threats to my data once stored in the cloud and that we should plan to alleviate those threats to reduce our overall risk. But what is the risk?
An analogy comes to mind. Many years ago I ripped my Achilles tendon, and while talking with the doctors they all said that without surgery there was a 50% more likely chance that the Achilles tendon would rip again. So this got me thinking about what they really meant, 50% of what? My next question to the doctors was “how likely is it to fail if I do not have surgery?” Their response was enlightening, there is a 2% failure rate for naturally healed Achilles tendons. Because of that number, I realized that the failure rate for those tendons that undergo surgery is really only 1% vs 2% without. Well that put a different picture on everything. I went without surgery as that particular area of the body has very thin skin, not as much blood flow, and would take a long time to heal from surgery and there was always the risk of picking up something in the hospital, however remote at the time.
So the real question is what is the true risk to an environment if the threat becomes a reality?
Can we use some of this Risky Social Behaviors post to aid us in finding an adequate definition for Secure Multi-Tenancy? Perhaps more to the point it can define how we look at multi-tenancy today. On a recent VMware Communities podcast we were told two things that seem contradictory to current security thinking. The first is that going to the cloud reduces your risk, and the second was that the definition of the cloud must include multi-tenancy.
Risk is measured differently by different groups of people, what may be a risk from a business perspective is a different risk from a security perspective. I would agree that from a business and ROI perspective, the cloud looks very attractive. But the statement you ‘reduce risk by going to the cloud’ without qualifiers such as business risk or security risk is delivering an incomplete message.
Business risk is related to the security risk. If your business depends on the security of your data then using the cloud could be a very risky venture at the moment.
There have been several interesting posts in the blogosphere about virtualization security and how to measure it. Specifically, the discussions are really about the size of the hypervisor footprint or about the size of patches. But hypervisor footprints from a security perspective are neither of these. The concern when dealing with hypervisor security is about Risk, not about the size of the hypervisor or the size of a patch it is purely about the Risks associated with the hypervisor in terms if confidentiality, availability, and integrity. Vendors who claim that security is proportional to the size (in GBs) of the hypervisor footprint are spreading FUD.