My conference schedule kept pace with the changes in the virtualization security ecosystem throughout the year. What are those changes?
- Auditors were educated at an ISACA event in Florida about the intrinsic security of most modern Type-1 hypervisors. Throughout the year we saw auditors educated and becoming more involved in virtualization and cloud security. The advent of CloudAudit and the ISACA and other educational events surrounding virtualization have increased throughout the year.
Redwood City-based MokaFive is bringing its year to a close with two major product announcements, releasing both MokaFive Suite 3.0 and its first cloud offering, the MokaFive Suite Service Provider Edition, on the same day.
MOKAFIVE SUITE 3.0
MokaFive Suite is an enterprise desktop management platform that is used to create and administer layered virtual desktop images called ‘LivePCs’, which execute as guests on a type II hypervisor. LivePC images are authored using the MokaFive Creator, which also serves as a test platform to simulate an end user’s experience. LivePC images can be stored on centralized or distributed file stores. MokaFive also provides support for Amazon S3 storage, which can be of significant value in managing highly distributed environments, and LivePCs can be run directly off USB flash drives. MokaFive LivePCs are effectively hypervisor agnostic; support is currently available for VMware’s free Player and the open source VirtualBox. Beta support for Parallels Workstation is new in MokaFive Suite 3.0, and MokaFive’s own bare metal platform will be shipping in Q1 2011.
When we talk about Cloud Security, the main concept is to separate, as an example, Coke from Pepsi. This implies that tenants cannot impact the availability of each other’s data, the integrity of that data, and the confidentiality of that data. But what does this actually mean? Does this apply to all types of clouds in the same way?
There are three types of cloud families: Private, Hybrid, Public. There are at least 3 types of clouds: SaaS, PaaS, and IaaS. Do the same rules for one cloud family work for all cloud families, as well as for the types of clouds?
I believe the answer is yes.
Christofer Hoff (@Beaker) and I had a short discussion on Twitter the other day about the VMware Cloud Director (vCD) security guidance. We both felt it was a bit light and missed the point of Secure Multi Tenancy. However, I feel even more strongly that people will implement what is in the vCD Guidance, vBlock Security Guidance, and the vSphere Hardening Guidance, and in effect have a completely insecure cloud. These three guides look at the problem as if they were singular entities and not as a whole.
This realization, tied to Chad Sakac’s recent discussion on the 9/22 VMware Communities podcast, leads me to believe that ‘good enough’ is no longer ‘good enough’ from a security perspective. Chad discussed that there need only be the vCloud Director administrator and the vSphere administrator to do the daily heavy lifting, and that there would no longer be the need for security, network, storage, and system specific administrators. In other words, OPEX savings.
The Wall Street Journal had an interesting article on how the United States General Services Administration has approved the acquisition of some cloud services for use by the Federal Government, including many of the Google Apps such as Gmail, Google Docs, etc. Since these services are for sale as well as freely available, this sounds more like an admission that they can be used. Will other governments follow suit? But should they be used? That is really the question.
There are two sides to any government, the classified and the unclassified. These are general terms that quantify how the government can use services. While all services require quite a bit of security, classified utilization requires even more, in many cases what most would consider to be “uber-security” requirements: the types of requirements that impact usability in some way. Can these tools provide adequate security?
The Virtualization Security Podcast on 7/22 was all about the news of the week with our panelists discussing how this news affects everyone and anyone with respect to Virtualization Security. The news discussed: