Everyone uses the cloud. It is a plain, simple fact that everyone uses at least one consumer cloud and that those consumer clouds (iCloud, Google, Dropbox, etc.) translate into cloud usage within the workplace. The workforce likes to get its job done, and part of doing that is using the tools they know, regardless of how IT feels about everything. In the past, IT would block access to those consumer-grade tools with the mistaken thought that they were not secure, that data was leaking, or that they were just plain bad to use. That is not the opinion of the workforce. IT did not substitute anything in place of those tools, so in many cases, IT became marginalized, shadow IT propagated, and we are now behind the eight ball when it comes to having a solid plan on how to handle the cloud tools. Because the workforce uses these Software as a Service (SaaS) tools, we are working within the world of the hybrid cloud.
Continue reading Ready or Not, Hybrid Cloud Is Here
Have you ever wondered what was going on within a cloud regardless of type? SaaS? PaaS? IaaS? Do you need to audit these environments to ensure compliance with your security policy (not to mention the subset of your security policy that contains regulatory compliance)? To provide solutions for these issues, a number of companies both new and old have put forward various tools that utilize proxies, reverse proxies, and transparent gateways to uncover what is happening within a SaaS application. The goal is to know who did what, when, where, how, and hopefully why.
When we look at the Secure Hybrid Cloud, we notice a few things immediately, such as the need to look at how the data is moving, where the users are going, and the fact that they may never touch the data center component of the cloud at all. Our worldview has to change to be more user-, app-, and data-centric. Hybrid cloud security fails if we continue to consider our data center protections enough, as the bastions have moved and we may not know how that happened.
Continue reading Hybrid Cloud Security Is Bastionless (or “Who Moved My Moat!”)
The hybrid cloud has 100s if not 1000s of APIs in use at any time. API security therefore becomes a crucial part of any hybrid cloud environment. There are only so many ways to secure an API: we can limit its access, check the commands, encrypt the data transfer, employ API-level role-based access controls, ensure we use strong authentication, etc. However, it mostly boils down to depending on the API itself to be secure, because while we can do many things on the front end, there is a chance that once the commands and actions reach the other end (cloud or datacenter), the security could be suspect. So how do we implement API security within the hybrid cloud today?
Continue reading API Security within the Hybrid Cloud
As I met with people at RSA Conference last week, the common question was: What was interesting and new? My view was from the world of virtualization and cloud security, which often differs from general or mobile security. This show was more about general and mobile security than it was about virtualization and cloud security due to the confluence of VMware Partner Exchange (PEX) and RSA Conference. There were quite a few things that were new from the show floor, RSA Innovation Sandbox, and other conversations.
Continue reading RSA Conference: What was Interesting