When you think of backup security, many people think of ensuring tapes are off-site or even encryption on media, but what is really required for backup security? There is quite a bit going on when someone performs a backup within the virtual environment, so where does security begin and end for making a single or multiple backups?
Articles Tagged with Texiwill
I recently participated in the InformationWeek Dark Security Virtual Event as a panel member with Hoff, Craig Balding, Chris Wolf, Glenn Brunette, and Jon Oberheide. A very far ranging group of individuals from research, security organizations, analysts, and authors. What is interesting is that most of these same people have joined me on the Virtualization Security Podcast, and the others I hope to have as guests next year. There was one question that set me to thinking even more, do we need a new way of thinking about virtualization security?
The last Virtualization Security Podcast covered PCI, Kurt Roemer and Jeff Elliot who were guests represented PCI. PCI as you hopefully know is working on compliance guidance for payment systems running within virtual machines and the cloud. This early discussion is a plea for people to get involved in reviewing the currently developing white-paper. While they could NOT give any actual guidance during the podcast discussion, they did discuss what was covered.
Over the past year or so I have been thinking pretty heavily about the direction networking is taking within virtualization. In some ways, it appears security has been forgotten or relegated to ‘encrypt’ and forget. However, it takes quite a bit of knowledge and time to properly set up the backbone of an ‘encrypt’ and forget approach to network security, so it does not happen automatically. Instead, we have a proliferation of technologies being used to cut down on cable clutter and thereby consolidate the network. These are all very important concepts. Security practitioners like myself realize that this type of consolidation WILL happen. So what tools are required to either ‘encrypt and forget’ or to protect these consolidated networks?
On the Virtualization Security Podcast from several weeks ago, wh had Craig Balding of the Cloud Security Alliance (CSA) and Peter Mell who heads up Cloud within NIST as guests, who announced the availability of the NIST Cloud Computer Definitions as well as some basic guidance around securely using the cloud. While the NIST definitions were available in draft form prior to a few weeks ago, they are now official definitions, and this is a large step forward for the cloud.
There has been lots of debate on whether to place security tools within a virtual environment, whether such tools are needed, and how these tools should work. Since many of these topics were covered by Hoff’s Rational Survivability blog in the past, I will not revisit them. The premise for this discussion is that yes such security tools are needed, that they do need to be redundant, and they are required to be implemented within your environment. We will answer what tools exist that provide Intrusion Protection and Detection within the virtual environment.