On the June 24, 2014 Virtualization Security Podcast, we discussed SecDevOps with Andi Mann of CA Technologies. Andi pointed out fairly early that he does not like the term or the “DevOpsSec” term. Security needs to be considered at every step of the way, he stressed: neither before nor after Dev, but marching along with DevOps and Agile methodologies. As such, the question that comes to mind is how security can get involved with DevOps and Agile methodologies. So, we came up with some practical advice.
Articles Tagged with Virtualization Security Podcast
On the July third Virtualization Security Podcast, we discussed mobile security with Harry Labana, CPO of CloudVolumes, and Ben Goodman of VMware. Actually, it was not necessarily about mobile security as much as it was about security in accessing corporate data from mobile devices, regardless of device and location of data. What came out of this conversation was twofold: some actionable items you (the end user, security, stakeholders) can take today, and a desire for something more—a way to wrap a security context around some data accessible by any program.
It was all over the web on June 18: Code Spaces went off the air, as we discussed during the Virtualization Security Podcast on 6/19. The reasons are fairly normal in the world of IT and the cloud. They were hacked. Not by subverting the Amazon cloud, but in ways considered more traditional—even mundane. An account password was discovered, either by hacking using one of the seven SSL attacks that exist today or by guessing with the help of inside knowledge gained through social engineering. However the account was hacked, the damage was total. While we may all ask why Code Spaces was attacked, we may never know the answer. Nevertheless, in general such attacks are all about the Benjamins. What lessons can we learn about this attack? How can we improve our usage of clouds to protect our own data, systems, and more from similar attacks?
During the last two Virtualization Security Podcasts, the panel discussed backups as well as scripting related to backups and in general. We went further to discuss the security implications surrounding backups, including whether or not a recovery is required when a site is hacked. The latter raises an important question: what constitutes a disaster that requires recovery? Is recovery needed only for catastrophic failure (which TVP has experienced)? Is it required in response to malfeasance from a disgruntled employee? To an external cyber-attack? Do you classify cyber-attacks as disasters requiring restoration from known-good sources and restoration of data from a backup, or do you use some other means to recover?
Secure multi-tenancy is not just about ensuring security and segregation between tenants. It is also about limiting, auditing, and tracking the activities of a cloud service provider within a tenancy or that touches upon more than one tenant, which of course includes any activity that occurs within the hypervisor, storage, or other layers of the cloud. In the past, I referred to this as the delegate user problem. We were joined by Skyfence (now Imperva) on the April 24 Virtualization Security Podcast to discuss its transparent gateway solution for cloud access, and I had another thought on usage. Perhaps now we can solve the delegate user problem.
It has now been a few weeks since RSA Conference 2014. A number of very disparate items to consider were announced at the conference. We covered some of them on the Virtualization Security Podcast held at the NSS Labs hospitality suite at the conference. Yet there is still more to consider. The impact of the solutions presented and the conversations held at the conference are still being worked out. While RSA Conference seemed about one-third mobile, one-third analytics, and one-third everything else, the products below were chosen due to their impact on virtual and cloud environments.