Virtualizing Business Critical Applications is often stopped either by the sudden involvement of security and compliance, a need to better understand, or a need to gain visibility into the underlying security of the virtual environment in order to build new security and compliance models. As we have commented on the Virtualization Security podcast many times, security and compliance teams need to be involved from the beginning. However, this is not a discussion about involvement but about the tools that will help security and compliance to gain the necessary visibility into the security of their virtual environments and therefore allow for the virtualizing of business critical applications. Continue reading Virtualizing Business Critical Applications – Security and Compliance
The 12/13 Virtualization Security Podcast featured George Reese, CTO on enStratus, as our guest panelist. We discussed Cloud API security or more to the point the lack of real cloud API security. To paraphrase George: Some got it, others do not. So what makes up a good cloud API? how can we fix broken cloud APIs? Continue reading Cloud API: In-Security?
On the 11/29 Virtualization Security Podcast Omar Khawaja the global managing principle at Verizon Terremark Security Solutions joined us to discuss Verizon’s 12 step program for entering the cloud (found on slideshare). This 12 step program concentrates on the IT and Security admins working together with the business to identify all types of data that could be placed into the cloud, and to classify that data. Once this is complete, the next steps are to understand the compliance and security required to protect the data and to access the data. It is a Data Centric approach to moving to the cloud. Continue reading 12 Step Program to Enter the Cloud
At a dinner party recently, I was asked “does information want to be free?” This question is based on information that exists within the cloud today or tomorrow: Data in the Cloud. It is an interesting question with a fairly ready answer. Information is Power, it is people not information that controls information. Granted we have a massive abundance of information within the cloud today, is it trying to be free, or are people trying to make it free to everyone? In addition, is all this information even true or accurate? Continue reading Data in the Cloud: Does Information want to be Free?
On the last Virtualization Security podcast, our guest was Robert Rounsavall, CEO of Trapezoid. Trapezoid is looking into how to alleviate supply chain security issues; in essence, the security of the hardware. At many a presentation, I have asked attendees, “Do you trust the hardware?” Many times the answer is that they do; at other times, it is that they do not. Whether you trust the hardware depends entirely on your thoughts with respect to hardware security. But what can you do about hardware security? What is the worst that can happen if the hardware is infiltrated? Continue reading Defense in Depth: Hardware Security
On many a Virtualization Security Podcast I tend to mention that we need greater visibility into the cloud to judge whether Cloud Service Provider security measures are good enough. But why should we bother? I am not saying we should not be concerned about a cloud’s security but that we should as tenants be concerned with clouds meeting our security, compliance, and data protection policies and requirements. Will a cloud service provider ever be able to meet a specific organizations requirements as well as the cloud service providers policies and compliance? Continue reading Gaining Visibility into The Cloud: Migration and Security