On the 8/9 Virtualization Security podcast we continued our discussions on defense in depth with a look at end user computing devices, specifically laptops and end point desktops, with Simon Crosby, CTO of Bromium. While we did also discuss phones and tablets we were focused more on the technology preview that now is Bromium vSentry. Bromium vSentry looks to protect laptops (and others) from unknown and 0-day attacks in a unique hardware assisted way. There is now a new tool in our defense-in-depth toolbox that meets an ever growing need. But what is the need and what is the tool?
On the 7/29 Virtualization Security podcast we continued our discussions on defense in depth. We discussed authentication and authorization with IdentityLogix. IdentityLogix provides a unique solution that correlates users and groups against VMware vSphere’s own role based access control stores. In other words, IdentityLogix can identify if a user or group within active directory has more access to VMware vSphere’s management tools than they were intended to be allowed based not only on the user’s username but on the groups in which the user belongs. Why is this important to know?
Intelligence gathering is an oft overlooked aspect of system and data defense in depth. On the 7/12 Virtualization Security podcast we discussed new and old sources of such intelligence. We were joined by Urvish Vashi, VP of marketing, Alert Logic. Alert Logic has updated their report on cloud based security attacks. Add to this the yearly Verizon Breach and other reports, and we start to have a good handle on intelligence of past and possibly future attacks.
The 6/28 Virtualization Security Podcast we spoke about attacks, defense in depth, and compliance with Davi Ottenhiemer and Matt Wallace. Davi and Matt just published a book on how to defend your virtual environment against attack. Unlike other books, this approaches the problem from the point of view of well know attacks. It even gives examples of some of the more interesting attacks against any of the virtual environments, not just VMware vSphere. The discussion eventually found its way to even newer attacks and their impact on the environment.
The 6/14 Virtualization Security Podcast we spoke about firewall placement within the virtual environment as well as storage based defense in depth. While we covered Encryption on the 5/31 podcast, in the 6/14 podcast we covered other measures when dealing with storage (which will be part of a followup post). This conversation was slightly different than all other firewall discussions, as it was about migrating from a physical environment to a virtual environment, and keeping the same firewall placements. Spurred by a customer, we sought to come to a set of guidelines to follow for defense in depth within the virtual as well as physical and hybrid cloud environments.
The 5/31 Virtualization Security Podcast we spoke to High Cloud Security about encryption as a defense in depth, and where to place encryption within the virtual environment. This lead to an intriguing discussion about what is actually missing from current virtual environments when it comes to encryption. We can encrypt within each VM and we can encrypt within the networking fabric, as well as within the drives themselves, but currently that leaves several vulnerabilities and unencrypted locations that can be used as attack points. While we concentrated on vSphere, what we are discussing applies equally to all hypervisors.