On 10/6 was held the Virtualization Security Podcast featuring Davi Ottenheimer in his role as a QSA. Davi holds down many roles working with companies such as VMware, yet he maintains his QSA credentials and applies his knowledge of PCI Compliance. In this podcast we ask the question, is a virtual environment always mixed-mode and what to do if your QSA does not have the knowledge required to do the job?
On 9/8 was held the Virtualization Security Podcast featuring Phil Cox, Director of Security and Compliance at RightScale, to discuss the impact of and need for automation of cloud security. Given that we create clouds by automating deployment of workloads we also need to automate the security of those workloads during the same deployment. This podcast delves into that need, and touches on where over automation is also a problem.
VMware announced a loosely coupled group of vCloud providers that will use vCloud Connector to loosely couple their clouds, so that VMs can move from vCloud to vCloud without requiring you to renegotiate pricing, capability, and functionality with multiple cloud vendors, just your local one. This announcement is intriguing in that it is a move to push the cloud into the global space, but also fraught with peril if not done correctly.
VMware has acquired one more company: Shavlik. This acquisition did not come as much of a surprise to me but is an interesting purchase for VMware. There are quite a few Security as a Service vendors that would make sense for VMware to purchase and Shavlik is one of them. The difference between the other vendors and Shavlik is that VMware has a existing track record with Shavlik as Shavlik is integral in two of VMware’s existing products: VMware Go and VMware Update Manager. Shavlik provides a very important patch management system for these existing products and is one line of defense in the security space. Are there other plans for Shavlik? Or this is a way to lock in one set of tools?
In my virtual environment recently, I experienced two major failures. The first was with VMware vNetwork Distributed Switch and the second was related to the use of a VMware vShield. Both led to catastrophic failures, that could have easily been avoided if these two subsystems failed-safe instead of failing-closed. VMware vSphere is all about availability, but when critical systems fail like these, not even VMware HA can assist in recovery. You have to fix the problems yourself and usually by hand. Now after, the problem has been solved, and should not recur again, I began to wonder how I missed this and this led me to the total lack of information on how these subsystems actually work. So without further todo, here is how they work and what I consider to be the definition for fail-safe.
Sooner or later that perfect landscape of white is marred by new mounds of snow and clear-cut paths through it to the various locations on the property. When you look at these paths and the snow is high enough, they look like tunnels. The large tunnels (driveway) meet smaller and smaller ones. The perfect landscape of snow is now marred. This is just how a firewall looks when you put holes in it to let through various services. The more services, the more tunnels and paths will be cut. When speaking about the cloud or virtual environments, the increase in paths and entry points becomes a serious issue.