It is that time of year again, when we see all the new toys, tools, ideas, and processes that make up the show called VMworld. This year, quite a few changes in virtualization security will be discussed by VMware and other organizations that work with virtual and cloud environments. One of the key messages will be that everyone needs to stop treating virtualization security as something unique and different. Instead of this type of treatment, we have been seeing the extension of existing tools and techniques into virtual and cloud environments. Virtualization and cloud security is a natural progression of all organizational security.
Articles Tagged with Xceedium
As your software-defined data center (SDDC) grows, so does the quantity of privileged accounts. This was the discussion on the Virtualization Security Podcast of February 13, 2014, where we were joined by Thycotic Software. Privileged accounts are used by administrators and others to fix issues, set up new users, add new workloads, move workloads around your SDDC, harden those workloads, and perhaps even log in to just pull down logs for further use. The list of reasons to use privileged accounts is as endless as your system administrator’s stack of work. Yet today, almost always, access to these accounts is made by those who know the password.
The hybrid cloud has 100s if not 1000s of APIs in use at any time. API security therefore becomes a crucial part of any hybrid cloud environment. There are only so many ways to secure an API: we can limit its access, check the commands, encrypt the data transfer, employ API-level role-based access controls, ensure we use strong authentication, etc. However, it mostly boils down to depending on the API itself to be secure, because while we can do many things on the front end, there is a chance that once the commands and actions reach the other end (cloud or datacenter), the security could be suspect. So how do we implement API security within the hybrid cloud today?
By far, the lowest hanging fruit of virtualization and cloud environment security is the segregation of your management control from your workloads. Separation of data and control planes has been recommended for everything from storage (EMC ViPR) up to the workloads running within virtual machines. The same holds true for cloud and virtual environment management tools, tasks, and functions. Up to now there have been very few choices in how such segregation could be implemented. They have been limited to using properly placed firewalls or to using some form of proxy, and the only proxy available was HyTrust. But this has changed. There are some other tools that will help with this segregation of data from control; do they give the level of auditing we require to solve the delegate user problem?
As I met with people at RSA Conference last week, the common question was: What was interesting and new? My view was from the world of virtualization and cloud security, which often differs from general or mobile security. This show was more about general and mobile security than it was about virtualization and cloud security due to the confluence of VMware Partner Exchange (PEX) and RSA Conference. There were quite a few things that were new from the show floor, RSA Innovation Sandbox, and other conversations.