On January 5, 2016, I was joined by Mike Foley, senior technical marketing architect for VMware vSphere Security, and Kapil Raina, HyTrust VP of product marketing, on the Virtualization and Cloud Security Podcast to discuss moving to a hybrid cloud IaaS model. As always, we strive to provide actionable advice. The key question we tried to answer was “Can you just extend your security into your cloud?” The answer was not as simple as one would expect. Have a listen and let us know what you think. In the meantime, here are our thoughts.
Security focuses on end-to-end security, integrity, auditability, and regulatory compliance for virtualization and clouds, the SDDC, and the secure hybrid cloud. Security starts where the cloud and virtual environments begin: the end user computing device.
As part of Security, we follow the user through the virtual and cloud stacks until they reach the application they wish to use for retrieving the data that is important to them. Virtualization and cloud security is implemented where there is an intersection between user, data, and application, while maintaining strict control of management interfaces. As such, we explore all aspects of security devices, tools, controls, and guides that impact or can be used to secure virtual and cloud environments.
Too many times, virtualization and cloud security folks hear that VM Escape is the main worry of security teams. This is far harder to do than most people realize, and requires the attacker to bust through multiple layers of defense in depth! If security teams are worried about VM Escape, then they really do not trust their own defense in depth. They may not even be able to articulate their defense in depth. They may even be confusing VM Escape with Admin Escape. They may just be using this to produce FUD so that they can say no to change. Well, the latter never works. We need to get over this obsession with VM Escape.
Recently, we recorded two virtualization and cloud security podcasts. These podcasts covered what to do after Black Friday and, more recently, what to do before the holiday break. What do you do before and after events? While targeted to specific events, the actionable advice is valid for all events that impact your business. Above all, it is about the business. Security’s goal during these events and breaks is to ensure the business stays running. Much of the advice in these podcasts covers people and process. Technology is there to augment the process. Unfortunately, there is no technology that covers every case. Therefore, you need a good, well-thought-out process.
Symantec has expanded its portfolio by acquiring identity protection firm LifeLock with a $2.3 billion dip into its pockets. Since Symantec divested itself of Veritas at a loss to the Carlyle Group in 2015, it has been looking to move into new markets. It acquired Blue Coat in August for $4.65 billion, a move that was seen to enhance its enterprise offerings.
When investigating the security of various products used on-site, in the cloud, or for clouds, I tend to ask the same set of questions. These focus on identity, compliance, logging, and the like. Specifically, I want to know how the product will integrate with security policy and requirements, as well as with other tools and services in use. Unfortunately, not many pass muster even with regard to these basic questions. Because of this, it is time to define why I ask them, why they are needed, and why you need to consider them as you move forward with your own hybrid cloud products.
Recently, I made two interesting support requests, each to a different company. Both companies asked for the output of many different commands and log files. Both balked once I explained my organization’s security policy. The policy reads simply:
No anonymized data shall be delivered to a 3rd party.
It is a simple statement, but it has a powerful effect on all data being delivered to third parties, even for support. It implies that all user, machine, and service identifiers must be tokenized, encrypted, or outright removed. What must truly remain anonymous within our data? This is not simply a support question, but rather a major issue with all data today. Do we even know what is in our data? Do you?