There are many SaaS and Security SaaS cloud services out there, but they all lack one thing: full visibility. Why do these cloud services limit the ability to perform compliance auditing, forensics, and basic auditing against an organizations data retention, protection, and other necessary policies? Why not just grant the “right to audit”, or better yet, build a way for each tenant to perform their own audit down to the hardware? Why limit this by leaving it out of contracts as well as the technology? It is all feasible. Continue reading Offering Cloud Services: Why is it so Limited?
Many of the virtualization security people I have talked to are waiting patiently for the next drop of leaked VMware hypervisor code. But the real question in many a mind is whether or not this changes the the threat landscape and raises the risk unacceptably. So let’s look at the current hypervisor threat landscape within the virtual environment to determine if this is the case, and where such source code will impact. Are there any steps one can take now before the code drop is complete to better secure your environment? Continue reading Will access to VMware’s source code change the hypervisor threat landscape?
While at InfoSec World 2012’s summit on Cloud and Virtualization Security, the first talk was on Securing your data. The second was on penetration testing to ensure that data was secure. In essence it has always been about the data but there is a huge difference between what a tenant can do and what the cloud or virtual environment provider can do with respect to data protection and security. This gap is apparently becoming wider instead of smaller as we try to understand tenant vs cloud provider security scopes. There is a lack of transparency with respect to security, but at the same time there are movements to gain that transparency. But secret sauces, scopes, legislation, and lack of knowledge seem to be getting in the way. Continue reading Tenant and Multi-Tenant Security: It’s All About Scope
VMware’s Project Octopus and others like ownCloud and Oxygen Cloud have stirred some interesting ideas about Application Security. Those applications that make use of SSL, nearly every web application, can make use of secure cloud storage for certificate verification means. What makes SSL MiTM attacks possible, is mostly related to poor certificate management. If there was a way to alleviate the need for the user to be involved in this security decision, then SSL MiTM attacks would be significantly reduced. Continue reading Application Security using Secure Cloud Storage
The 3/22 Virtualization Security Podcast brought to light the capabilities of Symantec Critical System Protection (CSP) software. This software successfully implements a manageable version of mandatory access control policies based on role-based and multi-level security functionality within the virtual environment, more specifically on those systems that are critical to the well being and health of your virtual and cloud environments such as all your management and control-plane tools (VMware vCenter, Microsoft SCVVM, XenConsole, etc.). In addition, Symantec CSP will monitor your virtualization hosts for common security issues. This in itself is great news but why are we just hearing about this now? Is this a replacement for other security tools? Continue reading Improving Virtualization and Cloud Management Security with Symantec CSP
The 3/8 Virtualization Security Podcast held a discussion on the happenings as the 2012 RSA Conference in San Francisco as well as a discussion of the features of Bitdefender’s entry into the virtualization and cloud space with their SVE product. RSA Conference high lights not just those security tools for the virtualization and cloud spaces but the entire industry and each year there is always a common theme. Was there one this year? Was there any surprises at the conference? Continue reading RSA Conference Recap and Bitdefender SVE