Virtualization & Cloud Security Ep 1

We are trying out a new format for the Virtualization & Cloud Security Podcast: video. We’ll post it up on YouTube as well as posting it via Talkshoe and iTunes. In this episode, Mike Foley (@mikefoley) of VMware Technical Marketing joins me to discuss IoT security, the RSA Conference, and hardening guides. We have spoken about the last item quite a few times and featured the RSA Conference on a previous podcast as well. IoT security is now something very interesting.

IoT devices are available for the home, the office, and industry. These devices open new frontiers of security issues, while still maintaining some of the same old security headaches. IoT devices need to handle the following environments and their attendant use cases.

  • Home: Need to protect privacy and home, and to avoid notifying “bad guys” about absences or signaling that someone is home alone
  • Office: Used to track employees and to log in to systems without the need for passwords
  • Industry: Used to control critical physical infrastructure systems, such as power

All of these security fronts should be protected. In the podcast, we comment on some of the weaknesses we find in home and office systems. Industrial systems and SCADA systems have been covered quite a bit already, so we don’t delve too deeply into them.

We talk about the RSA Conference as well. There is a group of folks who are conspicuous by their absence, and this reflects a change in the conference. The RSA Conference has changed from a technology conference to a marketing conference. I personally go to see the vendors on the show floor and to find out what’s new, like the Innovation Sandbox. For the last few years, the main themes of the show have been reactive rather than forward thinking.

We are in a hole with respect to security, and most people are reacting instead of planning. There is a growing need to plan a systems approach to security instead of reacting and buying the buzzword of the day. I hope to find out if there is a systems approach to security with a mix of vendors instead of one that believes it is the panacea. I do not believe MSPs that specialize in security provide a systems view to security; they are selling their services, not the technology they use. Cloud providers are the same way, or at least the good ones are, such as Virtustream, Amazon, Microsoft, Rackspace, IBM, etc.

How do you approach IoT security? Are you using IoT at home or the office?

Lastly, we talk about hardening guides and how they are targeted to a given product or operating system but don’t provide a systems approach to security. The gaps left by using too many hardening guides are the security gaps that a systems approach should cover.

How do you look at systems security? Are all your policies targeted to products, or do they look at how those products intermix?