On the third Virtualization Security Podcast of 2011 we were joined by Charlton Barreto of Intel to further discuss the possibility of using TPM/TXT to enhance security within the virtual and cloud environments. We are not there yet, but we discussed in depth the issues with bringing hardware based integrity and confidentiality up further into the virtualized layers of the cloud. TPM and TXT currently provide the following per host security:
Virtualization and Cloud Conferences for the Year
It is often very hard to plan which virtualization and cloud conferences to attend and why. You may need to start your planning now as justification from work could be hard to come by. It may mean you make the decision to go on your own dime. If you do the later, there are some alternative mechanisms that could work for the bigger conferences. The conferences and events I attend every year depend on my status with the organization hosting those events, and whether or not I can get a ‘deal’ as a speaker, analyst, or blogger. So what conferences do I find worth attending? That will also depend on your job role. There is one I would attend regardless of role, and a few I would attend as a Virtualization and Cloud Security person. All are good conferences.
Invincea wins Innovation Sandbox at RSA Conference 2011
This years Innovation Sandbox at RSA Conference was won by a little know company to virtualization and cloud security vendors, its name is Invincea. However, it makes use of virtualization to aid in security. This years finalists once more included HyTrust for the inclusion of what appears to be complete UCS support within the HyTrust Appliance, Symplified which provides a unified identity within a cloud, CipherCloud which encrypts bits of your data before uploading, but not enough encryption to mess with sort and other algorithms. Plus other non-cloud like products: Entersect (non-repudiation in the form of PKI), Gazzang (MySQL Encryption), Incapsula (collaborative security to browsers), Pawaa (embed security metadata with files), Quaresso (secure browsing without browser/OS mods), and Silver Tail (mitigation).
Proving Identity in the Cloud
Unlike last year where there were many virtualization security vendors existed at RSA Conference, there was a noticeable lack of them within booths, yet all of them were here to talk to existing and potential customers. However, there were many vendors offering identity management in the cloud for these I asked the identity management product owners the following question:
How can you prove identity in the cloud?
Distributed Virtual Switch Failures: Failing-Safe
In my virtual environment recently, I experienced two major failures. The first was with VMware vNetwork Distributed Switch and the second was related to the use of a VMware vShield. Both led to catastrophic failures, that could have easily been avoided if these two subsystems failed-safe instead of failing-closed. VMware vSphere is all about availability, but when critical systems fail like these, not even VMware HA can assist in recovery. You have to fix the problems yourself and usually by hand. Now after, the problem has been solved, and should not recur again, I began to wonder how I missed this and this led me to the total lack of information on how these subsystems actually work. So without further todo, here is how they work and what I consider to be the definition for fail-safe.
Knowing where your Data is: Backup Security
On the second Virtualization Security Podcast of 2011, we had Doug Hazelman of Veeam as our guest panelist to discuss backup security. Since most of backup security relies on the underlying storage security, we did not discuss this aspect very much other than to state that the state of the art is still to encrypt data at rest and in motion. What we did discuss is how to determine where your data has been within the virtual or cloud environment. This all important fact is important if you need to know what disks or devices touched your data. An auditing requirement for high security locations. So we can take from this podcast several GRC and Confidentiality, Integrity, and Availability elements