On the 4/4 Virtualization Security Podcast, Pete Nicoletti, the chief information security officer for Virtustream, joined us to discuss how VirtuStream does cloud security. VirtuStream runs some of, if not the largest SAP installations in the cloud for very large enterprises around the world. The key to VirtuStream is that they are an Enterprise Cloud that looks at everything from the Enterprise perspective, whether that is billing or security. For security, they have implemented many changes required by their customers and allowed the end-enterprise to dial that security to 11 if necessary. But what does VirtuStream do that is different from all others?
VirtuStream has a series of security partners that separately are pretty interesting for cloud security but together cover a wide range of the Spectrum of Hybrid Cloud Security. Not only do they provide segregation of duties at all levels, logging, but they also provide multiple layers of encryption. In the article Virtualizing Business Critical Applications – Integrity & Confidentiality we discussed encryption up and down the virtual and cloud stacks. VirtuStream encrypts at least within two of the layers within the stack: In App Encryption via Vormetric and via a Virtual Storage Appliance using SafeNet’s Protect-V technology.
Why two levels of encryption?
because not everyone wants to do full disk encryption when they are only concerned about small bits of data within a database, which is where Vormetric comes into play.
In addition to encryption, Virtustream imposes the latest vSphere Hardening Guide onto its host nodes, while limiting downtime. Of course, all changes go through their security lab, that is apparently very well outfitted, before being applied to their Enterprise cloud used by their customers who expect Zero downtime.
All in all, VirtuStream uses its own cloud management tool, Xstream, and in doing so can become hypervisor agnostic. But they still have the same issue as everyone else currently, how to move data between clouds built of disparate hypervisors. While they can, it is still a shutdown and copy.
In short VirtuStream does the following:
- Limits access to virtualization host consoles and treats it as break glass with additional logging
- Limits access to virtualization and cloud management consoles (the lowest hanging fruit of virtualization and cloud security)
- Allows the tenant (which they vet before bringing them into their cloud) to dial the security to 11 if necessary with multiple levels of encryption, network firewalls, IDS, IPS, and other network security tools.
- Log everything! And provide those logs to tenants as necessary (of course currently scrubbed by hand or script)
- Log everything!
Being able to dial security to 11 as a tenant is something I welcome, but it is definitely not for everyone and requires clouds using the latest technologies.
Give the podcast a listen and let me know your thoughts.