Recently I discussed Virtualizing Business Critical Applications and security, which includes availability, confidentiality, and integrity. However, that discussion was more about visibility into the environment for security operations. I purposely left off the discussion of gaining integrity and confidentiality of the data housed within those business critical applications.
TVP Tag Archives
Defense in Depth: Encryption within the Virtual Environment
The 5/31 Virtualization Security Podcast we spoke to High Cloud Security about encryption as a defense in depth, and where to place encryption within the virtual environment. This lead to an intriguing discussion about what is actually missing from current virtual environments when it comes to encryption. We can encrypt within each VM and we can encrypt within the networking fabric, as well as within the drives themselves, but currently that leaves several vulnerabilities and unencrypted locations that can be used as attack points. While we concentrated on vSphere, what we are discussing applies equally to all hypervisors.
Will access to VMware's source code change the hypervisor threat landscape?
Many of the virtualization security people I have talked to are waiting patiently for the next drop of leaked VMware hypervisor code. But the real question in many a mind is whether or not this changes the the threat landscape and raises the risk unacceptably. So let’s look at the current hypervisor threat landscape within the virtual environment to determine if this is the case, and where such source code will impact. Are there any steps one can take now before the code drop is complete to better secure your environment?
Going to the Cloud Safely
Whether or not to put data into the cloud has been a debate since clouds were first formed. At a recent conference I was asked:
with all the security issues you brought up, why should I go to the cloud, I do not know the administrators, nor can I gain cloud visibility, so why go to the cloud at all? and if so which cloud?
There are a myriad of reasons to go to the cloud, not the least of which is politics or being told to go to the cloud. When the real question is:
which cloud services is my organization already using and how can I gain control over the data being placed into the cloud.
How to Use the Cloud for Development, Safely
When CloudFoundry was announced, my first thought was this is a nightmare waiting to happen. Why do I think this, because I was not thinking about Open Source developers but enterprise developers and the biggest issue with enterprise development is that the data used by developers is either made up data, but more often than not is actual production data. So the question becomes how can such data be protected when using PaaS public clouds?
Multiple Hybrid Clouds Kludged Together? — Cloud Architecture
With the diversity of cloud’s available today, data being sent from one to another could appear to be a hodge-podge of security. As one colleague put it recently when I asked what he was expecting to maintain integrity of data in motion between clouds:
“… what kind of kludge can things end up being when you have multiple connections to multiple hybrid clouds all doing different things” — Steve Beaver
So how does data transfer between the clouds? Is it a kludge? or can it be done using a uniform security policy, procedures, and protocols while maintaining Integrity and Confidentiality and auditability?