The recent spate of news out of Home Depot and, further back, Target point to the need for better supply chain security. But really, how can we address the issue? There are several answers, but none of them seem feasible in today’s IT environments. Why? They all require open communication, constructive criticism, and willingness to …
TVP Tag Archives
Public Cloud Reality: Reinforced at CSA Summit
I have written about the Public Cloud Reality and the need to bring your own security, monitoring, support. This was reinforced by Dave Asprey of Trend Micro at the last Cloud Security Alliance Summit held at this years RSA Conference. The gist of Dave Asprey’s talk was that YOU are responsible for the security of your data, not the cloud service provider.
Software Defined Security: Is it Achievable?
Cloud based security is about securing the data, yet compliance requirements are often about securing the environment, such as PCI’s requirement for web application firewalls, which protect web servers and perhaps applications and imply protection of data. But they do not directly protect data. How can a Software Defined Data Center implement a form of Software Defined Security automatically to meet not only compliance requirements, but security around a particular mote of data?
Offering Cloud Services: Why is it so Limited?
There are many SaaS and Security SaaS cloud services out there, but they all lack one thing: full visibility. Why do these cloud offerings limit the ability to perform compliance auditing, forensics, and basic auditing against an organizations data retention, protection, and other necessary policies? Why not just grant the “right to audit”, or better yet, build a way for each tenant to perform their own audit down to the hardware? Why limit this by leaving it out of contracts as well as the technology? It is all feasible.
Tenant and Multi-Tenant Security: It's All About Scope
While at InfoSec World 2012’s summit on Cloud and Virtualization Security, the first talk was on Securing your data. The second was on penetration testing to ensure that data was secure. In essence it has always been about the data but there is a huge difference between what a tenant can do and what the cloud or virtual environment provider can do with respect to data protection and security. This gap is apparently becoming wider instead of smaller as we try to understand tenant vs cloud provider security scopes. There is a lack of transparency with respect to security, but at the same time there are movements to gain that transparency. But secret sauces, scopes, legislation, and lack of knowledge seem to be getting in the way.
Virtualization and Cloud Security Projects to Watch
The future of Virtualization and Cloud Security is being worked on today and there are several projects worth watching. Early guidance from these projects will aid your current virtualization and cloud security policies, procedures, plans, and architectures. (A6, DMTF, CSA, PCI, FDIC, etc.)