Your soul-suckin’ days are over, amigo!

At this year’s RSA conference, Trend Micro announced their new Deep Security 8 antivirus solution. What is revolutionary about this product is that it is the first agentless solution and is designed with virtual environments in mind. So why is this such exciting news for the cloud & virtualization world?

It’s 106 miles to Chicago, we’ve got a full tank of gas, half a pack of cigarettes, it’s dark and we’re wearing sunglasses.

With the long weekend looming (well, technically starting today) I thought I would do a nice light post about the state of third party security and virtualization. I still have this debate once in a while about what is better: vendor integrated solutions such as vShield, or third party solutions from security vendors. So what are the arguments for each side?

I guess you picked the wrong god-damned rec room to break into, didn’t you?!

With the recent high-profile breach of Global Payments, information is finally coming to light as to the cause of the breach. Sadly, it seems that ineffective security around authentication was to blame this time. This is in line with my post the other day about how internal security policies need to educate employees about why passwords and verifying content are so important to maintaining a strong security posture. Unfortunately, it looks like an employee was impersonated through authentication verification questions, giving the unauthorized user access to confidential information including several million credit card numbers. So how can this type of solution be avoided, and more importantly, what kind of cloud solutions exist to help with this challenge?

Passwords are like underwear. You shouldn’t leave them out where people can see them. You should change them regularly. And you shouldn’t loan them out to strangers.

It’s funny when I see articles around security that focus on how Anti-Virus is the key to computer security. I know that yes, the risks from malware and virus-laden attachments are a pain in the butt for security professionals, and even regular computer users, but is A/V really the key to computer security? If you ask me, it’s really more about education and process than anything.

May the Odds be Ever in Your Favor.

It’s been a while since I’ve written about security, but last week I came across a really great (but frightening) example of how security is affected in virtual environments. An organization that was running a virtual environment suddenly lost access to their entire infrastructure. It wasn’t a result of a badly configured virtual environment; it was arguably one of the first examples that I have come across of an attack against a virtual environment. I don’t know if it was intentional, but it’s a very interesting story of just how the threat landscape is adapting.

Essentially what happened was that the Windows server their virtual environment was running on had suffered a malware infection. The worst thing was that it was a known exploit, but hadn’t been patched. What the exploit did was cause the server to hit the network stack with enough traffic to cause a DDoS attack against the management console. This not only brought everything down, but rendered the environment unavailable.

Can you imagine if this type of vulnerability happens in a production environment, such as in a financial or e-commerce organization? Aside from the financial ramifications of not being available to customers, what if you couldn’t recover any of your data? This type of attack could theoretically cause irreparable damage to a company.

I know the whole concept of securing virtual environments is a new thing. I work with several research groups within the Cloud Security Alliance so I am aware of just how little information there is out there as it relates to best practices. But when a real-world example shows how these types of attacks are starting to affect virtual environments, it makes it clear just how important these conversations are.

Now I am not sure what happened to the organization that was the unfortunate victim of the attack. I hope that the fact that they figured out it was a network issue means that once the vulnerability is patched the VMs can be restarted. But I doubt that this is a rare and isolated example, which means that it is officially time for security and infrastructure folks to step up their game.

Danger Will Robinson! Danger!

Yesterday the latest security report from Verizon was released, with some much-expected statistics around hacktivism and security breaches. As it relates to cloud, the statistics are already hinting about where organizations need to focus.

Some of the key points are that internal breaches have been reduced significantly (hopefully through corporate security education), and physical attacks account for around 10% of all breached records.

But the really staggering statistic is around breaches themselves. 97% of them were avoidable had simple security measures been in place. 97 percent! 96% of the victims were required to comply with PCI DSS guidelines but sadly didn’t meet the requirements.

So what does all this mean as it relates to cloud? It means that if breaches are still happening and requiring compliance with PCI isn’t stopping them, cloud isn’t going to help. As organizations start pushing content to the cloud, security will be even more important as hacktivists are scanning all web-facing content for potential victims. There is no longer a “we’re not big/important enough to be a victim” excuse. Cloud is going to make everything more available, and make security trickier to manage.

So what can organizations do to help reduce this risk? First thing is to make sure that you know where your data is. If you don’t know what you have, you don’t know what to protect.

Second, look for weaknesses in your security posture. There are so many great tools out there to help identify these, such as Qualys etc.

Third, if you have anything facing the web, invest in security: Web Application Firewalls (WAF), Cloud DDoS, and perimeter security tools. If you don’t have the internal expertise to manage these controls, look to service providers to manage them for you.

You can also look at migrating your important data to a cloud provider who meets the compliance requirements applicable to your organization. This saves you the headache of going through all the rigor of audits and remediation. Outsourcing is a great resource for this, and very cost effective for mid/small organizations who just want to focus on their business.

In 5 years I am sure this type of report is going to shift dramatically towards cloud attacks and mobile technology attacks. The best thing organizations can do is to use these as a guide to secure their environment, or reach out to someone who can offer security as a service.

To read the full report, visit www.infoworld.com

To ensure ongoing quality of service, your death may be monitored for training purposes. Thank you.

I was recently attending a cloud conference and had the chance to talk to several of the key technology vendors that were in attendance. One of the major vendors seems to be working closely with just about everyone in the cloud and virtualization space, and it made me question what kind of benefits to solution providers and other vendors these types of relationships provide. Suddenly the main cloud players are building partnerships to develop solutions for attached security, storage, asset management, performance monitoring and other operational technologies within virtual environments. But what benefit is there to have such tight integration with one or two key cloud platform vendors?

My software never has bugs. It just develops random features.

I came across a great article from CSO Online that talked about how cloud has created a new movement called DevOps. Normally when you think about how cloud is affecting the way businesses operate from an IT perspective, the usual culprits at the centre are the security folks, and maybe the IT infrastructure guys. What we tend to forget is that these groups aren’t the only ones who are looking at how cloud can make business processes more nimble. The DevOps movement is showing organizations how changing the way they run development can lead to some astounding results.

If at first you don’t succeed; call it version 1.0.

If someone asked you what the biggest problem with cloud is, how would you answer? Would it be security? Complexity? Personally, I think it comes down to the fact that cloud involves so many systems, data centres, networks, security controls that it’s almost impossible to create clear segmentations of where cloud environments begin and end. Cloud is a global entity made up of fenced-off clusters of information.

Worst. Episode. Ever.

DLP is always a strange thing for me to talk about, since I remember the first round of solutions that ended up causing more headaches than solving the problem of data leakage. But with cloud, it’s all of a sudden a new conversation and DLP is right at the forefront in classifying the types of data that are the centre of the cloud design. All of a sudden DLP cannot be ignored anymore; it’s become a critical part of the new cloud landscape.