Greetings, my friend. We are all interested in the future, for that is where you and I are going to spend the rest of our lives. And remember my friend, future events such as these will affect you in the future.

As someone who spends a lot of time perusing both Reddit and the now sadly defunct Google Reader (RIP!), I’m not personally surprised to start seeing a lot of discussions around whether corporations who outsource cloud storage or other services to third parties should be worried about privacy risks.

For example, an article this morning from the folks over at ZD brings up some great points about both the pros and cons of the great cloud race and how it could ultimately affect how data ownership is perceived.

Looks like you’ve been missing a lot of work lately. I wouldn’t say I’ve been *missing* it, Bob.

Yes, before you start to wonder whatever happened with Tinder Stratus, I’ve been enjoying some well-deserved downtime. I’m going to be cutting down the blog to write as much as I can, but as cloud starts to ramp up in Canada, I am going to be working on a few other side projects. It’s been a while since I’ve posted, and since it’s Tuesday, I am happy to get back into the swing of things with a quick update from a security company that I first came across years ago and that is still creating some great solutions, especially now for the virtualization space.

Tripwire’s ConfigCheck is a great (and free!) utility that helps organizations get a quick picture of how secure their VMware ESX 3.0/3.5 hypervisor is by measuring it against the VMware Infrastructure 3 Security Hardening guidelines. While there are some other tools that do similar types of verification, I like that Tripwire not only identifies the vulnerabilities but, since it was designed from the ground up with VMware, also provides the steps towards full remediation of the vulnerabilities.

But why is something like this so critical? Well, as organizations struggle to identify security deficiencies within their virtual environments, tools like this make it a lot easier by giving a standard baseline from which to start. While it’s not a replacement for having experienced security folks, it’s a great solution for midmarket or other organizations that don’t have that luxury.

Aside from discovering vulnerabilities, ConfigCheck helps organizations deploy virtualization in a manner that is safe and secure, increase the security posture of the entire organization, reduce configuration drift and easily implement security and compliance best practices. It’s a cheat sheet, if you will, to help identify and manage vulnerabilities in your virtual environment.

Michael, I did nothing. I did absolutely nothing, and it was everything that I thought it could be.

It seems like in the last few years, every single service provider has been scratching their head and thinking “how do we sell to the SMBs?”. I’m not talking just cloud providers, but most businesses in general. Part of it is that in Canada, while there are some significantly large enterprises, the majority of organizations fit into the traditional SMB definition. But the question is, will cloud help us finally get enterprise-class solutions to those customers?

Come on, you scuzzy data, be in there. Come on.

I wrote a few weeks back about the theme of Big Data and organizations such as EMC’s GreenPlum and Apache’s Hadoop ushering the way for the application of large data in cloud environments. It reminds me about the debate years ago on whether we would ever see a paperless society, which we realized sadly isn’t going to happen. Data just seems to compound and we cannot begin to imagine how the rates of data usage and creation will increase.

But in order to embrace big data, we need to figure out the barriers to adoption. David Asprey, a regular on the cloud expo circuit, notes that there are two key elements missing in the log management space right now: real scalability and security.

After very careful consideration, sir, I’ve come to the conclusion that your new defense system sucks.

With Friday upon us, it’s time for the last part of the series on virtualization and PCI. So, as promised, I am going to dedicate this last post to giving a final round-up of key things that you should hopefully start doing (or at least discussing internally) if you plan on moving down the path to compliance. I can’t promise it won’t be painful, but if you keep these things in mind from the beginning, it will be slightly less intrusive than it could be.

Oooh, ahhh, that’s how it always starts. Then later there’s running and screaming.

Today I want to get back to the matter at hand: how to deal with PCI if you have a virtual environment. Because PCI DSS is one of the first glimpses Canadian organizations have into the need to secure their virtual environments, the learning curve for both auditors and IT teams is staggering. There is a lot of grey space at the moment where interpretation of the requirements can have a significant impact on the end result, and often it is a result of auditors walking into mixed environments where virtual and physical resources co-exist and realizing they are in over their heads. In fact, something that seems initially simple, such as the separation of trust zones, can actually be quite complex not only to understand, but to figure out how to comply with. But where to start?

Nothing shocks me–I’m a scientist!

I received a few emails from people looking for more information on how to start mapping their virtual and cloud environments to different compliance standards without having to invest in security solutions. A free check-up, if you will. Since this falls right in line with what I am hoping to get virtualization folks to start thinking about, you can think of this as a modification of Technology Tuesday; let’s call it Woohoo! Wednesday. The key is that it is indeed worthy of that exclamation mark, because this compliance tool is not only free, but if you’re running a VMware environment, you probably have it already; you just don’t know it.

Bio-digital jazz, man

So it’s Tuesday, and keeping in our theme of “Compliance: things that keep me up at night”, I am happy to highlight a great company that sadly not a lot of people outside us die-hard virtualization security fans know about: Catbird Networks. When it comes to compliance, Catbird is a pretty good place to start, and it makes it really quite easy to get an ongoing idea of where your environment stands as it relates to compliance requirements. This is important, because the earlier you can start to see how your environment is shaping up in meeting compliance requirements, the easier it is down the road to ensure that as new systems are deployed, they don’t negatively affect your compliance posture.

Oooh right, it’s actually quite a funny story once you get past all the tragic elements and the over-riding sense of doom.

One of the biggest questions on the minds of security folks when they start to add virtual components to their environments is “How do I even know where I stand as it relates to compliance?”. It’s a great question, as cloud and virtualization have, until now, been blissfully ignored by compliance requirements. Until now, that is, as PCI-DSS got a refresh back in November of 2010 that does include lots of verbiage around the requirements for securing virtual environments in order to meet the benchmarks of PCI. I want to spend some time this week addressing compliance and how virtualization fits in, primarily as it relates to PCI because of the familiarity with what PCI aims to accomplish, but also covering some of the tools and resources available. So today I want to highlight the key areas affected by PCI and what exactly is required to start down the road to full compliance.