Greetings, my friend. We are all interested in the future, for that is where you and I are going to spend the rest of our lives. And remember my friend, future events such as these will affect you in the future.

As someone who spends a lot of time perusing both Reddit and the now sadly defunct Google Reader (RIP!), I’m not personally surprised to start seeing a lot of discussions around whether corporations who outsource cloud storage or other services to third parties should be worried about privacy risks.

For example, an article this morning from the folks over at ZD brings up some great points about both the pros and cons of the great cloud race and how it could ultimately affect how data ownership is perceived.

Looks like you’ve been missing a lot of work lately. I wouldn’t say I’ve been *missing* it, Bob.

Yes, before you start to wonder what ever happened with Tinder Stratus, I’ve been enjoying some well-deserved downtime. I’m going to be cutting down the blog to write as much as I can, but as cloud starts to ramp up in Canada, I am going to be working on a few other side projects. It’s been a while since I’ve posted, and since it’s Tuesday, I am happy to get back into the swing of things with a quick update from a security company that I first came across years ago and that is still creating some great solutions, especially now for the virtualization space.

Tripwire’s ConfigCheck is a great (and free!) utility that helps organizations get a quick picture of how secure their VMware ESX 3.0/3.5 hypervisor is by measuring it against the VMware Infrastructure 3 Security Hardening guidelines. While there are some other tools that do similar types of verification, I like that Tripwire not only identifies the vulnerabilities, but since it was designed from the ground up with VMware, it also provides the steps towards full remediation of the vulnerabilities.

But why is something like this so critical? Well, as organizations struggle to identify security deficiencies within their virtual environments, tools like this make it a lot easier by giving a standard baseline from which to start. While it’s not a replacement for having experienced security folks, it’s a great solution for midmarket or other organizations that don’t have that luxury.

Aside from discovering vulnerabilities, ConfigCheck helps organizations deploy virtualization in a manner that is safe and secure, increase the security posture of the entire organization, reduce configuration drift and easily implement security and compliance best practices. It’s a cheat sheet if you will, to help identify and manage vulnerabilities in your virtual environment.

Michael, I did nothing. I did absolutely nothing, and it was everything that I thought it could be.

It seems like in the last few years, every single service provider has been scratching their head and thinking “how do we sell to the SMBs?” I’m not talking just cloud providers, but most businesses in general. Part of it is that in Canada, while there are some significantly large enterprises, the majority of organizations fit into the traditional SMB definition. But the question is, will cloud help us finally get enterprise-class solutions to those customers?

Come on, you scuzzy data, be in there. Come on.

I wrote a few weeks back about the theme of Big Data and organizations such as EMC’s Greenplum and Apache’s Hadoop paving the way for the application of large data in cloud environments. It reminds me of the debate years ago on whether we would ever see a paperless society, which we realized sadly isn’t going to happen. Data just seems to compound and we cannot begin to imagine how the rates of data usage and creation will increase.

But in order to embrace big data, we need to figure out the barriers to adoption. David Asprey, a regular on the cloud expo circuit, notes that there are 2 key elements missing in the log management space right now: real scalability and security.

After very careful consideration, sir, I’ve come to the conclusion that your new defense system sucks.

With Friday upon us, it’s the last part of virtualization and PCI. So as promised, I am going to dedicate this last post to giving a final roundup on key things that you should hopefully start doing (or at least discussing internally) if you plan on moving down the path to compliance. I can’t promise it won’t be painful, but if you keep these things in mind from the beginning, it will be slightly less intrusive than it could be.

Oooh, ahhh, that’s how it always starts. Then later there’s running and screaming.

Today I want to get back to the matter at hand, how to deal with PCI if you have a virtual environment. Because PCI DSS is one of the first glimpses Canadian organizations have into the need to secure their virtual environments, the learning curve for both auditors and IT teams is staggering. There is a lot of grey space at the moment where interpretation of the requirements can have a significant impact on the end result, and often it is a result of auditors walking into mixed environments where virtual and physical resources co-exist and they realize they are in over their heads. In fact, something that seems initially simple, such as the separation of trust zones, can actually be quite complex to not only understand, but to figure out how to comply with. But where to start?

Nothing shocks me–I’m a scientist!

I received a few emails from readers looking for more information on how to start mapping their virtual and cloud environments to different compliance standards without starting to invest in security solutions. A free check-up, if you will. Since this falls right in line with what I am hoping to get virtualization folks to start thinking about, you can think of this as a modification of Technology Tuesday; let’s call it Woohoo! Wednesday. The key is that it is indeed worthy of that exclamation mark because this compliance tool is not only free, but if you’re running a VMware environment, you probably have it already; you just don’t know it.