We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.

Business-Driven Architect

Brenda Michelson

Cloud Slam: Michael Berman, Catbird Networks, Security in Virtual Data Center

user-pic
Vote 0 Votes

Session abstract:

“You are on cloud 9. You are ready to go lights-on in your new virtual data center. But wait: virtualization changes everything when it comes to security. Some gaps are obvious, such as the elimination of separation of duties, or the lack of visibility into the virtual network. Some issues are more subtle, such as temporal attacks against crypto. This talk will describe what gaps are introduced in the move from physical to virtual specifically where security is concerned, and prescribe specific steps to ensure security and compliance for production deployments.

Specific topics to be covered include:
• Recommend strategies for updating in-house security and compliance best-practices guides to incorporate and protect virtual infrastructure.
• An analysis of the new virtualization threat surface and what new policies should be introduced to prevent, detect and control risks and violations.
• Configuration of the virtual network for security and visibility, even over Vmotion and over VMware port groups.
• Enforcement of separation of duties, least privilege and change management in the virtual data center (currently not part of most virtualization platforms).
• Examination of the risks of VM Sprawl and establishment of programs and policies for managing this risk.
• How you can guarantee your cloud implementation is even more secure than your pre-cloud analogue.?

Michael Berman is CTO of Catbird Networks, a provider of security virtualization solutions to cloud computing operators.

Berman starts by discussing cloud computing taxonomies and the notion that cloud computing is enabled by virtualization.  Points out the Jericho Forum Cube model, which according to the Jericho Forum cloud cube model paper (pdf):

“The Jericho Forum’s objectives related to cloud computing are distinctive – enabling secure collaboration in the appropriate cloud formations best suited to the business needs.
With this in mind, the aim of this paper is to:
- point out that not everything is best implemented in clouds; it may be best to operate some business functions using a traditional non-cloud approach
- explain the different cloud formations that the Jericho Forum has identified
- describe key characteristics, benefits and risks of each cloud formation
- provide a framework for exploring in more detail the nature of different cloud formations and the issues that need answering to make them safe and secure places to work in.?

Four dimensions of Jericho Cube Model: External/Internal, Proprietary/Open, Perimeterised/De-perimeterised, Outsourced/Insourced

Common Cloud Computing Security mistakes:

- not worried about data, because not putting sensitive data

>>cloud provides a new vector for phishing and harvesting of user credentials

- my host based security will protect me

>>fails to protect virtualized networks and virtualized storage

- my provider is more secure than I am

>>they are also juicier targets (examples: Fiserv, iPower)

- There are no cloud exploits, why should I care

>>unprotected data and weak controls increases risks from DOS, abuse of privilege, and theft; Berman warns that just because it hasn’t rained, doesn’t mean it won’t rain

Berman pointed out several cloud infrastructure security challenges, including reduced visibility, multi-tenancy risks, dynamic, rapidly changing nature, and that in a hypervisor environment, the administration has access to all resources in the cloud.  

In respect to virtualization, Berman shared the following slide of increased IT risks:

In speaking to cloud risks and controls, Berman shared several tidbits, including:

- know where your data is – geographic location – and make sure that country’s data breach reporting laws meet your requirements (risk and compliance)

- understand that if you have email in the cloud, you have trade secrets in the cloud

- make sure there is DLP (data leak prevention) and IDP (intrusion defense protection)

- cloud providers, because of economy of scale, can do a better job than organizations on security & compliance

- “Trust the cloud, but verify?; Ask your cloud provider how they measure up to COBIT, ITIL & ISO 27000

Berman emphasizes the importance of putting in place compensating controls and virtualized security.  This virtualized security concept is the focus of Berman’s talk.  With virtualized security, you are essentially embedding or attaching security policies to your deployment, via metadata.  With a virtualized security implementation, you won’t get locked into a cloud computing provider due to the security implementation.  (Other aspects might lock you in, but that’s a different story).

According to Berman, all cloud computing providers must have the capability to enforce the controls you specify via the metadata.  Those providers should also provide reports on how the security policies were stressed and enforced.  As a result, you might want to change your security specifications (metadata).

Here are a few of Berman’s slides related to virtualized security:

 

In closing, Berman shared a list of capabilities cloud tenants should demand of providers:

- Policies for service delivery, access control, integrity management and data protection

- Continuous auditing and assurance of controls

- Access to security management console: alerts, event management and reports

- Capability to modify security policies for your VM containers

 

And, a list of (must do) requirements for cloud providers:

- deploy multi-tenant security management

- protect tenants from threats:

>> DOS

>> Abuse of privilege

>> escalation of privilege (from other tenants)

>> mobile code

>> pharming/phishing and identity theft

>> data theft

And of course, solutions do exist today, Catbird Networks (amongst others) supplies virtualized security solutions to cloud providers.

Brenda Michelson, Principal of Elemental Links, shares her view on architectural strategies, technology trends, business, and relevance.

Brenda Michelson

Brenda Michelson is the principal of Elemental Links an advisory & consulting practice focused on business-technology capabilities that increase business visibility and responsiveness. Follow Brenda on Twitter.

Subscribe

BDA Feed
BDA Comments Feed


Enter your email address:

Delivered by FeedBurner

Recently Commented On

Monthly Archives

Blogs

ADVERTISEMENT