Saturday, October 12, 2013

Book: The Phoenix Project

Sometimes you read a book and you recognize the problems described and the people involved. The Phoenix Project was such a book. I recognized many of the characters in the book as people I've been working with, or even myself. The Phoenix Project does, however, bring something very valuable to this world, and I frequently recommend that people in relevant positions read it. I want them to understand what this devops thing is and how it can contribute to solving their biggest challenges. There are other books on the topic of devops too, but this one is a fictional book with a story that is exciting, funny, touching and educational all at once. It touches the very same problems that many IT departments and IT people face, and it also proposes a change in IT operations that can help get IT running more smoothly: a change in methodology based on the experiences of some of the most influential IT organizations in the world today.


One of the authors of this book (Gene Kim) was a guest on episode 111 of the Cloud Virtualization Security Roundtable podcast.

Cloud Virtualization Security Roundtable, episode 111


Update: I met Gene Kim at the ITSMF conference. He is in the process of writing a new book, and I will soon get access to one of the early drafts.


NIST Cloud Computing Security Reference Architecture

A couple of years ago NIST released the first edition of the Cloud Computing Reference Architecture, and this summer they released a draft document focused on cloud security: the Cloud Computing Security Reference Architecture (SP 500-299).

Due to the shutdown of the US government, this document seems to be unavailable from the NIST site at the moment, but hopefully they will soon restart again in safe mode.



Cloud Virtualization Security Roundtable

http://www.virtualizationpractice.com/resources/virtualization-security-podcast/
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=34217&cmd=t

Sunday, May 19, 2013

Episode 105: VirtuStream

This episode's guest is Pete Nicoletti from VirtuStream. VirtuStream is a cloud solution provider with a strong focus on security, and they host some major customers.

One of the topics discussed in episode 105 is the use of TXT (Intel Trusted Execution Technology) in cloud solutions. Currently it is not possible to enable TXT across all cloud solutions because it depends on the hardware the cloud providers are using. Providers running on white-box hardware cannot support TXT the way it is available in enterprise-grade servers.

In a cloud solution, tenant-specific logging is very important, but a standard is still missing, even though some work is underway.

In addition to various hardening guides, there is also an application called Onapsis that can check whether you have set up your system securely. It is an application-specific security scanner.

Hosting different customers on the same platform can be a risk, and most cloud providers do not evaluate which customers should be allowed to run on the same hardware (or be hosted at all).

PCI-DSS is also something you must keep in mind. Many PCI auditors may scratch their heads when they come across a virtualized solution. Even though there is a virtualization special interest group for auditors, such auditors are hard to find.

Texiwill has written a bit here on How VirtuStream does Cloud Security, and the podcast is available below.

Audio: Cloud Virtualization Security Roundtable, episode 105
http://www.virtualizationpractice.com/resources/virtualization-security-podcast/
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=34217&cmd=t

Tuesday, May 7, 2013

Human technology roadblocks

Often new proposals and projects are stopped because of other people's lack of knowledge.

The security team can stop many good projects, such as those involving virtualization, because they don't have enough knowledge and are skeptical of new types of services they have no experience with.

Mrs Y once worked at a company where the networking department was skeptical of running virtualized networks. They asked about latency and other issues that may have been problems many years ago.

Some people are skeptical of VLANs, Texiwill included, and that extends to VXLAN and other similar technologies.

It has been said that it is a struggle for people to separate the logical from the physical. For the longest time the two have been the same thing, and now they are suddenly different. People, companies, ISVs and hardware vendors alike are confused by these changes, and many of them will try to block the new inventions in favor of the old ones.


All this and more in episode 104.


Driving from Lycia to Fethiye.

Audio: Cloud Virtualization Security Roundtable, episode 104
http://www.virtualizationpractice.com/resources/virtualization-security-podcast/
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=34217&cmd=t

Saturday, May 4, 2013

Boat trip

Last week I attended a boat trip from Dalyan to Iztuzu Beach. On this same trip we also attended a mud bath and a turtle safari. There was one turtle near our boat for a short moment, but I didn't see it with my own eyes since it was at the front of our boat and I was sitting in the back. The beach was great and I wish we could have stayed there longer.


Thursday, March 21, 2013

Cloud Views

Special guest on episode 103 was Andi Mann.

Cloud View started out as a newsletter. Later it moved to Twitter as #cloudview, with cloud security as the topic. Cloud View is hosted on http://smartenterpriseexchange.com and they have a dozen episodes available on YouTube.

Where is the firewall in a cloud environment?

Earlier you knew where people were accessing your data from, since nobody outside your firewall had access. Nowadays you need to know who is accessing your data, because access is no longer restricted by network segments.

We have several layers of identity:
  • username/password
  • 2 factor
  • multiple factors

After all the break-ins at major sites (PSN, iCloud, ...), many think that username/password is not good enough anymore, but it is still the only credential you need for 99% of the web servers on the internet.
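To make the identity layers above concrete, here is an added example (not code from the blog post or from the podcast) in Python that stacks a username/password check with a second factor: a time-based one-time password (TOTP, RFC 6238) built from the standard library only. The user store, the salt, the password and the TOTP secret are all constructed for the example (the secret is the ASCII test-vector secret from RFC 6238, chosen so the generated codes can be checked against the RFC's table); the function names `check_password`, `check_totp` and `authenticate` are mine. The access decision is made purely on identity: the caller's network location is never consulted, which is the point of the paragraph above.

```python
"""Added example, not from the blog post or the podcast: layered identity
checks (password + TOTP second factor) with an identity-based access
decision that ignores where the request comes from. All users, secrets
and timestamps are constructed for the example."""
import hashlib
import hmac
import struct


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. The TOTP secret is the RFC 6238 test-vector secret,
# so the codes below match the RFC's published table (6 leading digits).
USERS = {
    "alice": {
        "salt": b"constructed-salt-1",
        "pw_hash": _pbkdf2("correct horse battery staple", b"constructed-salt-1"),
        "totp_secret": b"12345678901234567890",
    },
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP (RFC 4226, HMAC-SHA1) over the current time-step counter (RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_password(username: str, password: str) -> bool:
    """Layer 1: username/password, compared in constant time."""
    user = USERS.get(username)
    if user is None:
        _pbkdf2(password, b"dummy-salt")         # same cost for unknown users
        return False
    return hmac.compare_digest(_pbkdf2(password, user["salt"]), user["pw_hash"])


def check_totp(username: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Layer 2: accept the current step and `window` steps either side (clock skew)."""
    user = USERS.get(username)
    if user is None:
        return False
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], unix_time + drift * 30)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False


def authenticate(username: str, password: str, code: str, unix_time: int) -> str:
    """Identity-based decision: both layers must pass; source IP is never a factor."""
    if not check_password(username, password):
        return "denied"
    if not check_totp(username, code, unix_time):
        return "denied"                          # password alone is only one layer
    return "granted"


if __name__ == "__main__":
    # Constructed request at unix time 59 (RFC 6238 table row: code 287082).
    print(authenticate("alice", "correct horse battery staple", "287082", 59))
```

The skew window is the edge case worth noticing: a code from the previous 30-second step is still accepted, so a deployment that wants replay protection must also remember the last counter it accepted for each user.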

Who is responsible for security?
- Everybody?
- The board?

News from the RSA conference.


Audio: Cloud Virtualization Security Roundtable, episode 103
http://www.virtualizationpractice.com/resources/virtualization-security-podcast/
http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=34217&cmd=t