
Monthly Archives: March 2014

Security Updates in vSphere 5.5 Update 1 + Hardening Guide news

5.5 Update 1 Release Notes

vSphere 5.5 Update 1 was released on March 11th, 2014. The primary drivers for this release were lots of bug fixes and support for VSAN. At the risk of duplicating a huge amount of the release notes, please review in detail those things that are important to you. There are a number of things in Upgrade and Installation and there’s a specific Security section that would be of interest. Also review the Known Issues section as there are some interesting tidbits in there as well.

5.5 Hardening Guide Update

I will be releasing an update to the vSphere Hardening Guide to go along with 5.5 Update 1 in the next couple of weeks. I’ve been collecting updates since it was released shortly after 5.5. No MAJOR changes, just minor fixes and a couple of clarifications and at least one deletion. More on this soon. I know it’s a hot button for some folks.

If there’s something YOU think needs to be corrected, now is the time to let me know!

Get in touch as a reply to this blog or preferably an email to me. I’m mfoley at VMware.com.

Thanks,

mike

VMware Security & Compliance – “News Team Assemble!”

Hola Peeps!
That’s right Ron Burgundy fans, News Team Assemble! http://www.youtube.com/watch?v=MPpiCdt5aC8
 
It is great to be back at VMware and sharing with all of you once again after a wonderful year at EMC where I was rollin with the Elite – Cloud Business Director Team.
My new role: Cloud Management Security & Compliance Evangelist. What have I been doing? Getting the Wolf Pack back together in a HUGE way at VMware with some key new additions like Tom Corn and my longtime friend & colleague Dr. Dennis Moreau.
The gang is working on amazing projects like the planet’s first PCI Validated Cloud using OpenStack and NSX! Of course we are enlisting a little help from our friends at Coalfire, VMware CP&C & Rich Rees. The risk and cost could be high, but we will do our best to prove it out. BTW: CP&C is still delivering great content including PCI 3.0, HIPAA and FedRAMP. The team is also working on updated integrated solutions for vCOPS (vCM) and Archer (GRC).
For those of you who did not have the opportunity to attend RSA 2k14, you missed out! There were over 20k folks in attendance and the number of new startups in the cloud space had the expo floor hyped up. (Not to mention the fact that a vendor had a FULL BLOWN boxing ring with 2 pro fighters entertaining the blood thirsty crowd! I also have to mention strong representation from BeyondTrust, HyTrust and CipherCloud.)
The VMware booth also had a ton of great traffic and for ONCE, people were not asking questions like “What are you doing at RSA?”. This year it was all about our solutions like LogInsight, NSX, vCM aka vCOPS and the tremendous partner ecosystem we have put together over the last few years.
In closing, let’s turn the focus to Data Protection and how it is going to work moving forward in the cloud. We are starting to see a lot of companies wanting to hop on this bandwagon without really thinking it through or consulting their security & compliance team. The insider threat issue within a private cloud continues to be in the news and could either open the door for a provider to take over sensitive data or give the CISO more power and funding for protecting IP & keeping mission critical workloads on-prem. BTW: The CIO is also paying the price, not just the CISO. http://www.washingtonpost.com/business/economy/targets-chief-information-officer-is-stepping-down-in-wake-of-data-breach/2014/03/05/391be810-a479-11e3-8466-d34c451760b9_story.html
The CIA has made a bet on AWS, we will see how it pans out over time. Here are two points of view, one is a love fest between the two parties, the other a 3rd party opinion on privacy & potential stumbling blocks. http://www.computerworld.com/s/article/9246814/U.S._spy_agencies_adopt_new_IT_approach  http://www.huffingtonpost.com/norman-solomon/why-amazons-collaboration_b_4824854.html
It would be great to hear your opinion as we continue to ramp up our private, hybrid and public cloud offerings. Check out our latest announcement as we announce vCloud Government Service for U.S. Public Sector.  http://blogs.vmware.com/vmware/2014/03/fastest-path-cloud-vmware-announces-vcloud-government-service-u-s-public-sector.html

Jump in the discussion on any of our social media channels – blogs, Twitter, Facebook, or community forum.

Cambio y Fuera!
George Gerchow
VMware Cloud Management Solutions Evangelist Security & Compliance – CISSP, ITIL, CCNA, MCPS, SCP

New VMware Security Advisory VMSA-2014-0002

Today VMware has released the following new security advisory:

VMSA-2014-0002

Among the fixed issues is CVE-2013-5211, “DDoS vulnerability in NTP third party library”: the ntpd `monlist` feature (a mode 7 private-mode query) answers a small unauthenticated request with a much larger listing of recent clients, which makes an exposed NTP service usable as a traffic amplifier against spoofed victims. VMware Knowledge Base article 2070193 provides mitigation for this issue and documents when vSphere components are affected.
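To check whether an NTP service you operate still answers `monlist`, the following Python script is an added example (it is not VMware’s code and not taken from the advisory or the KB article). It builds the 8-byte mode 7 `REQ_MON_GETLIST_1` probe, parses a reply datagram (header layout and the 72-byte `info_monitor_1` record size are ntpd’s), and reports whether the host is exposed and how much one datagram amplifies the request. The two sample replies are constructed inline so the parsing runs offline; `probe()` sends a real packet and should only be pointed at hosts you are authorised to test. Host names, addresses and counter values in the samples are made up for illustration.

```python
import socket
import struct
from typing import Optional

# Mode 7 "private" request: response=0, more=0, version=2, mode=7 -> 0x17,
# auth/sequence 0x00, implementation 3 (IMPL_XNTPD), request code 42
# (REQ_MON_GETLIST_1), then err/nitems and mbz/itemsize both zero.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4
MON_ITEM_SIZE = 72  # sizeof(struct info_monitor_1) in ntpd

# Error codes carried in the top 4 bits of the err/nitems field.
ERR_NAMES = {0: "OKAY", 1: "ERR_IMPL", 2: "ERR_REQ", 3: "ERR_FMT",
             4: "ERR_NODATA", 7: "ERR_AUTH"}


def parse_monlist_response(data: bytes) -> dict:
    """Parse one mode 7 reply datagram and extract what matters for exposure."""
    if len(data) < 8:
        raise ValueError("datagram shorter than the 8-byte mode 7 header")
    rm_vn_mode, _auth_seq, _impl, req_code, err_nitems, mbz_size = struct.unpack(
        "!BBBBHH", data[:8])
    if not (rm_vn_mode & 0x80) or (rm_vn_mode & 0x07) != 7 or req_code != 0x2A:
        raise ValueError("not a mode 7 monlist reply")
    err = err_nitems >> 12           # 4-bit error code
    nitems = err_nitems & 0x0FFF     # 12-bit record count in this datagram
    item_size = mbz_size & 0x0FFF    # 12-bit record size
    peers = []
    body = data[8:]
    for i in range(nitems):
        rec = body[i * item_size:(i + 1) * item_size]
        if len(rec) < 20:
            break  # truncated record; stop rather than misparse
        # bytes 16..20 of info_monitor_1 are the IPv4 address of a recent client
        peers.append(socket.inet_ntoa(rec[16:20]))
    return {"err": err, "err_name": ERR_NAMES.get(err, f"ERR_{err}"),
            "nitems": nitems, "more": bool(rm_vn_mode & 0x40),
            "item_size": item_size, "peers": peers, "bytes": len(data)}


def is_exposed(reply: bytes) -> bool:
    """True when the server handed back client records, i.e. it will amplify."""
    r = parse_monlist_response(reply)
    return r["err"] == 0 and r["nitems"] > 0


def amplification(reply: bytes) -> float:
    """Bytes returned per byte sent for this single datagram (more may follow)."""
    return len(reply) / len(MONLIST_REQUEST)


def probe(host: str, port: int = 123, timeout: float = 2.0) -> Optional[bytes]:
    """Send one monlist request to a host you are authorised to test.

    Returns the first reply datagram, or None when nothing comes back
    (a server restricted with noquery simply drops the request).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (host, port))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


def _record(addr: str) -> bytes:
    """Constructed info_monitor_1 record: avg_int, last_int, restr, count, addr, padding."""
    head = struct.pack("!IIII", 64, 3, 0, 12) + socket.inet_aton(addr)
    return head + b"\x00" * (MON_ITEM_SIZE - len(head))


# Constructed reply from a vulnerable server: response bit set (0x97), two records.
SAMPLE_REPLY = (bytes([0x97, 0x00, 0x03, 0x2A]) + struct.pack("!HH", 2, MON_ITEM_SIZE)
                + _record("192.0.2.10") + _record("198.51.100.7"))

# Constructed reply from a server that rejects the request: err=2 (ERR_REQ), no records.
SAMPLE_REFUSED = bytes([0x97, 0x00, 0x03, 0x2A]) + struct.pack("!HH", 2 << 12, 0)


if __name__ == "__main__":
    for name, reply in (("vulnerable", SAMPLE_REPLY), ("refused", SAMPLE_REFUSED)):
        r = parse_monlist_response(reply)
        print(f"{name}: {r['err_name']} records={r['nitems']} peers={r['peers']} "
              f"exposed={is_exposed(reply)} amplification={amplification(reply):.1f}x")
```

A reply with error 0 and at least one record means the server is still serving `monlist`; the `more` flag signals further datagrams, so the per-datagram ratio shown here is a lower bound on total amplification. No reply, or a reply with a non-zero error code, means the query is being dropped or refused. On a stock ntpd the usual fixes are `disable monitor` in `ntp.conf`, a `restrict default ... noquery` line, or upgrading to 4.2.7p26 or later; for vSphere components, follow KB 2070193 rather than editing files by hand, since it states which components are affected and the supported way to apply the mitigation.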

Please sign up for the Security-Announce mailing list to receive new and updated VMware Security Advisories.

Customers should review the security advisory and direct any questions to VMware Support.