
Tag Archives: VMware

Is “Mixed Mode” acceptable in a vSphere Environment?

Hello Security & Compliance Peeps,

My name is George Gerchow, I am the Director of the VMware Center for Policy & Compliance. Our charter at CP&C is “simple”, like a Cowboys fan’s knowledge of football:

  • 1 – Support migration of highly regulated workloads to vSphere
  • Two – Provide coverage of the most common regulatory, industry and vendor policies
  • C – Drive industry thought leadership

As a follow-on from VMworld, we are going to extend the Management Mastery series to our Secura-Nerds and give you an opportunity to discuss relevant topics that are HUGE. Bottom line: security and compliance are the main inhibitors to virtualization and cloud computing. VMware and other vendors have solutions that are VIRTUALIZATION aware and attack these problems head-on.

With all that being said, our first topic is Mixed Mode support for PCI environments. See Section 4.2 in the Vendor Information Supplement. Section 4.2 strongly recommends that VMs of different security levels are not hosted on the same hypervisor or physical host. The fear is that a less secure VM can be used to spawn off an attack on a more secure VM.

It is my opinion that most people are not up to speed on virtualization security and compliance solutions. If you can prove that the systems in a mixed mode are not communicating, you should be golden. If your QSA does not agree, it might be time to get a new QSA. Jkjkjkjkj, not really but… Click the link below to see what we talked about at VMworld. I was misquoted in this article, Computer World and several others. (I NEVER said QSAs were ten years behind :) ) Seriously, I have some good friends that are QSAs and they will also be tracking this blog to help answer questions. BTW: This got heated at VMworld during our trusted cloud session.

Y'all are going to have to excuse my grammar and spelling errors. I am ESL and it comes out all the time. Happy Monday and give us a shout!

Analogies and The Principle of Least Privilege

Ana Seijas here — one of the newest members of the VMware Security & Compliance team. I've been doing security for a long time: I started as an external systems auditor and then moved on to internal audit, consulting, training and CISO, but the one thing I've enjoyed the most was being a Systems Engineer. I've been an SE, as they are most commonly known, for a number of years and for several very large companies. As SEs we play consultant, sales person, techie or plain listener for our customers, and with all of these hats the one thing in common is that we do a lot of presenting! As soon as there's even just one person in the room, we're ready to present, be it a PowerPoint, whiteboard, or napkin! So over the years I've taken many presentation classes, and although I've learned many cool techniques, the one thing that stands out and that I try to do most of all is create analogies between technical stuff and real-world stuff. It's how I can make people remember what this stuff really does!

So when I joined VMware a few months ago and was introduced to our vShield products, I knew that I would be presenting them soon enough. As I learned the features, functions, and use cases, I started to think of the analogies… so here goes…

Customers secure their data and assets from all those bad guys out on the internet with firewalls, IPS, switches, routers, load balancers and whatever new technology they can find. For the most part they've learned to build a very "hard shell" around the outside of their company. In most cases it's very hard to get inside a customer's network from the internet (although these days it seems like everybody is being hacked!). For the most part that "hard shell" exists, but once I'm on the inside as an employee with access, it's a "soft and chewy inside", and that's where the problems exist. It's way too expensive ($$$, people, process and complexity) for a customer to completely isolate every application, group, line of business, or piece of data they have, and so for the most part access on the internal network allows me to see or poke around more than I need to. Curiosity killed the cat, or more likely leads to data leakage or stolen information.

VMware's vShield products can help customers maintain that "hard shell" around their virtual datacenters, but also provide "crunch for the soft and chewy inside". It's like sticking a pretzel in it!

Let me explain further! vShield Edge is a stateful inspection firewall that can provide perimeter security for the virtual datacenter. It follows the same guiding principles as any firewall but also includes site-to-site VPN and load balancing capabilities for securing the different tenants, companies, countries, lines of business, stores, offices, etc. that exist in your virtual infrastructure. Adding vShield App allows the customer to define security groups inside the virtual datacenter for different trust zones (e.g. PCI, DMZ, HIPAA), applications (web servers, SAP, Oracle, etc.) or groups (finance, HR, development, etc.) and to define security rules based on their actual business needs, as opposed to how the infrastructure or network was created, thus providing that crunch on the inside.

With vShield App, organizations can become more secure by limiting the ability of the curious employee with "roaming eyes" to access or see information they don't need. It's the ability to apply the principle of least privilege in a logical manner at the network layer.

So what is the principle of least privilege? As PCMag's Encyclopedia puts it: a basic principle in information security that holds that entities (people, processes, devices) should be assigned the fewest privileges consistent with their assigned duties and functions. For example, the restrictive "need-to-know" approach defines zero access by default and then opens security as required. All data in a corporate network would be off-limits except to specific people or groups based on Role-Based Access Controls.

Now the principle of least privilege implies getting down to as granular access as possible, so the vShield products only provide another layer of granular access control at the network layer and for inter-VM traffic. You still need to provide granularity using Role-Based Access Controls in vCenter, on your network devices, at the guest OS and in the applications, to name a few.
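To make the "crunch on the inside" concrete, here is an added toy model of a zone-based, default-deny inter-VM policy, written for this post and not vShield App's own API or rule format. The VM names, zone labels, rules and flows are all constructed; the second function shows how you would audit which cross-zone flows a policy still permits, the question a QSA asks about a mixed-mode host.

```python
# Toy model of zone-based inter-VM firewalling (added example, not vShield code).
# VMs are grouped by trust zone rather than by IP subnet; rules refer to zones.
from dataclasses import dataclass

# Hypothetical VM-to-zone mapping: the "security groups" inside the datacenter.
VM_ZONES = {
    "web-01": "DMZ",
    "app-01": "PCI",
    "db-01": "PCI",
    "hr-fs-01": "HR",
    "dev-01": "DEV",
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: int      # destination TCP port
    action: str    # "allow" or "deny"

# Explicit rules express actual business need; anything unmatched is denied.
RULES = [
    Rule("DMZ", "PCI", 8443, "allow"),  # web tier reaches the app tier on 8443 only
    Rule("PCI", "PCI", 1521, "allow"),  # app tier talks to the database inside PCI
    Rule("HR", "HR", 445, "allow"),     # HR file shares never leave the HR zone
]

def evaluate(src_vm: str, dst_vm: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow: first matching rule wins, default deny."""
    src_zone, dst_zone = VM_ZONES.get(src_vm), VM_ZONES.get(dst_vm)
    if src_zone is None or dst_zone is None:
        return "deny"  # a VM in no security group has no privilege at all
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.port) == (src_zone, dst_zone, port):
            return rule.action
    return "deny"

def audit_cross_zone(flows):
    """Return the observed (src, dst, port) flows that cross trust zones AND are
    permitted, i.e. the communication paths an auditor must see justified."""
    return [(s, d, p) for s, d, p in flows
            if VM_ZONES.get(s) != VM_ZONES.get(d) and evaluate(s, d, p) == "allow"]

if __name__ == "__main__":
    # Constructed sample flows, as a hypervisor firewall might observe them.
    flows = [("web-01", "app-01", 8443), ("dev-01", "db-01", 1521),
             ("app-01", "db-01", 1521), ("hr-fs-01", "db-01", 445)]
    for f in flows:
        print(f, "->", evaluate(*f))
    print("cross-zone flows still permitted:", audit_cross_zone(flows))
```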

So if your security team is coming down on you to protect more and more of your data for PCI, HIPAA, or whatever the reason, show them how smart you are on security and tell them you're going to virtualize more so you can provide more access controls and enhance the principle of least privilege by using vShield!