Category: RSA

May 07

There’s no silver bullet

I’m frequently asked about virtualization and cloud security. Usually it starts with a phone call from a sales guy asking “How do I secure the Vblock?” or “What can we sell to secure VMware?” I usually counter these statement with “Tell me the problem you’re trying to solve”.

Once I know what’s actually being asked, I’m usually left having to break the news. There’s no silver bullet. I can’t send you a USB key with the “Secure the Vblock” app on it so you can plug it in and “make it secure”. <\bubble burst>

“But why not Mike?” It’s because there’s just too many moving pieces and too many definitions of what “secure” means. Let’s break that down a bit.

How many moving pieces? Tons. When you think of all the settings you can change that could possibly impact security, it starts to boggle the mind. I’m reminded of two things. “The Butterfly Effect” where one change in a nonlinear system can radically change the outcome and the Mandlebrot fractals, where changing one variable can change the image displayed.

What’s your definition of “secure”? Everything encrypted? All I need is vShield? Twelve character passwords? Logging everything to a SIEM? Updating patches?

The list goes on. (and on…)

With virtualization, we’re putting a huge responsibility on the infrastructure to be secure. Unfortunately, some still treat it as an application and forego things like design. Security is still a “bolted on” construct. IT and Security are still not working together.

Because of the complexity, we need to use more tools. We need to automate and be able to work at scale. IMHO, “Cloud” is not about IaaS, PaaS, SaaS or any of the other *aaS’s. Cloud is about Scale. That means security needs to be able to scale. That means we CAN’T keep doing things the way we always have. (a better excuse for an audit I have not found!)

Some of these tools, performance monitoring, patching, updating, logging, you will find in the quiver of the IT professional.. All tools that the Security Professional should be getting a feed from and understanding how to apply that feed to security.

Hopefully, in the not too distant future, we can provide the ability to make better sense of that data in real time to help better secure the virtual environment. You can start today with using that data to ensure that compliance and visibility requirements are met. If you want a silver bullet, that’s a good place to start!

Mar 26

Best retail experience…ever

Hi all,

Just a quick posting on my latest trip to the Apple Store. I got to work today and realized that I had left the power adapter for my Macbook Air at home. Well, I live 50 miles from my office so I’m not about to hop in the car and make another 2+ hour round trip. Fortunately, there’s an Apple store less than 4 miles away at the Burlington Mall so I headed over there.

Apple Store, Burlington

It was about 9:15am when I got there. People were inside, learning how to use their new iDevices by the friendly store employees. One of the sales folks came to the door and asked

“Can I help you?”

“Yea, I need to buy a power adapter for a Macbook Air”

“I’m sorry, we don’t open until 10am. Thanks!”

Great. So I stood there and wondered to myself if I should wait until 10am or not. Then I noticed another sales guy, Mike L., coming to the door.

“Can I help you?”

“Yea, I left my power adapter at home for my Macbook Air”

“I’m sorry, but our registered don’t even open until 10am”

“Damn. I’ve got work to do. Any chance I can buy it using my phone?”

“Let me ask the manager”

So, Mike L. went off to the back room and came out and grabbed a box off the shelf. He came to the door and motioned me inside.

“Do you have have an iPhone?”

Showed him my iPhone and said “Of course”

“Great, do you have the Apple Store app?”

“Yup”

“Great, bring that up” He then showed me how to bring up the scanner. The app knew I was in the Burlington store and offered me the option of “Easy Pay”. I scanned the barcode, entered my iTunes password and my CVC code and I was good to go. Seconds later, I had the receipt in my Inbox. I thanked Mike profusely and got his name and told him I was sending an email to Tim Cook.

THIS is how retail should work. Happy customers are returning customers and going the extra mile pays off in spades. Mike L. could have been just like the first young lady. “Oh, sorry!” But he saw a frustrated potential customer and asked his boss if there was something that could be done. It didn’t take a huge amount of effort. He has probably forgotten it by this time.

But I haven’t.

 

mike

Feb 11

Securing Virtual Desktops with Brian Gracely & TheCloudcast.Net

On Thursday, Feb 9th, I drove from RSA HQ in Bedford, MA to EMC HQ in Hopkinton to spend some time with Brian Gracely (Twitter:@bgracely)and do a podcast and whiteboard session on security and virtual desktops.

Brian is the Director of Technology Solutions and Strategy at EMC and one of the co-hosts of TheCloudcast.(NET) along with Aaron Delp. (Twitter:@aarondelp) If you haven’t heard of The Cloudcast you’ve been missing out! It’s a wealth of knowledge sharing with some of the real leaders in the virtualization and cloud space.

This was my second time on The Cloudcast. My first time was as part of a panel at VMworld 2011 where I discussed vCloud and security with Brian, Aaron and VMware’s Chris Colotti, (Twitter:@ccolotti) a vCloud rockstar.

I really enjoy these social media opportunities! I like sharing knowledge but more than that, I like hanging out with people smarter than me. It really raises my game and gets the creative juices flowing!

Out of discussions like this I’ve come up with novel ways to solve problems, opened my eyes to a different way of thinking and even came up with a patent application that I’m hoping to be able to talk about soon.

In our discussion, Brian and I built upon some of the points I made in a previous blog posting on Virtual Desktops and Security. Take a moment to read that and then listen to the audio and check out the video whiteboard.

So, without further adieu, I’d like to redirect you over to our podcast and video on Securing Virtual Desktops and my thoughts on Bring Your Own Device (BYOD).

Securing Virtual Desktops TheCloudcast.(NET)

I hope you enjoy it as much as we did making it and that it helps you in your virtual desktop strategy. If you have questions, reach me on Twitter or send me an email.

Thanks!

mike
@mikefoley