When the only tool you have is a hammer, everything looks like a nail. That’s a tech industry cliche, but it’s certainly true in the security field.
Vendors presented what they claimed were innovative solutions at the NetEvents Cloud Innovation Summit in Saratoga, California, but all of them were remarkably similar to their existing security products. Appliance vendors suggested appliances, server vendors suggested server software, and so forth.
Fortunately, some new workable ideas also surfaced. One in particular is potentially standards-based and could actually work. Martin Casado, the inventor of OpenFlow, proposed an answer to cloud security that exists outside any individual server operating system.
Instead, it would reside in a separate layer, within, or perhaps virtually next to, the hypervisor. While Casado now works for VMware, he made it clear that such a security layer should exist with any hypervisor, not just VMware’s ESX products.
Casado, borrowing a concept from the Space Science Laboratory at the University of California, Berkeley and NASA, said that such a layer would effectively exist in the cloud’s “Goldilocks Zone.” He said that one problem with security systems that run as a guest process in a virtualised system is that once the operating system in that process is fully locked down, you lose visibility to network resources. But when you gain visibility, you lose security, he noted.
The Goldilocks Zone would be a place where both visibility and security are possible — in other words, a location that’s not too visible or not too inaccessible, but is just right. Such a layer in the hypervisor would work because it’s outside of any one virtualized server, but can observe server operations in detail.
As a spokesperson for VMware told me later, the first thing that malware invading a server tries to do is to block the operations of any anti-malware software. But since a process on a virtualised server has no way to reach the hypervisor, then the security layer that’s working with the hypervisor can take action to prevent damage.
The problem with this idea is that there’s currently no security layer in anybody’s hypervisor—whether it’s from VMware, Microsoft or anyone else. While the discussion from Casado suggests that VMware may be working on something, that’s an assumption that may or may not hold water.
The problem is that cloud security is an issue that needs to be dealt with now. Malware is everywhere. It’s getting worse on a daily basis, and the people who create malware are getting better at finding ways to insert it into machines, virtual or otherwise. As good an idea as Casado’s hypervisor security layer might be, the idea needs to be turned into a reliable product right now.
Unfortunately, network vendors don’t seem to have products that apply this concept. Ask the switch vendors what to do about malware passing through the network, and you get pointed to appliances, add-on switch software or some other partial solution. One network vendor (I can’t say which one because it’s under embargo) was excited about a piece of switch software that would look for unsafe URLs, but that’s it. It wouldn’t do a thing to defend against someone’s malware-tainted laptop that got connected to the network after it was infected.
The sad truth is that most of the cloud security systems out there are echoes of yesterday when malware came in the form of an easily detected virus and the biggest risk was a disgruntled employee. Of course, those risks still exist, but in the real world, the danger goes far beyond that.
Fortunately, some companies are at least working on solutions that resemble what Casado had in mind. Wedge Networks, for example, has introduced a hypervisor-based software solution called NFV-S (network function virtualization–security), which does very much what Casado had in mind, which is to provide a security layer outside the virtualised servers. While I can’t talk about the details of some new products Wedge is announcing in the future (because they wouldn’t tell me all their secrets for some reason), they are marketing their hypervisor-based solution to cloud providers.
Wedge says it is the first company to provide such a hypervisor-based solution. While this may be the case for now, it seems likely that virtualisation providers would be building such a security approach into their products. Microsoft, for example, could decide that an integrated, standards-based security layer could give Hyper-V a competitive edge over arch-rival VMware.
One can only hope that security becomes a competitive issue in the world of virtualised systems. If we have learned nothing else from decades of operating system development, it is that security as an afterthought doesn’t work. A system needs to be secure from the ground up, and perhaps competition is the best way to deliver that.
Originally published on eWeek.
Fourth quarter results beat Wall Street expectations, as overall sales rise 6 percent, but EU…
Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…
Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…
Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…
Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…
Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…
View Comments
Smith vs Maryland destroys any reasonableness of Security associated with the cloud,
This is my email to a forensics professor and his reply:
To: Professor
I will ask a large favor of you and your time for I know the length of time it takes to research these 2 requests. 1) Please watch both of the videos included in this email. 2) I will return to my statement made in your class : There is no such thing as security, only the reasonableness of it. I will retract the latter end of my statement and say again: There is no such thing as security. These videos prove one thing we are on the verge of collapsing not only the world of IT, Computers, and Software, but our Legal and business environments as well. I will point out these grave facts revealed: 1) (This maybe the most damning of all) Smith vs Maryland states that any information given to a 3rd party vendors has no Legal expectation of Privacy, as revealed in the Twitter Case US Court of Appeals No. 11-5151, UNITED STATES OF AMERICA, Plaintiff-Appellee, v. JACOB APPELBAUM; ROP GONGGRIJP; BIRGITTA JONSDOTTIR, Defendants-Appellants, and TWITTER, INCORPORATED, Defendant and the Case of: FBI vs. LavaBit which both quote Smith vs Maryland, this is the destruction of the privacy of the cloud not only in principal by demonstration in court. 2). The revealing of the purposed weakening of the random generator for the secure keys as you will conclude is a breach of the very nature of our crypto from its inception. This amounts to Fraud under the US Statutory Law by definition. 3) It is further revealed in the videos that they are using IT management areas (in switches, routers and Computers) and backdoors of IT to gain access to firmware and BIOS and have breached the core of the Systems themselves and proven what I have been warning the IT field about for over 12 years about the problems concerning the Consortium that most every chip maker INTEL, AMD and almost every other IT manufacturer on the planet who wanted Government contracts to adhere to the prerequisites in architecture (most of which is done in Secret as you well know) for what is referred to as Trusted Computing but it amounted to much more that just that, what they needed from the Computer industry to meet their needs as you will ascertain from just evaluating these 2 simple videos, and there is much more if you examine all of the leaked information.
The final analysis is that those who were suppose to keep us all safe were nothing more that the criminals we were supposed to be protected from…
I will understand if you do nothing, say nothing, most people will be afraid of the implications and facts asserted here. All I ask is for is a response, If you say there is nothing you can do, I will accept that they have you as well, Remember Sir, This will be the downfall when they connect the dots, no one will be spared. The NSA and CIA and FBI will use this and not for the good there record stands in history for their abuse.
As a person in the IT field, I am not sure I can remain in the field. I cannot lie to those I am suppose to be protecting with the knowledge I now possess.
I will await your reply, please remember your students who rely on your creditability to make responsible decisions.
https://www.youtube.com/watch?v=dy3-QZLTpbQ Jacob Appelbaum Exposes NSA Tools Hacking Your Computer-Back Doors & Malware
https://www.youtube.com/watch?v=2qwhB-u7PiI Encryption vs. Survelillance – EuroParl Privacy Platform feat. Ladar Levision & Jacob Appelbaum
I will thank you ahead of time Professor, I know your time is precious, I almost did not send this email but if I did not I could not look myself in the mirror as some who just consider their paycheck or just a hazard of the career they are in . I am not just sending it to you, I will be writing others as well and in the end the Justice Dept and our Representatives and the general public most of them who have spent as much time in this career as I if not more and I thank those in the Legal field I studied under who gave insight into what is important in the IT field.
Sincerely,
Andrew J. Pallo III (Skip)
HIS REPLY:
Skip,
The problem is a lot bigger than your videos. There is good news and bad new though. The good news is the world is actively working to fix this issue sense the Snowden leaks. The bad news is there are people activity working to hide/shut it/us down. The best thing the good guys can do is continue to question authority, use better/new open source encryption and continue to change technology in OUR favor.