Episode 3

From AstroArch

Virtualization Security Round Table Podcast Episode 2 show notes


Go to Talkshoe to download or listen to the podcast. Soon to be available also on iTunes.

Our guest panelist was Christopher Kusek. Thank you for joining us, Christopher.

The podcast started off with each panelist answering the following question, which led to a short but lively discussion: when someone says 'storage security', what is your immediate thought or response? The answers ranged from hysterical laughter to a request for quite a bit more information: what exactly are you trying to secure?

Our discussion covered two basic concepts: Data at Rest and Data in Motion.

  • Data at Rest - The current state of the art is encryption on the array, based either on TPM-style devices or on certificates issued through a PKI. We briefly chatted about the use of encrypted drives, but we mainly talked about encryption on the array itself. This led us to the Brocade device that encrypts data on disk while sitting inline with the fibre cables. Encryption requires good key management, which is often hard to do. Hoff went further to discuss an appliance being worked on that would tie individual certificates to specific data on a storage array (SAN/NAS), which is a very difficult process because everything ends up with its own encryption.
  • Data in Motion - Encryption was once more the talk of how to secure data in motion, or data on the wire. We discussed the use of data islands (data-only networks, separate for each type of data) and the commingling of data on storage as well as over the network. We went through each storage method:
    • FC - Encryption using the Brocade device, or nothing; something is needed at the endpoint.
    • iSCSI - IPsec (which VMware ESX/ESXi does not support), and it is also far too slow.
    • NFS/CIFS - Nothing built in; security is at the IP level.
    • FCoE - Encryption is coming from card to switch and perhaps further, but nothing yet.

The future looks very bright, but for now segregating storage is still the best approach. We did discuss VLANs, but we will hold that topic for another time.

The last comments were thoughts on storage security and a question for a future podcast: how do you prevent re-purposed hardware from retaining access to storage that was provisioned for its previous purpose and is not needed for its new one? I.e. a host is ESXi with access to VM data, and now that host is a web server.
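One defensive answer to that re-purposing question is to make storage access follow the host's role rather than the host itself, and to audit for drift. The following Python model is an added illustration, not something from the podcast or from any vendor's array: it represents LUN masking as a table of initiator identifiers per LUN, so that re-purposing a host revokes what the new role does not need before granting anything new. The role policy, host names and the initiator IQN are all constructed sample values.

```python
"""Per-initiator storage access (LUN masking) that follows a host's role,
so a repurposed host loses the storage it no longer needs.
All policy, host and initiator values below are constructed for the example."""
from dataclasses import dataclass, field

# Storage each role legitimately needs (constructed sample policy).
ROLE_ENTITLEMENTS = {
    "esxi": {"vmfs-datastore-01", "vmfs-datastore-02"},
    "web": {"web-content-nfs"},
    "decommissioned": set(),
}


@dataclass
class Host:
    name: str
    initiator: str   # iSCSI IQN or FC WWPN by which the array identifies the host
    role: str


@dataclass
class StorageArray:
    """Masking table: LUN/export name -> set of initiators allowed to see it."""
    masking: dict = field(default_factory=dict)

    def grant(self, lun, initiator):
        self.masking.setdefault(lun, set()).add(initiator)

    def revoke(self, lun, initiator):
        self.masking.get(lun, set()).discard(initiator)

    def visible_to(self, initiator):
        return {lun for lun, inits in self.masking.items() if initiator in inits}


def provision(array, host):
    """Grant a freshly built host exactly what its role entitles it to."""
    for lun in ROLE_ENTITLEMENTS[host.role]:
        array.grant(lun, host.initiator)


def repurpose(array, host, new_role):
    """Change a host's role and make its masking entries match the new role.
    Everything the new role does not need is revoked before anything is granted,
    so the host never holds the union of old and new entitlements."""
    wanted = ROLE_ENTITLEMENTS[new_role]
    for lun in array.visible_to(host.initiator) - wanted:
        array.revoke(lun, host.initiator)
    for lun in wanted - array.visible_to(host.initiator):
        array.grant(lun, host.initiator)
    host.role = new_role
    return array.visible_to(host.initiator)


def audit(array, hosts):
    """Return {host name: LUNs visible beyond what the host's role entitles}."""
    findings = {}
    for h in hosts:
        excess = array.visible_to(h.initiator) - ROLE_ENTITLEMENTS[h.role]
        if excess:
            findings[h.name] = excess
    return findings


def demo():
    array = StorageArray()
    # Constructed host and initiator identifier.
    h = Host("host07", "iqn.2008-01.example:host07", "esxi")
    provision(array, h)
    # Naive repurpose: only the role label changes, the masking table is untouched,
    # so the audit reports the two VM datastores still visible to a web server.
    h.role = "web"
    leaked = audit(array, [h])
    # Proper repurpose: masking follows the role, and the audit comes back clean.
    after = repurpose(array, h, "web")
    return leaked, after, audit(array, [h])


if __name__ == "__main__":
    print(demo())
```

The audit function is the part worth keeping around operationally: run against the array's real masking export and an inventory of host roles, it reports any initiator that can still see storage its current role does not justify, which is exactly the gap the question describes.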

Panelist BIOs

  • Christopher Kusek has over 18 years of experience in the technology industry. For the last 14 years he has worked as a consultant providing solutions to thousands of companies. He is known for innovative ideas and community dedication, which led him to found the Chicago Windows Users Group. CWUG, now in its 6th year, is a technical community serving over 2,400 individuals, with Christopher as vice-chair, frequent presenter, and keynote speaker. Christopher continually looks for ways to contribute back to the community through public speaking, blogging, mentorship, and continuing education in technology. He has received many awards and technical certifications, including CISSP, MCSE, MCITP, NACE, NCIE and NCSA.
  • Michael Berman is the CTO of Catbird, with over 20 years of experience in system engineering, architecture, design and implementation of secure computing. Michael's experience includes implementation of C2 UNIX, Fortune 100 enterprise security, and expert support in the prosecution of computer crimes. He is a member of the Electronic Crimes Task Force and the High-Tech Crime Investigation Association and a Certified Information Security Systems Professional (CISSP). Michael is a frequent speaker on the topic of virtualization and security.
  • Chris Hoff is chief security architect of Unisys Corporation's Systems & Technology division. Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems' chief security strategist, was the CISO for a $25 billion financial services company, was founder/CTO of a national security consultancy, and led the security engineering team of one of the first global managed network security service providers. Hoff is a prolific blogger and a sought-after speaker at leading security conferences.
  • Iben Rodriguez is an Infrastructure Consulting Professional with over 20 years of experience working in complex IT environments. Iben has extensive knowledge of VMware-specific environments, having spent 2 years working for VMware in various roles. Iben has led and delivered very complex projects for Fortune 500 companies, including Switzerland-based pharmaceutical companies, one of the world's largest online auction companies and a large city government in southern California. Iben is considered one of the foremost industry experts in VMware-based security and infrastructure design.
  • Edward L. Haletky is the author of VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers. Haletky owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development. Haletky is also a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions, a prolific blogger, and is working on new books on virtualization.


Podcast audio improvements by Tim Pierson of DataSentry, Inc.