Tag: Security

BTOGG – Google Glass and future security implications

While working on some other things yesterday, I had the live feed from Google I/O running. I have to say that Google is catching up and possibly surpassing Apple in coolness. They certainly took many presentation tips from Apple! Up to and including the Jobsian “…and that was <feature>”.

One of the coolest things was Google Glass.

This is a set of eyeglasses with a built-in camera and display. Google introduced it with skydivers wearing the glasses and parachuting onto the Moscone Center roof!

Even though I’m an IT guy at heart, living here at RSA for the past 7 years has made me somewhat paranoid about data sensitivity. When I saw how Google Glass was capturing EVERYTHING, my first thought (after “WANT!”) was “What if I was streaming my Glass feed via a MiFi?”

That led to the paranoia kicking in. What if I was doing that in work? And what if my work has me dealing with sensitive information or even just internal use only emails? And I forgot to turn off the live feed to my blog/website/Twitter/Facebook?

As you can now imagine, the security implications start to boggle the mind. I wish I had an answer for this. Will the BYOD Generation listen to the Graybeards when told “You can’t bring them in here? Oh, and no MiFi too!”? Do they now? No.

By the way, I think I’m a BYOD/Graybeard mashup. (as I type this from my personal Mac at work)

So, I think that right now, probably the best thing is to discuss. Consider the implications, don’t over-react and understand the tradeoffs. Just like when cameras first showed up on cell phones and the first corporate systems connected to the ARPANET, interesting and enabling technologies don’t need to be feared, just understood.

mike

There’s no silver bullet

I’m frequently asked about virtualization and cloud security. Usually it starts with a phone call from a sales guy asking “How do I secure the Vblock?” or “What can we sell to secure VMware?” I usually counter these statements with “Tell me the problem you’re trying to solve”.

Once I know what’s actually being asked, I’m usually left having to break the news. There’s no silver bullet. I can’t send you a USB key with the “Secure the Vblock” app on it so you can plug it in and “make it secure”. <\bubble burst>

“But why not, Mike?” It’s because there are just too many moving pieces and too many definitions of what “secure” means. Let’s break that down a bit.

How many moving pieces? Tons. When you think of all the settings you can change that could possibly impact security, it starts to boggle the mind. I’m reminded of two things: “The Butterfly Effect”, where one change in a nonlinear system can radically change the outcome, and the Mandelbrot fractals, where changing one variable can change the image displayed.

What’s your definition of “secure”? Everything encrypted? All I need is vShield? Twelve character passwords? Logging everything to a SIEM? Updating patches?

The list goes on. (and on…)

With virtualization, we’re putting a huge responsibility on the infrastructure to be secure. Unfortunately, some still treat it as an application and forgo things like design. Security is still a “bolted on” construct. IT and Security are still not working together.

Because of the complexity, we need to use more tools. We need to automate and be able to work at scale. IMHO, “Cloud” is not about IaaS, PaaS, SaaS or any of the other *aaS’s. Cloud is about Scale. That means security needs to be able to scale. That means we CAN’T keep doing things the way we always have. (a better excuse for an audit I have not found!)

Some of these tools (performance monitoring, patching, updating, logging) you will find in the quiver of the IT professional. They are all tools that the Security Professional should be getting a feed from and understanding how to apply that feed to security.

Hopefully, in the not too distant future, we can provide the ability to make better sense of that data in real time to help better secure the virtual environment. You can start today with using that data to ensure that compliance and visibility requirements are met. If you want a silver bullet, that’s a good place to start!

Securing Virtual Desktops with Brian Gracely & TheCloudcast.Net

On Thursday, Feb 9th, I drove from RSA HQ in Bedford, MA to EMC HQ in Hopkinton to spend some time with Brian Gracely (Twitter: @bgracely) and do a podcast and whiteboard session on security and virtual desktops.

Brian is the Director of Technology Solutions and Strategy at EMC and one of the co-hosts of TheCloudcast.(NET) along with Aaron Delp (Twitter: @aarondelp). If you haven’t heard of The Cloudcast you’ve been missing out! It’s a wealth of knowledge sharing with some of the real leaders in the virtualization and cloud space.

This was my second time on The Cloudcast. My first time was as part of a panel at VMworld 2011 where I discussed vCloud and security with Brian, Aaron and VMware’s Chris Colotti (Twitter: @ccolotti), a vCloud rockstar.

I really enjoy these social media opportunities! I like sharing knowledge but more than that, I like hanging out with people smarter than me. It really raises my game and gets the creative juices flowing!

Out of discussions like this I’ve come up with novel ways to solve problems, opened my eyes to a different way of thinking and even come up with a patent application that I’m hoping to be able to talk about soon.

In our discussion, Brian and I built upon some of the points I made in a previous blog posting on Virtual Desktops and Security. Take a moment to read that and then listen to the audio and check out the video whiteboard.

So, without further ado, I’d like to redirect you over to our podcast and video on Securing Virtual Desktops and my thoughts on Bring Your Own Device (BYOD).

Securing Virtual Desktops TheCloudcast.(NET)

I hope you enjoy it as much as we did making it and that it helps you in your virtual desktop strategy. If you have questions, reach me on Twitter or send me an email.

Thanks!

mike
@mikefoley