RDA Rocks!

After his first foray with RDA, Eric Sloof of NTPRO.NL decided to use Replicate's RDA 1.0 as part of a course on  VMware installation and configuration.  Here's a portion of the report.  Gotta love that conclusion.

Replicate Technologies | RDA Rocks - NTPRO.NL

This week I’m delivering the famous VMware Install and Configure course at XTG in the Netherlands. At the end of the third day it’s time for VMotion. Three ESX servers are added to one Virtual Center server and the students have the task to make all their virtual machines VMotion compatible. I took this opportunity to upload the Replicate Technologies Datacenter Analyzer virtual appliances....
...  In my classroom [RDA found] an issue with one of the virtual machines. This machine functions as a router and is booted from a floppy. Besides that it’s connected to an internal only virtual switch. Definitely some show stoppers for VMotion. One of the virtual machines had CPU affinity, RDA didn’t report the affinity setting, [and] I posted a feature request at the [Replicate RDA] forum. In the screen dumps you can see my findings. To conclude: easy setup, fast results, RDA rocks.


PCI DSS 1.2 and the On-going Conversation about Virtualization

While cruising through the feed-reader, I came upon Eric Sieberts recent post regarding the release of the Payment Card Industry’s Data Security Standard (PCI-DSS), version 1.2.  Eric notes that "... the specification dictates what must be done to secure a server that may store or process cardholder data, but if that server happened to be a virtual guest the host server would not be considered in the scope of the specification."  He then wonders (out loud) what could be the cause for this lack of attention (see quote below). 

This post reminded me of a conversation I had in August with Scott Loftesness of Glenbrook Partners, who arguably knows more about technology and the payment card industry than any five persons on the face of the planet.  He pointed me to this article as to why failure of PCI DSS 1.2 to address virtualization won't matter.  The author, David Taylor, is certainly no slacker.  He's the VP Data Security Strategies at Protegrity, as well as the founder of the PCI Knowledge Base, Research Director of the PCI Alliance, and a former E-Commerce & Security analyst with Gartner.  He takes a pragmatic approach, urging the reader to not wait for standards, and is pretty clear that he's a believer in the value of virtualization.  But there still seems to be some "buck passing."  He seems to be saying to the merchants who are subject to the PCI DSS standards:

  • You need to prove to prove to an assessor that virtualization is secure enough to pass PCI audits.
  • You need to cost-justify the amount of money required to do so.
  • You need to push on your application software vendors to warrant the security and functionality of their products in virtualized environments ... something they, apparently, are often unwilling to do.

To the first point, it seems to me that best practices, standards and compliance tools or other means by which assessors can address the issue with uniformity are necessary.  There are a number of security specifications for virtual hosts (one of which Eric Siebert references in his post), which, if adopted, would be a reasonably objective basis for the standards and best practices.

With these standards in place, there seems little reason why the application vendors could not address the issues of security with respect to the use of virtualized infrastructure (the hosts and networks) as well as the virtualization of the applications themselves. 

This same tale is going to be told multiple times.  It's not just about PCI, but also will impact a standards and regulations like Sarbanes-Oxley, as well as (here it comes) the standards for data security and processing security in SaaS and IaaS environments ... Yes, I mean "cloud computing."  The PCI industry has a chance to do this right up front, without the buck passing.  I think I'm with Eric on this one.


Seems that while I was heads-down with Replicate's product launch, I missed Christofer Hoff's post on PCI, virtualization and clouds.  Once I get out from under, I'll get caught up and join the fray. 

Just to be clear -- I agree with most of the points that David Taylor has made, but to follow along with this reference to the OSI standards vs the TCP/IP development of standards ... what we're missing today is the moral equivalent of the TCP/IP definitions of best practice and standard.  If the PCI DSS folks won't step up to it, let's figure out who will.

PCI Data Security Standard updated, but still does not address virtualization — Server Virtualization Blog

I am puzzled as to why they would continue to ignore virtualization. After all, isn’t just about every company virtualizing in some fashion these days? Are the people that write the specification parameters just ignorant of what virtualization is, and that it has a direct impact on their regulations? Or are they just trusting that we are all securing our virtual hosts properly and there is no need to address them? If that’s the case then they have misplaced a critical amount of trust as I am sure there are a great many virtual environments that are not properly secured. Likewise, ignoring virtualization completely greatly reduces the effectiveness of their efforts to secure environments that deal with cardholder data. It’s essentially fortifying everything within a castle, but leaving the front gate open.

StorefrontBacktalk - Why PCI 1.2 Ignoring Virtualization Won't Matter

... The issue is more than just PCI compliance. It's about reliability, performance and data integrity. The point is that deciding whether to deploy virtualized servers broadly throughout the enterprise should not hinge on PCI compliance. Once the larger application and management issues are addressed to the satisfaction of the head of IT infrastructure, and the controls documentation is put in place, then PCI compliance becomes a minor issue by comparison.


Eric Sloof - First Impressions of RDA 1.0

Eric Sloof of NTPRO.NL has the distinction of making the first unsolicited comments on the use of Replicate Datacenter Analyzer.  Thank you, Eric.  You've expressed the kind of response we're seeking from our end-users -- surprise and delight.

Replicate Technologies | My RDA Dashboard - NTPRO.NL

One of my weekend projects :-) is the evaluation of Replicate Technologies Datacenter Analyzer. Yesterday evening I downloaded the Probe and RDA virtual appliances. This morning I started with importing the 2 virtual appliances into Virtual Center. I had to convert the Probe to a template and configure the RDA server. Everything went pretty straight forward. After a while I started my first analyses. To my great surprise RDA immediately confronted me with some faulty configured VM’s and Switches. Oren Teich is following me on Twitter and posted this tweet.

Have >10 people in the wild trying out RDA, including @scott_lowe, @depping, @esloof, & @matt_carpenter. I'm surprisingly nervous! about 10 hours ago from web.

Let’s wait and see what the others think about this new product, I’m very positive. When you click the thumbnail you will get a screen dump from my RDA Dashboard.


Clouds, the Criminal Element and V12N to the Rescue

Christofer Hoff has an interesting post today that reminded me of a conversation I had with Steve Tuecke, Carl Kesselman and Ian Foster in 2004 when we were establishing Univa.  The conversation pointed out that grid computing was, with little fanfare, a fundamental basis for the botnets being implemented by the "bad guys", and that grid computing models would be the most reasonable basis on which to protect the enterprise from a significant portion of intentional security threats.

The challenge, as Hoff makes clear, is the capability of establishing appropriate (and appropriately malleable) policies that travel with the applications and data.  The malleability required is not likely to be found today in conventional provisioning and scheduling systems, nor in conventional configuration management systems. 

The industry is at the stage in the evolution of utility computing/cloud computing/grid computing where the flexibility and dynamic nature of virtualization has to be applied generously to the solution of infrastructure problems like security.  At Replicate, we've started to apply it to 21st century datacenter fault prevention and remediation, which is a challenge big enough to last us a while.  It's likely to bring us in contact with a number of the security issues Hoff raises, though from a different starting point.  I'll certainly be joining Hoff in watching companies grappling with this ... though Hoff's more likely to be on the playing field (BJJ mat?), and I'll be in the bleachers.

Rational Survivability: Cloud Computing: Invented By Criminals, Secured By ???

One of the obvious benefits of cloud computing is the distribution of applications, services and information. The natural by-product of this is additional resiliency from operational downtime caused by error or malicious activity.

This benefit is a also a forcing function; it will require new security methodologies and technology to allow the security (policies) to travel with the applications and data as well as enforce it.


VCritical and "free" Hyper-V

Just uncovered VCritical, a recently started blog by Eric Gray of VMware, "to provide commentary on virtualization and virtualization management.  The various meanings of “critical” appealed to me, hence the name VCritical." 

His writing style and sense of humor appeal to me.   While he's unabashedly pro-VMware, his employer, his points seem fair and well considered on any side he's taking.

This post caught my eye, and clarifies the Microsoft approach to V12N pricing.

VCritical · When does your “free” Hyper-V Server cost $1304?

If Hyper-V Server is free, how much should you pay to manage it?

The most current information available at this time is from a Microsoft blog post: Nexus SC: The System Center Team Blog : SMSE and VMM 2008 Updated Pricing Information - Effective November 2008.

If you read through that blog post you will discover that for every hypervisor managed by SCVMM you will owe Microsoft $1304. Or, you can opt to pay $1497 and also use the other System Center features.

Just remember this when you hear the “free, free, free” and the “management, management, management” rhetoric:

It’s actually one or the other, not both.