The State of Cloud Security and IAM at VMworld 2013
It’s been a hectic week as more than 20,000 folks landed in downtown San Francisco for VMworld. VMworld has grown to nearly the scale and grandeur of Oracle OpenWorld (not quite yet), but it is big enough that time seems to stand still: meetings are postponed or cancelled all week, and one generally falls behind on any time-bound activity.
The new reality for VMware in the last 1-2 years has been an intense focus on, and a rebalancing of resources toward, infrastructure and cloud management technologies. In other words, for an Identity Management guy or gal there might not be a lot of interest for you at VMworld this year. Then again, you might be surprised. In Pat Gelsinger’s keynote he mentioned the user-centric future of Identity in the cloud as “Policies that follow users, not devices.” So today, with regard to authorization, we have SAML grants and OAuth scopes (great explanation here), which together deliver a powerful combination of authentication and authorization for cloud applications and resources. The challenge we face today is that (still) not all applications have a robust implementation of SAML or OAuth to fully realize Pat’s vision. (yet!!) If you were to use Pivotal’s Cloud Foundry and deploy your apps in the cloud, or eventually VMware’s vCHS, you will perhaps discover a delightful world where the utilities for SAML and OAuth authentication and authorization are built into the platform. Or wouldn’t it be great if these capabilities also existed in the vSphere Suite for the apps you deploy in your private and hybrid clouds?
Security & Compliance for vCloud
Also at VMworld, I was delighted to learn about some amazing research in a session I attended called VMware Compliance Reference Architecture Framework Overview (by Jerry Breaud and Allen Shortnacy), including a reference architecture and guidance for security and compliance for your vCloud infrastructure. Security and compliance concerns prevent many VMware customers from advancing in their cloud journey. So it is with the security and compliance accelerator program and the technologies in the VMware Partner Network that customers can confidently architect and deploy secure and compliant cloud solutions. In 2010 I presented how the virtualization layer was a superior vantage point for managing your Identity & Access infrastructure (presentation here). This year VMworld brings resources to market, again with the hypervisor as the vantage point, for achieving a more secure and compliant organization. For example, there are scanners that will inspect your .vmdk files to search for exposed credit card data and provide assurance for PCI compliance!
Privileged Accounts and vCloud SSO
Some awesome technologies for security and compliance are available now for vCenter or vCloud and were demonstrated at VMworld. First off, VMware has some awesome (though seemingly no-brainer, obviously needed) upgrades to the SSO capabilities in vSphere 5.5 that might make you take a second look at how to implement SSO within your organization. Support for multi-master replication, site awareness and even more nifty enhancements makes a compelling story for SSO right in vCenter. There is an excellent blog post about it here.
VMware administrators are the new Uber Admins, often with privileged access to entire datacenters and applications, so it makes sense to form a governance structure around administrator access to the consoles and environments they use on a daily basis. There is a really cool vendor called HyTrust that provides a comprehensive suite of security tools to do just that. Request and approval workflows for VM admins, policy-based access and authentication into VMware environments, and role-based monitoring, compliance and auditability all combine to make it a little easier to integrate VMware infrastructure into a holistic compliance and control framework. As automation technologies such as the Software-Defined Datacenter evolve, this problem will become even more critical, and out of control without a solution from the likes of HyTrust.
With all that being said, coming from VMworld as an “IAM Guy” it could not be clearer that vSphere and the virtual machines in your infrastructure should be considered another resource on the growing list of resources requiring all the usual Authentication, Authorization and Audit. But as of now, typical IAM systems will not simply integrate with vSphere out of the box unless you are using an STS (Security Token Service) or access bridge to handle access token conversion to WS-Security/SAML/OAuth and the like. If you are a vCHS customer you can expect to see some really cool SSO capabilities (soon enough!) between MyVMware and your VM instances running inside of vCHS. In the future, I predict there will be sufficient support for the various types of authentication that you won’t have to worry so much about protocol standards. However, know how and where each fits into your overall security and identity architecture and 3-year roadmap. Understand the implications it has on your policy administration, enforcement, audit, monitoring and so forth.
Please “Like” and comment on this post and add to the conversation!