Welcome to the vBOX!

Cloud, Virtualization, Storage, DR, Security, Hardware Reviews, Book Reviews, and even some Music … all in their own BOX.


ALERT: vSphere 5.1 is not compatible with any versions of VMware View

I thought it prudent to post this before people start randomly upgrading their environments that already were using VMware View.

VMware vSphere 5.1 is not currently supported with any versions of VMware View.

vSphere 5.1 is in the process of being certified against VMware View. We recommend that you do not upgrade vSphere above the supported versions listed in the VMware View 5.1 Release Notes.

For further updates and more information on this alert, refer to KB article:
vSphere 5.1 is not compatible with any versions of VMware View (2035268).

Storage for Virtualized Environments: There has to be a better way!

Stu Finds a Better Way with Tintri Storage

The VDI Storage Debacle: Are you carving up complexity or serving up simplicity?

Think about this for just a second. Conventional or traditional storage was created 20 years prior to virtualization. So as that sinks in, I’ll ask you a question. Why has server provisioning with compute made so many advances in regards to lowered costs, less complexity, and higher performance, while storage has remained relatively the same? Even when talking about SSD, the larger players in the storage market are only bolting it on as a cache, and those that are leveraging all-flash arrays don’t really address the real problems with storage for virtualized environments. Performance in itself doesn’t mean that you have resolved all issues. “Am I alone here?” … “Can I get an Amen?” Just because a large traditional storage manufacturer purchases a company specializing in conventional flash storage, do you think that they are suddenly resolving their issues regarding how that product interacts with the virtual environment? The answer is no. Maybe if they intended to rewrite their code from the ground up to take specific advantage of that flash storage for virtual environments, then you might be onto something. This, my friends, is exactly what Tintri has done.

Although Tintri was purpose-built for virtualized environments, period, I will be writing specifically about VDI for this post. I am fully certified for both VMware View and Citrix products, and my livelihood for the past few years has been centrally focused on VDI: performing assessments, plan and design work, and implementations. I have integrated great third-party products such as Trend Micro Deep Security, UniDesk, and Imprivata, and with those comes an increase in complexity from an architectural standpoint and more specifically a storage standpoint. Let’s look at how one traditional storage provider carves up storage to meet a specific 500-seat VDI demand. This is straight from their best practices document and is available for anyone to see. On the left is how EMC will carve up your storage into several RAID groups, then into LUNs, tiering storage with SSD bolt-on cache (which is expensive, BTW). Other storage vendors’ solutions aren’t much better. There are several things wrong with this… let me elaborate on a couple of points here using the 500-seat comparison.

Questions:

  • What happens when you need to advance beyond 500 seats? (What happens to what you have just architected? Back to the well for more spindles? More SSD? Do you have the finances available for that?)
  • What happens when you have more than one golden image or use case? (Hint: you only have room for one image in this small 100GB space for a golden image. In VMware View, since a recompose process requires that the replica be written before the original is deleted, multiple images will run you out of space. With XenDesktop it doesn’t even make sense.)
  • When using a third-party product like Unidesk, the CachePoints become extremely important in getting the right amount of I/O out of them to drive that performance. In this design there is not enough room in SSD for the CachePoints in the majority of cases.
  • Did you have enough I/O built into the original design to accommodate the virtual infrastructure for Citrix XenDesktop or VMware View and all of the VMs? How about the infrastructure needed for Trend Micro Deep Security? How about the throughput and latency metrics?
  • How do you know for certain how many more VMs you can fit on your current storage before performance is impacted or you are simply out of room?
  • With traditional block storage, are you getting any deduplication or compression advantages? (I can answer this… no.)
  • How about your maximum VMs per LUN when using block storage; have you considered that?

I could go on and on, but here is one more really good question: what if your storage was aware of the VMs running on it? (See: VM-Aware)
With the Tintri VMstore there are no RAID groups to worry about and no LUNs to carve up. Using NFS, you can see from the picture on the right how Tintri answers that best practice design for VDI. Some people promise simple, but Tintri really delivers it. There are no cost, complexity or storage performance barriers for VDI anymore, which has allowed Tintri customers to realize some ROI when implementing virtual desktops, bringing the VDI storage costs from ~60% of the project down to ~15-20%. Its hyper-density can allow for up to 1000 VMs to be deployed on one single Tintri Storage Appliance (see product specs). [In a server environment you can expect to get 250 – 300 server VMs on a single Tintri datastore.]

Tintri also gives you instant bottleneck visualization, interchangeable datastores, intuitive fuel gauges showing available capacity and performance headroom, VM trend-over-time statistics, VM auto-alignment, per-VM snapshots, and more. It wraps QoS around each VM, ensuring performance, and virtually eliminates the usual worries surrounding boot storms, AV storms, and login storms in VDI environments. So my point is, if you can decrease the CapEx and OpEx costs and decrease the complexity of storage while increasing the performance of storage (which is spotlighted by VDI), then what are you waiting for? Give your VDI implementation over to a Tintri VMstore and rest easy that you made a great decision. Some of the best products are the ones which you don’t have to manage and just flat out work (see Data Domain). Isn’t it time that you stop the LUNacy?

Interesting VDI Video:

Tintri VDI Solutions Webinar

Interesting reads:

Top Six Storage Challenges When Implementing a VDI Project

Womble Carlyle Sandridge & Rice Accelerates VDI With Tintri’s VM-Aware Storage

You can feed 800 VMs off 1 of our boxes

Tintri responds on SSD arrays

Tintri – virtual machine aware storage

Virtualization can be Kryptonite for Storage Admins

The 10 Coolest Storage Startups Of 2012 (So Far)

“Stay thirsty my friends.”

~ The most interesting man in the world.

Configuring a KMS server on Windows Server 2008 R2

Well, I have had to set up a KMS server at several of our clients’ sites, and found that the documentation from Microsoft is somewhat confusing. I have set these up before, but it is always a pain to go back and find the information on how to do it all over again. I ran across a blog from Ivan Dretvic at http://ivan.dretvich.com/2011/06/how-to-configure-a-kms-server-in-windows-server-2008-r2/ and much love goes out to him for putting this together. I thought it was worth reblogging, not only for clients and other visitors but also for myself to review when I need it. Below are the steps used to configure the first KMS server in the organization for use with Windows Server, Windows client and Microsoft Office activation. These steps only cover the installation of one KMS server.

Installing first KMS Server

These are the steps I followed to install the KMS server. We determined that, given the number of client activations and the capacity of our infrastructure, we had no problems installing this server on our secondary domain controller. From here on we will call it DC2.

  1. Log onto https://www.microsoft.com/licensing/servicecenter/ and fetch your key: “Win Srv 2008 R2 Data Ctr/Itan KMS C” – Note your key may be similar, but either way it must end in either KMS B or KMS C.
  2. On DC2, open an elevated command prompt (CMD).
  3. Type slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx where the last section is the key from your volume licensing website.
  4. Open “Windows Firewall with Advanced Security” via Start menu -> Administrative Tools.
  5. Under Inbound Rules scroll down to “Key Management Service (TCP-In)”, right click and select Enable.
  6. Reboot the machine – note you can restart the Software Licensing service instead, but I preferred to reboot (seeing as the server was not in use for anything else):

    net stop sppsvc && net start sppsvc
  7. Activate the server after the reboot. This can be done via the GUI or by executing the following command from an elevated command prompt:

    slmgr.vbs /ato
  8. Enable automatic DNS publishing by the KMS host by entering the below command in an elevated command prompt. Note this should already be enabled, but just in case, we execute the command.

    slmgr /sdns

Now you are done installing your KMS server. Note this will provide activation for clients and/or servers depending on the KMS key you used to activate DC2. Office KMS activation will be covered in a later section.

I do recommend verifying that the SRV record in DNS is created. Note that you should have no problems with the automatic creation if you are using a vanilla install of AD and have no specific security restrictions in DNS. To verify that the DNS record has been created, open up DNS and check. Refer to the screenshot below to see where it lives:

Installing Office KMS Host

As mentioned above we have determined that the one KMS box (DC2) is suitable to do all of our activations for Microsoft products, so now we have to configure the Office KMS host on DC2. To do this we do the following:

  1. Log onto https://www.microsoft.com/licensing/servicecenter/ and fetch your key: “Office 2010 Suites and Apps KMS” – Note your key may be similar. If unsure, speak to your Microsoft Account Manager.
  2. Download the Office 2010 KMS Host License Pack from the Microsoft website: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=97b7b710-6831-4ce5-9ff5-fdc21fe8d965. It’s only 903 KB so it won’t take too long.
  3. Execute KeyManagementServiceHost.exe on your existing KMS server; in our case it’s DC2. Follow the prompts to finish the setup process.
  4. When prompted, enter the KMS key for Office 2010.

That’s it. Just as easy to set up. Now you are ready to activate Office 2010 with KMS. To help monitor this, please refer to the section below.

Administering the KMS server

I take it you now want to see whether it works and if clients can be activated. Now I will go into administering the KMS server, which will be quite brief as there is not much to it; it is really only there to aid in troubleshooting and to have a sticky beak when implementing it. Once it’s running there is no real reason to keep going in and checking up on it.

All functions to view settings and make changes are done through the already used VBS script slmgr.vbs. To see all the commands, simply run slmgr from the command prompt. Note that to execute changes you will need an elevated command prompt. You will see the following screens:


So the most common commands that I used were:

Displays license information (KMS activation count):

    cscript slmgr.vbs /dli

Displays detailed license information:

    cscript slmgr.vbs /dlv all

For Office-specific information you can run the below command to get the info wanted:

    cscript slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864

Note I add cscript to the front of the command so that the output stays within the command window; this lets me output/scroll if there is a lot of data, whereas the usual VBS dialog crops the output.
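As an added example that is not part of the original post, the PowerShell script below wraps the checks from the steps above (sppsvc running, the inbound firewall rule enabled, the _vlmcs._tcp SRV record published, the slmgr /dli activation count) into one read-only report for the host. It assumes it runs in an elevated prompt on DC2, that the domain name comes from USERDNSDOMAIN, and that KMS listens on its default port 1688 (my assumption; the post does not state the port).

```powershell
# Added example (not from the original post): read-only health check for the
# KMS host configured above. Assumptions: run elevated on the host (DC2),
# domain taken from USERDNSDOMAIN, firewall rule name from step 5,
# default KMS listener port 1688.

$RuleName = 'Key Management Service (TCP-In)'
$KmsPort  = 1688
$Domain   = $env:USERDNSDOMAIN

function Test-KmsService {
    # The Software Protection service (sppsvc) is what answers activation requests.
    $svc = Get-Service -Name sppsvc -ErrorAction SilentlyContinue
    return (($svc -ne $null) -and ($svc.Status -eq 'Running'))
}

function Test-KmsFirewallRule {
    # netsh prints 'Enabled: Yes' once the inbound rule from step 5 is active.
    $out = netsh advfirewall firewall show rule "name=$RuleName" | Out-String
    return ($out -match 'Enabled:\s+Yes')
}

function Get-KmsSrvRecord {
    # Clients auto-discover the host through the _vlmcs._tcp SRV record that
    # slmgr /sdns publishes; Windows nslookup prints 'svr hostname = <fqdn>'
    # and 'port = <n>' for it.
    $out = nslookup -type=srv "_vlmcs._tcp.$Domain" 2>$null | Out-String
    $srvHost = $null; $srvPort = $null
    if ($out -match 'svr hostname\s*=\s*(\S+)') { $srvHost = $matches[1] }
    if ($out -match 'port\s*=\s*(\d+)')         { $srvPort = [int]$matches[1] }
    New-Object PSObject -Property @{ SrvHost = $srvHost; SrvPort = $srvPort }
}

function Get-KmsActivationCount {
    # slmgr /dli on the host prints 'Current count: N'. KMS only starts
    # activating clients once N reaches 25 (Windows client editions) or
    # 5 (Windows Server editions), so a low count right after setup is normal.
    $out = cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dli | Out-String
    if ($out -match 'Current count:\s*(\d+)') { return [int]$matches[1] }
    return $null
}

function Test-KmsPortOpen([string]$HostName, [int]$Port = $KmsPort) {
    # Plain TCP connect to the listener; run this part from a client to prove
    # the path through the firewall rule works before troubleshooting slmgr /ato.
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($HostName, $Port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-KmsHostReport {
    $srv = Get-KmsSrvRecord
    $reachable = $false
    if ($srv.SrvHost) { $reachable = Test-KmsPortOpen $srv.SrvHost $KmsPort }
    New-Object PSObject -Property @{
        ServiceRunning    = Test-KmsService
        FirewallRuleOn    = Test-KmsFirewallRule
        SrvRecordHost     = $srv.SrvHost
        SrvRecordPort     = $srv.SrvPort
        SrvPortIsDefault  = ($srv.SrvPort -eq $KmsPort)
        ListenerReachable = $reachable
        ActivationCount   = Get-KmsActivationCount
    }
}

Get-KmsHostReport | Format-List
```

A running service with no SRV record usually points at dynamic DNS update restrictions rather than at KMS itself, which matches the note above about vanilla AD installs having no trouble.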


Configuring KMS Clients

By default, Volume Licensing editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are KMS clients. If the computers the organisation wants to activate using KMS are running any of these operating systems and the network allows DNS auto-discovery, no further configuration is needed.

If required, you can configure the KMS client to connect to a specific KMS host, use a specific port, and disable KMS auto-discovery.

When deploying KMS clients using WAIK you can use 2 different methods to prepare the client:

  • SYSPREP – run Sysprep /generalize which will reset the activation timer along with removing SID and a few other settings. Read about this before actually using it.
  • Software License Manager – run slmgr.vbs /rearm in an elevated command prompt to reset the grace period back to 30 days. Note you can only perform this 3 times in total.

You can also manually force activation of the client by using the GUI from Control Panel -> System or by running slmgr /ato.

If you want to convert MAK installations of Windows or Office to KMS, you need to change their product key, and then reactivate. Use the below keys to perform this:

Operating system edition                          Product key

Windows 7
Windows 7 Professional                            FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4
Windows 7 Professional N                          MRPKT-YTG23-K7D7T-X2JMM-QY7MG
Windows 7 Enterprise                              33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
Windows 7 Enterprise N                            YDRBP-3D83W-TY26F-D46B2-XCKRJ

Windows Server 2008 R2
Windows Server 2008 R2 HPC Edition                FKJQ8-TMCVP-FRMR7-4WR42-3JCD7
Windows Server 2008 R2 Datacenter                 74YFP-3QFB3-KQT8W-PMXWJ-7M648
Windows Server 2008 R2 Enterprise                 489J6-VHDMP-X63PK-3K798-CPX3Y
Windows Server 2008 R2 for Itanium-Based Systems  GT63C-RJFQ3-4GMB6-BRFB9-CB83V
Windows Server 2008 R2 Standard                   YC6KT-GKW9T-YTKYR-T4X34-R7VHC
Windows Web Server 2008 R2                        6TPJF-RBVHG-WBW2R-86QPH-6RTM4
Windows Vista Business                            YFKBB-PQJJV-G996G-VWGXY-2V3X8
Windows Vista Business N                          HMBQG-8H2RH-C77VX-27R82-VMQBT
Windows Vista Enterprise                          VKK3X-68KWM-X2YGT-QR4M6-4BWMV
Windows Vista Enterprise N                        VTC42-BM838-43QHV-84HX6-XJXKV
Windows Server 2008 Datacenter                    7M67G-PC374-GR742-YH8V4-TCBY3
Windows Server 2008 Datacenter without Hyper-V    22XQ2-VRXRG-P8D42-K34TD-G3QQC
Windows Server 2008 for Itanium-Based Systems     4DWFP-JF3DJ-B7DTH-78FJB-PDRHK
Windows Server 2008 Enterprise                    YQGMW-MPWTJ-34KDK-48M3W-X4Q6V
Windows Server 2008 Enterprise without Hyper-V    39BXF-X8Q23-P2WWT-38T2F-G3FPG
Windows Server 2008 Standard                      TM24T-X9RMF-VWXK6-X8JC9-BFGM2
Windows Server 2008 Standard without Hyper-V      W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ
Windows Web Server 2008                           WYR28-R7TFJ-3X2YQ-YCY4H-M249D

Office 2010 Suites
Office Professional Plus 2010                     VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB
Office Standard 2010                              V7QKV-4XVVR-XYV4D-F7DFM-8R6BM
Office Home and Business 2010                     D6QFG-VBYP2-XQHM7-J97RH-VVRCK

Office 2010 Stand-alone products
Access 2010                                       V7Y44-9T38C-R2VJK-666HK-T7DDX
Excel 2010                                        H62QG-HXVKF-PP4HP-66KMR-CW9BM
SharePoint Workspace 2010                         QYYW6-QP4CB-MBV6G-HYMCJ-4T3J4
InfoPath 2010                                     K96W8-67RPQ-62T9Y-J8FQJ-BT37T
OneNote 2010                                      Q4Y4M-RHWJM-PY37F-MTKWH-D3XHX
Outlook 2010                                      7YDC2-CWM8M-RRTJC-8MDVC-X3DWQ
PowerPoint 2010                                   RC8FX-88JRY-3PF7C-X8P67-P4VTT
Project Professional 2010                         YGX6F-PGV49-PGW3J-9BTGG-VHKC6
Project Standard 2010                             4HP3K-88W3F-W2K3D-6677X-F9PGB
Publisher 2010                                    BFK7F-9MYHM-V68C7-DRQ66-83YTP
Word 2010                                         HVHB3-C6FV7-KQX9W-YQG79-CRY7T

Visio 2010
Visio Premium 2010                                D9DWC-HPYVV-JGF4P-BTWQB-WX8BJ
Visio Professional 2010                           7MCW8-VRQVK-G677T-PDJCM-Q8TCP
Visio Standard 2010                               767HD-QGMWX-8QTDB-9G3R2-KHFGJ

You can convert Windows and Office from MAK to KMS using the GUI, or you can use the following commands:

Windows
To install a KMS key, type slmgr.vbs /ipk KmsKey at a command prompt.
To activate online, type slmgr.vbs /ato at a command prompt.
To activate by using the telephone, type slui.exe 4 at a command prompt.

Office
To install a KMS key, type ospp.vbs /inpkey:KmsKey at a command prompt.
To activate online, type ospp.vbs /act at a command prompt.

Important Links

Here are the resources from which I got most of the information I needed.

Creating a bootable USB containing ESXi 5 – [ToolBOX]

I just finished posting my blog on creating a Citrix XenServer bootable USB image. I did so after having to create a bootable ESXi 5 USB image for a client who just couldn’t get the external USB CD-ROM to work right; we were using the HP iLO to perform installations, which was painfully slow. Installing from USB was incredibly fast and I wanted to share those instructions with you as well. Since PendriveLinux wouldn’t work the same way it did for XenServer 6, I have made a small step-by-step guide on how to achieve this using a different tool. So here we go…

  1. Download the ESXi 5 .ISO and have it ready on your PC.
  2. Download UNetbootin and run the software (Windows, Mac OS X, Linux).
  3. Start the UNetbootin application, choose Diskimage (ISO) and browse to the downloaded ESXi 5 .ISO file.
  4. Choose Type: USB Drive and choose the correct USB drive letter that you want the bootable installer to be installed to.
  5. There you are, one bootable USB image for ESXi 5! Enjoy!!


Creating a bootable USB containing XenServer 6.0 – [ToolBOX]

I needed to finally get some XenServers in my lab at home, so I purchased a pair of SUN Sunfire X4100 servers containing Quad-Core AMD processors and 16GB of RAM on the cheap, which I thought would be perfect. The only thing about these servers is that they don’t have a CD-ROM, so I set the BIOS to boot from USB hoping to use a thumb drive. This is when I realized… Uh oh! How do I get the XenServer 6 .iso onto the USB and make it bootable? Below I will save you some time by providing the best steps that I have found to get this made easily and quickly.

  1. Download the XenServer 6 .ISO and have it ready on your PC
  2. Download PendriveLinux (http://www.pendrivelinux.com/) from here (http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/)
  3. Launch the Universal USB Installer
  4. From the drop-down, scroll to the bottom and choose “Try Unlisted Linux ISO (NEW Syslinux)”
  5. Choose the location of the XenServer ISO
  6. Select the drive letter for your USB
    1. (optional) I chose to format the drive
  7. Click Create
  8. After creation is finished, on the USB drive, navigate to the /boot/isolinux folder on the root of the USB
    1. Rename the ‘isolinux.cfg’ file to ‘syslinux.cfg’
    2. Rename the ‘isolinux.bin’ file to ‘syslinux.bin’

There you are, one bootable USB image for XenServer 6! Enjoy!!

vSphere 5 vCenter Server Virtual Appliance Quick-Start Guide

The vCenter Server Linux Virtual Appliance (vCSA) is a preconfigured Linux-based virtual machine that is optimized for running vCenter Server and associated services.

The vCenter Server Virtual Appliance provides all the features of the Windows vCenter Server but does not support the following:

  • Microsoft SQL as the database for vCenter – requires stable ODBC driver for Linux that can scale.
  • vCenter Server Linked Mode – requires ADAM.
  • vCenter Server Heartbeat – requires Windows.
  • IPv6.
  • Single sign-on using Windows session credentials.
  • VMware View Composer (Linked Clones) – installed on Windows vCenter Server only.
  • vSphere Storage Appliance – VSA Manager & VSA Cluster Server installed on Windows vCenter Server.
  • VIX Plugin for vCenter Orchestrator – VMware Tools API only works with Windows vCenter Server.

Other VMware products that work with the vCSA:

  • vCenter Operations.
  • vCenter Orchestrator.
  • vCenter CapacityIQ.
  • SRM5.
  • Auto Deploy.
  • vCenter Update Manager.
  • vMA.
  • vSphere Client.
  • vSphere Web Client.

The following table lists the required files that you will need; gather these files before proceeding.

Watch the 10-minute installation video (Optimized for iPad):

http://www.youtube.com/watch?v=e6DY7FHEr2M&feature=player_embedded

Deploy the vCenter Server Linux Virtual Appliance

  • Launch your vSphere Client and navigate to File | Deploy OVF Template.
  • Browse to the location of the vCenter Appliance .ovf file, then click on Open.
  • On the following screen click on Next.
  • Then click on Next again on the OVF Template Details page.
  • Under Name and Location, give your vCenter Appliance a name then click Next.
  • Choose a datastore then click Next.
  • Select a disk format on the next page then click on Next to continue.
  • Click on Finish to start deploying.


Configuring the vCenter Server Linux Virtual Appliance

  • Boot the appliance.
  • Open a vSphere Client console session to the virtual appliance and configure the network and timezone.
  • Now open up a browser and type https://<ip_of_appliance>:5480 to continue the configuration.
  • Accept the certificate error to continue.
  • Login as root, the default password is vmware.


  • Now read through the entire EULA and click on Accept EULA to continue. Please be patient while the vCenter is configured (this takes a few minutes). If you look at the appliance remote console you’ll see the services being configured and started.


  • You can start using the web interface again once the console screen returns to default.


  • Next click on Status and view the current status of the vCenter Server. The service should be in a Stopped state and the Database Type should show not configured.
  • Click on the tab; you will notice that there are no DNS servers configured and the appliance’s hostname is the standard localhost.localdom. Let’s change this.
  • The best way to change the network settings is to go to the console of the vCenter server and select configure network. Walk through changing the IP address, DNS servers, and the hostname for the appliance.


  • Log back into the interface using the IP address which you just configured (https://<ip_of_appliance>:5480). Set up authentication by clicking on and then on either NIS or Active Directory. My ‘thevbox.info’ lab environment uses AD.
  • Click on the tick box, fill in your domain details and then click on Save Settings. You should receive an Operation is successful message to confirm that the authentication settings have worked.


  • We now need to configure a database for vCenter to use; for this article, let’s use the embedded DB2 database. Click on to continue.
  • When using the embedded database there is no need to enter any details, just click on . This will take several minutes to complete; once done click on . After what seems to be too long, the database configuration will complete and you should receive an Operation is successful message to confirm.


  • Set the time zone by clicking on and then . Select your time zone and then click


  • Now reboot the virtual appliance one last time. To reboot click on and then click on . Click Reboot again to confirm.
  • This time the vCenter Appliance will successfully start the vpxd daemon and initialize the database, and eventually vCenter 5.0 will be ready for you to use.


Connecting to vCenter 5.0 for the first time

With all VMware vSphere Clients, when you start the vSphere Client and connect to either a vCenter Server or an ESX/ESXi host, it checks whether the vSphere Client is compatible. This is still the case with vSphere 5.0, and you will need to update your vSphere Client if you haven’t already done so. You can update by connecting to vCenter Server or ESX/ESXi, or you can download the vSphere Client executable from the VMware Downloads website.

  1. Launch the vSphere Client and connect to your newly configured vCenter Server.
  2. You must use root | vmware to login, domain credentials will not work until the permissions are added to vCenter.


  1. Update the vSphere Client as necessary.
  2. Add an AD group into vCenter permissions and set the role as Administrator. [See video].
  3. Now you will be able to log in with domain credentials.
  4. You will need to enter your username in DOMAIN\Username or username@DOMAIN format.


The little things…

  • To make sure that you can continue to use host customization files, use the following KB article combined with WinSCP. Connect to the virtual appliance using WinSCP, navigate to /etc/vmware-vpx/sysprep and place the appropriate sysprep files in their proper folders.

  • More to come….

Hooray! Citrix Provisioning Server 6.0 is here at last!

According to http://blogs.citrix.com/2011/09/28/provisioning-services-6-0-from-single-image-delivery-to-single-image-management/ Citrix has finally released the long awaited update to Provisioning Server 5.6 in its newest form, 6.0! The 6.0 release brings with it a lot of great enhancements, including but not limited to Distributed vDisk Storage and Integrated vDisk Versioning. Another thing that isn’t advertised in this version should be the fix which allows a template to use a distributed vSwitch. This is talked about in this forum thread: http://forums.citrix.com/message.jspa?messageID=1541298. Also, see the error message below:

This should be a welcome upgrade for those who use Provisioning Server together with the built-in distributed switches or the Nexus 1000v. I will definitely be posting more on this version of Provisioning Server at a later date. Right now I am going to get this deployed in my lab! ENJOY!!!

Major Citrix Announcements Today for RingCube, XenDesktop, XenApp, and XenClient

If you are having a hard time keeping track of all the announcements today, here are the articles that I have spotted so far, discussing RingCube, XenDesktop 5.5, XenApp 6.5, XenClient 2, etc.:

  • New Receivers for Windows and Mac (OS X Lion) raise the bar along with Citrix XenDesktop 5.5!: http://bit.ly/oSMJ8l
  • Citrix XenDesktop 5.5 Enhances User Personalization & High-Definition Experience over the LAN or WAN: http://bit.ly/rde32F

Cloud Computing – Managing risk within the cloud (cont’d) – LockBOX

The second installment of Securing the Enterprise – [LockBOX]

Four major concerns for security practitioners, and how to prepare yourself and your company for the cloud.

This is the second part of an ongoing series concerning the management of risk in the cloud. You can find my first segment here.

  1. Data separation concerns. – Before SAN and NAS became popular, data was stored on each server; even once they were widely adopted, the storage stayed inside the organization and was therefore physically separated from other organizations’ data. Physical separation of data is common practice even when a company uses hosting services: when a hosting provider runs a shared facility for multiple customers, some network resources are shared (usually separated by VLANs), but rented or leased servers give each customer separate equipment on which to run its own applications and store its data. The same is true of Application Service Providers (ASPs). With the introduction of public cloud computing these lines have been blurred and typically all computing resources are shared, hence the rise in concern.
  2. Increased network exposure. – Network exposure has been a concern for security practitioners since the 1970s. With the introduction of the cloud, the level and likelihood of exposure is greater than it has ever been. Reaching company resources directly over the Internet increases the risk from threats that used to be controlled at the perimeter by company firewalls and security practices. In a typical scenario a company’s resources are compartmentalized internally and the Internet connection is used only to reach the outside world, so if an attack interrupts Internet traffic, vital end-of-quarter or end-of-month processing can still occur. However, when the resources are no longer internal to the organization and a DDoS or BGP attack happens, the organization is cut off from those resources for an indefinite period.
  3. Increased application exposure. – This is mostly about location, location, location. Applications that have typically been located internally are now external, exposed in the public cloud via the Internet. Software as a Service (SaaS) providers disagree and state that their applications are safe because of a limited attack surface: using SaaS requires only an Internet browser on the client side, which greatly reduces the ports used between server and client and so leaves less exposure for attacks. SaaS providers have taken precautions to secure their applications and their respective APIs. “The fact that many SaaS applications are actually built by third parties on other cloud services (either PaaS or IaaS) further calls into question the security of SaaS applications. Additionally, many SaaS APIs (including Amazon Web Services, Google, and Salesforce.com) use REST (REpresentational State Transfer), which has no predefined security methods.”
  4. No established governance model. – How are security professionals supposed to protect an environment for which there are no predefined boundaries or rule sets? Cloud computing by its definition should be considered an untrusted environment; however, a governance model is currently being developed for the emergence of cloud computing and should be available soon.

HOW TO PREPARE YOUR COMPANY FOR THE CLOUD

Does your company deal with sensitive, regulated or classified information? If so, then moving to the public cloud may not be for you. Non-sensitive, non-regulated, and unclassified data which is intended to be public or already is public is a good candidate for public cloud use. Community clouds can still be an attractive option for sharing data between companies.

Security practitioners should take the appropriate steps when investigating the use of public cloud services for their companies:

  • Perform a self-assessment
  • Anonymize your data
  • Perform due diligence
  • Emphasize endpoint security

  1. Self-assessment. The number one priority should not be to investigate the security afforded by cloud service providers. The top priority should be to examine your own data classification policies and how well those policies are being enforced. Before figuratively beating up a cloud service provider over their relative lack of security (compared to that implemented by most large enterprises), make sure that your own data house is in order. Do you have an up-to-date data classification policy? How well enforced is that policy? Do you have data stewards and custodians assigned for all data? What is the awareness level of your own organization’s privacy policy, and how well is it enforced (assuming that your organization has one)?
  2. Data anonymizing. What tools and capabilities does your organization have for anonymizing data so that any elements that identify individuals are removed? If you do move to the cloud, expect that other business units will likely overwhelm information security with requests for help on anonymizing data so that it can be put into the cloud in compliance with your data classification policy.
  3. Due diligence. When these data classification activities have been accomplished by your organization, then your due diligence of cloud service providers’ security should begin. For example, what is the connectivity model to the public cloud for administration? What support is there for leveraging existing security monitoring and management tools, including vulnerability scanners, change management and firewall policy enforcement at network and host levels (e.g., through use of a virtual private cloud)? Some applications require database connectivity back into the organization and may violate existing policy. Also, your organization might have a requirement for strong authentication support; can the provider meet that requirement?
  4. Endpoint security. While you are conducting such due diligence, essentially of your organization’s new IT back-end capabilities, don’t forget about your organization’s IT front-end capabilities. How secure are all those end-user devices that will be used to access the cloud and your data in it? Leveraging the VMware VMSafe API by using vShield for EndPoints should be considered, along with third-party tools such as Trend Micro Deep Security, for ultimate endpoint security.
