Most companies today have taken age-old security models and "virtualized" them for use in today's "cloud" market. Vendors have come to market with "virtual" firewalls, IPS, HIPS/HIDS, etc., all claiming to be the panacea that solves your cloud "security" issues. The problem arises when we rely on our "virtual" security infrastructure to protect our sensitive 'real' information.
During this talk we will walk through the current state of virtualization security. We will look at products both free (as in speech and as in beer) and commercial, and show where and how they fail; in some cases they leave you in a worse position after implementation.
The hypervisor is a huge attack surface; there's no defense in depth when your only security controls are provided by the provider (hypervisor vendor, cloud provider, etc.). How do you gain visibility into a system that is, by design, constructed to keep you out?
Whether it is IaaS or PaaS, public or private, there is no good compensating control around a system that is closed, allows access only to very specific parts, and uses a "trust me" security methodology.
As a community we need to innovate, leverage different ways to address our security concerns, and get rid of the "catsup" on "ketchup" approach to cloud security: piling legacy security infrastructure up and down the stack, duplicating efforts along the way.
This presentation will outline where our current security strategies fail and can be circumvented, and also gives insight into how to make things better going forward.