Protecting virtual datacenters

I’m proud to announce the release of my whitepaper “Protecting virtual datacenters: a secure access to VMware vCloud with SecurePass”.

While the cloud itself is not technically any different from traditional hosting, housing or outsourcing with geographical business continuity, the revolution is in the concept of optimizing costs while allowing greater flexibility. It all sounds good and easy, but what about your company's security? You are outsourcing part of your datacenter to a virtual datacenter hosted by a provider, or storing part of your core data in an application hosted somewhere, and this changes the way security has been conceived so far.

VMware, with its vCloud Director software, is among the players in IaaS infrastructure software, organizing outsourced companies into virtual datacenters or vDatacenters. Because vDatacenters allow great flexibility by orchestrating customers’ datacenters via a simple web interface, identity theft increases the risk of data being compromised or services being disrupted: by compromising a single identity, a malicious user can log in to the vCloud portal and fully control the virtual datacenter from anywhere.

This publication describes how I addressed the issue of breaking into virtual datacenters at two different organizations that adopted VMware vCloud. The target audience of this publication is a VMware vCloud administrator or an end customer, both wishing to understand the security risks behind cloud technologies and to enhance such security.

The whitepaper is available for download from:
http://www.gpaterno.com/publications/2012/gpaterno_protecting_virtual_datacenters.pdf

The publication is also available for download from the Apple BookStore:
http://itunes.apple.com/us/book/protecting-virtual-datacenters/id554916450?ls=1

Release of “Strong Authentication and Security for Oracle Application Express”

I am pleased to announce the release of the paper “Strong Authentication and Security for Oracle Application Express”.

Oracle Application Express is a simple yet powerful RAD/web application framework that can address specific rapid application needs, from small businesses to larger enterprises. However, it is missing out-of-the-box strong authentication functionality, such as One Time Password (OTP) keys or smart cards. Moreover, the administrative interface and all hosted applications are potentially reachable by an attacker. My publication proposes an architecture to fill these gaps, providing a highly secure environment to run your own business applications.

The preface was kindly provided by Mark Shuttleworth, founder of Ubuntu, Canonical and Thawte.

The paper is freely available from the following URL:

http://www.gpaterno.com/publications/2011/strong_auth_sec_oracle_apex.pdf