Yesterday RSA announced new controls for virtual infrastructure security in cloud environments. Concerns regarding security and compliance have been primary factors preventing large enterprises from placing production workloads on shared virtual infrastructure in the cloud. Yesterday’s announcement and proof-of-concept didn’t solve all of public cloud’s security woes, but it brought us closer to a practical solution. In case you missed it, you can read a detailed overview of the solution in the RSA security brief “Infrastructure Security: Getting to the Bottom of Compliance in the Cloud.” Even if you’re not ready for public cloud, many of our clients have expressed concerns over mixing security zones or subzones on internal private cloud infrastructure. Instead of supporting multi-tenancy (i.e., multiple departments traversing multiple security boundaries), the conservative IT organization isolates security zones using dedicated physical infrastructure (e.g., separate physical clusters, network ports, and storage). Even if you build security controls into the virtual infrastructure, how do you expose them to the auditor? To date, that has been a problem.
In the past, I have talked about this security dilemma in a couple of key areas. First, we need a standardized set of cloud isolation levels. We also need standard metadata (either de facto or industry standard) so that third-party audit tools can properly query an application’s relationship to cloud security policy in relation to the virtual and physical controls that are in place. I covered those issues in more depth in the post “The Cloud Mystery Machine: Metadata Standards.” In addition, virtual resources need to be able to answer the question “Where are you?” That applies to both the runtime location and the data location. It’s important to ensure that data privacy and governance concerns are met, and that regulatory compliance issues such as data export restrictions are satisfied. Ideally, the answer to the question will provide details on the hardware root of trust (i.e., that the hypervisor and physical infrastructure are secure), the relationship to pre-defined security tiers (the RSA POC uses “platinum,” “gold,” “silver,” and “bronze,” for example), and the detail needed to prove that both data and application runtime security requirements are satisfied.
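To make the metadata idea concrete, here is an added example (not code from the RSA/Intel/VMware proof-of-concept or from this post) of the kind of check a third-party audit tool could run once such metadata exists. The schema, field names, region labels and the numeric ranking of the tiers are assumptions for illustration; only the tier names themselves come from the post. Each workload is tagged with the tier it requires and the regions where it may run and store data; each host reports its certified tier, physical location and whether its hypervisor was attested by a hardware root of trust. The audit function answers “Where are you, and does that satisfy policy?” for every placement.

```python
from dataclasses import dataclass

# Security tiers ordered from strongest to weakest. The names follow the
# tier labels the post mentions; the numeric ranking is an assumption.
TIER_RANK = {"platinum": 3, "gold": 2, "silver": 1, "bronze": 0}


@dataclass(frozen=True)
class HostAttestation:
    """What the virtual infrastructure reports about a physical host.
    Hypothetical schema, not the proof-of-concept's real metadata format."""
    host_id: str
    tier: str               # tier the host is certified for
    region: str             # physical location of the host
    root_of_trust_ok: bool  # hypervisor/firmware measurements verified by hardware


@dataclass(frozen=True)
class WorkloadPolicy:
    """Policy metadata tagged on the application (hypothetical schema)."""
    name: str
    required_tier: str
    allowed_regions: frozenset  # where runtime and data may reside


@dataclass(frozen=True)
class Placement:
    workload: WorkloadPolicy
    host: HostAttestation
    data_regions: frozenset     # where the workload's data is actually stored


def evaluate(p: Placement) -> list:
    """Return a list of findings; an empty list means the placement complies."""
    findings = []
    # Hardware root of trust: without attestation the tier claim is unverifiable.
    if not p.host.root_of_trust_ok:
        findings.append("hypervisor/platform not attested by hardware root of trust")
    # Tier check: the host must be certified at or above the required tier.
    host_rank = TIER_RANK.get(p.host.tier)
    need_rank = TIER_RANK.get(p.workload.required_tier)
    if host_rank is None or need_rank is None:
        findings.append("unknown security tier label")
    elif host_rank < need_rank:
        findings.append(
            f"host tier {p.host.tier} below required {p.workload.required_tier}")
    # Runtime location check ("Where are you?").
    if p.host.region not in p.workload.allowed_regions:
        findings.append(f"runtime location {p.host.region} not permitted")
    # Data location check: covers export restrictions on stored data.
    stray = p.data_regions - p.workload.allowed_regions
    if stray:
        findings.append(
            "data stored outside permitted regions: " + ", ".join(sorted(stray)))
    return findings


def audit(placements) -> dict:
    """Map each workload name to its findings, as an auditor's report would."""
    return {p.workload.name: evaluate(p) for p in placements}


# Constructed sample inventory for demonstration (not real data).
SAMPLE = [
    Placement(WorkloadPolicy("payroll", "gold", frozenset({"eu-west"})),
              HostAttestation("host-01", "platinum", "eu-west", True),
              frozenset({"eu-west"})),
    Placement(WorkloadPolicy("analytics", "gold", frozenset({"eu-west"})),
              HostAttestation("host-02", "silver", "us-east", True),
              frozenset({"eu-west", "us-east"})),
    Placement(WorkloadPolicy("intranet", "bronze", frozenset({"us-east"})),
              HostAttestation("host-03", "bronze", "us-east", False),
              frozenset({"us-east"})),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "COMPLIANT" if not findings else findings)
```

The point of the structure is that every finding traces back to a specific piece of metadata an auditor can ask for: the attestation flag, the tier label, the host region, and the data regions. Without agreed-upon names for those fields, each cloud or virtualization vendor would need its own adapter, which is exactly why the post argues for a standard.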
To learn more and to read the entire article at its source, please refer to the following page: “RSA, Intel, and VMware Take a Big Step Forward in Cloud Security” on ChrisWolf.com.