In yet another major cloud computing announcement - this time by the power trio EMC, VMware, and Cisco, as the newly formed Virtual Compute Environment (VCE), the specifics on security architecture are beginning to appear for end-users who see an incomplete security capability as a deal breaker when making cloud workload decisions.
VCE Recap
The VCE coalition was created to accelerate customers' ability to achieve greater flexibility and lower IT, energy, and real estate costs through pervasive data center virtualization, and in turn to transition to private cloud infrastructures. Although the VCE announcement speaks specifically about "private" environments, whether a virtual IT infrastructure run solely for one organization or one operated by third parties, a security architecture and related technology integrations must underpin the environment, because end-users will look for features that enable confidentiality, availability, integrity, accountability, and transparency in all computing platforms – public or private. And of course, it's preferable that these features and APIs be designed into the VCE platforms, not left to be bolted on at the end.
What Makes it Private
The description of almost anything as private suggests an environment with defensible and well-defined security. In a nutshell, security, data protection, configuration management, auditing, and other services enable the private cloud. The nature of cloud-based services, however, requires that compute, networking and storage be supported by a security architecture that is open and flexible, capable of being dialed up or dialed down to meet the security requirements of multiple use cases, policies, and trust environments. All the building blocks for confidentiality, integrity, availability, accountability, and transparency - core principles of the security architecture - must be designed in as core capabilities, allowing multiple security levels to be achieved based on the risk tolerance of the application, user, or business.
RSA Engineered In As Level 1 Security
For the VCE offering, the RSA Security division of EMC announced what could be described as a baseline or first level of security integration at the infrastructure, information, and identity layer of VCE and additional integration that extends security to the virtual desktop infrastructure (VDI) environment. All good news. Here is a quick summary:
- VM Governance through Trust Zones – a policy-aware DMZ for VMs, data, and identities. With vShield, VMs can be grouped within a trusted compute environment for an enterprise, LOB, or application user group, along with provisioning policies and data firewalls to prevent data commingling and leakage in and out of the zone. Identity services also exist within the trusted compute environment, allowing application and infrastructure identities to be managed in and across zones.
- Product Integration: For infrastructure and configuration management, data management, authentication, and security monitoring:
- vCenter/vShield – for virtual infrastructure management and managing trust zones.
- RSA enVision and DLP – for security operations, protection of data in use across VMs, and compliance reporting.
- EMC Ionix – for secure VM and desktop configuration management, vulnerability assessment, and patch management.
- RSA SecurID – for strong authentication and identity management.
- White Papers, Services - These encompass white papers and assessment services from EMC to help customers assess security threats, vulnerabilities, and risk across the virtualized enterprise and identify remediation plans.
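The trust-zone item above describes VMs grouped into zones, with data firewalls that stop traffic from commingling across zone boundaries and identities managed within each zone. As an added illustration (not vShield's, vCenter's or RSA's code; the zone names, VM names, ports and rules are constructed), here is a minimal policy evaluator in Python that captures the behaviour a defender would expect of such a zone: traffic inside a zone flows, traffic between zones is denied unless an explicit, direction-specific rule allows it, a VM not assigned to any zone is denied by default, and every decision is recorded so a security monitoring tool such as the enVision integration could consume it.

```python
from dataclasses import dataclass, field

# Constructed model of trust-zone segmentation: an illustration for this
# article, not an API of any product named in it.


@dataclass(frozen=True)
class Flow:
    """One attempted connection between two VMs on a TCP port."""
    src_vm: str
    dst_vm: str
    port: int


@dataclass
class TrustZonePolicy:
    # VM name -> zone name (constructed assignments).
    zone_of: dict
    # Explicit cross-zone allow rules as (src_zone, dst_zone, port).
    allowed: set = field(default_factory=set)
    # Every decision, in order, for audit and monitoring.
    audit_log: list = field(default_factory=list)

    def allow(self, src_zone: str, dst_zone: str, port: int) -> None:
        """Permit src_zone -> dst_zone on one port. Rules are one-way."""
        self.allowed.add((src_zone, dst_zone, port))

    def decide(self, flow: Flow) -> str:
        """Return 'ALLOW' or 'DENY' and append the reason to the audit log."""
        src_zone = self.zone_of.get(flow.src_vm)
        dst_zone = self.zone_of.get(flow.dst_vm)
        if src_zone is None or dst_zone is None:
            # A VM outside every zone gets no implicit trust.
            verdict, reason = "DENY", "VM not assigned to a trust zone"
        elif src_zone == dst_zone:
            verdict, reason = "ALLOW", "intra-zone traffic"
        elif (src_zone, dst_zone, flow.port) in self.allowed:
            verdict, reason = "ALLOW", "explicit cross-zone rule"
        else:
            verdict, reason = "DENY", "no cross-zone rule (default deny)"
        self.audit_log.append(
            {"src": flow.src_vm, "dst": flow.dst_vm, "port": flow.port,
             "src_zone": src_zone, "dst_zone": dst_zone,
             "verdict": verdict, "reason": reason}
        )
        return verdict

    def denials(self) -> list:
        """Denied decisions, the subset a monitoring console would alert on."""
        return [e for e in self.audit_log if e["verdict"] == "DENY"]


def build_demo_policy() -> TrustZonePolicy:
    """Two constructed zones: an application zone and a data zone.

    Only the app zone may reach the data zone, and only on the database port.
    """
    policy = TrustZonePolicy(zone_of={
        "web-01": "app-zone",
        "web-02": "app-zone",
        "db-01": "data-zone",
    })
    policy.allow("app-zone", "data-zone", 3306)
    return policy


if __name__ == "__main__":
    policy = build_demo_policy()
    # Constructed sample flows, including a VM that belongs to no zone.
    for flow in [Flow("web-01", "web-02", 8080),
                 Flow("web-01", "db-01", 3306),
                 Flow("db-01", "web-01", 3306),
                 Flow("web-01", "db-01", 22),
                 Flow("rogue-vm", "db-01", 3306)]:
        print(flow, "->", policy.decide(flow))
    print(f"{len(policy.denials())} denied flows recorded for monitoring")
```

The point of the model is the default: a zone boundary denies everything it has not been told to allow, the allow rule is directional (the data zone cannot initiate connections back into the application zone), and the audit trail exists from the first decision, rather than being bolted on later.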
Encouraging, and Questions Remain
Recent announcements by the VCE Coalition and RSA begin to paint the picture of how EMC plans to deliver the private cloud and how security and governance will ultimately be achieved. In addition to the industry implications of VCE in general, questions remain about security, including:
- Is this in fact a level 1 security offering, and is it sufficient as a baseline?
- Are these integrations part of an overall architecture of features and functions for security and governance? Is the architecture open to third-party solutions?
- What's the security and governance road map, and how much instrumentation will be provided to allow security to be dialed up and down depending on risk tolerances?
- How about data protection, data dedup, tokenization, e-discovery, and access management services? Should these be part of the overall security and governance model for private cloud computing?
- How will these features be played out in vBlocks deployed for software, platform, and infrastructure services?
- How does the security and governance model for private cloud impact the organization and responsibility of the CISO? Is the CISO becoming virtualized? A vCISO, maybe?
Action Item: Stay tuned to this channel in 2010 as the security architectures from those investing most in cloud computing become populated with features, APIs, and operating models. But as chief risk officers of your firms, don't sit back and wait for the next wave. Define your requirements and priorities for cloud security, and put cloud security on your research and/or operating agenda for 2010. Be proactive and become engaged in the change.