On the 2/24 Virtualization Security Podcast we were joined by Davi Ottenheimer and Michael Haines of VMware to discuss vCloud security. This is of quite a bit of interest to many people these days. As VMware adds more and more cloud functionality, how to secure the environment is becoming more and more important. The podcast started with the question: what aspects of the cloud do customers want secured? The answer was intriguing, to say the least.
The answer was surprising, but it is a topic we continually talk about on the podcast: jurisdiction, compliance, and regulatory requirements. In a side conversation, Davi stated that the cloud providers are really coming to him and asking "what do we need?" instead of saying "here is my policy for the virtual environment; does anything need to change for the cloud?" In other words, cloud providers are starting with a clean slate.
The clean slate approach may be the best approach going forward as it allows us to concentrate on the areas of most importance while the technology improves to allow for true secure multi-tenancy.
With a clean slate we can think about the real security implications of going to the cloud and determine methods to meet those needs. Some of the concerns are:
- How to expose GRC data to potential customers? (CloudAudit working group of the Cloud Security Alliance)
- How to prove identity in the cloud? (RSA and Cloud Security Alliance are teaming up to solve this with other companies)
- How to keep data within a specific jurisdiction? (Intel is working on a hardware root of trust to solve this issue)
vCloud, or any cloud security, seems to be more about GRC these days than about CIA, which is what I find very interesting. Virtualization and cloud guarantee us availability, but do not guarantee us confidentiality or integrity. While all the tools discussed do provide confidentiality and integrity from a tenant perspective, we still need to TRUST the administrators to do things correctly.
The conversation in the podcast ranged all over the cloud security space, yet did not concentrate on this issue but more on GRC. People are worried more about where their data will end up than how it can be attacked, which, given privacy laws and responsibility for the data, implies quite a bit. It also implies a level of trust in current cloud security technologies to provide the proper level of security.
Even so, a proper cloud architecture that includes security from the beginning is required.