Over the past few months, we've identified a considerable amount of research by both vendors and independent researchers that indicates many companies in the enterprise and SMB spaces are looking at cloud computing to cover their IT needs. The research also shows, however, that security concerns are holding them back.
The advantages of cloud computing are considerable and relate principally to economical access to software at a considerably cheaper rate than on-premise deployments.
That said, many companies are on the move and using virtualized data centers as a stepping stone between the full adoption of cloud computing and private clouds.
According to Gartner, to achieve effective and safe private cloud computing deployments, security, as it exists in virtualized data centers, needs to evolve and become independent of the physical infrastructure that includes servers, Internet Protocol (IP) addresses, Media Access Control (MAC) addresses and a lot more.
However, it must not be bolted on as an afterthought once companies move from enterprise deployments to virtualized centers to private/public cloud.
While the basic components of security in information management remain the same -- ensuring the confidentiality, integrity, authenticity, access and audit of information and workloads -- a new, integrated approach to security will be required.
Security in the Cloud
So what is required for companies looking at the security of their private cloud deployments? Neil MacDonald, vice president at Gartner, explains that security must be an integral, but separately configurable part of the private cloud fabric, designed as a set of on-demand, elastic and programmable services. To achieve this, cloud security must display six different attributes:
1. On-Demand Elastic Services
Security needs to be delivered as a service rather than as a set of products siloed within physical appliances. Like other cloud services, it needs to be delivered ‘on demand’ to protect data and projects when and where protection is needed.
The services must be an integral part of the private cloud management and be available to any type of workload whether that workload is server or desktop based. Appropriate security services should also be applied to the workload as it moves across its lifecycle, with the security applied appropriate to the lifecycle stages.
2. Programmable Infrastructure
The security services that are applied across the cloud must be open to being programmed. With programmable security infrastructure, the services should be accessible using RESTful APIs that are programming language and framework independent.
By making the service accessible using APIs, security policies are programmable from administration points, which will enable IT security professionals to focus on managing policies and not programming infrastructure.
3. Logical Security Policies
As security services are deployed in virtualized data centers and then private clouds, security policies need to be cut away from physical infrastructure and related to logical rather than physical attributes.
The desired result is that the move of entire IT stacks to private and public clouds should decouple workloads from specific devices. As static security policies associated with physical attributes are cut away, security assessments of what actions should be allowed or denied will become quicker. It will also be possible to incorporate real-time context at the time a security-based decision is made.
4. Adaptive Trust Zones
More efficient security will be achieved by creating trust zones or logical groups of workloads that all display the same security attributes. This is in contrast to a security infrastructure where policies are applied on a VM-machine by VM-machine basis.
As new workloads are introduced into the trust zone, the VM will adapt and cater to the new workload, as it will when individual machines move. Private cloud infrastructure will require security services that are designed to provide separation of workloads of different trust levels as a core capability.
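The contrast drawn in sections 3 and 4, as an added Python illustration (not taken from Gartner or from this article): a rule keyed on IP addresses stops matching when a workload migrates, while a rule keyed on trust-zone membership keeps working, covers new zone members automatically and can use real-time context. The zone names, ports, addresses and the "quarantined" context key are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str      # physical attribute: changes when the workload migrates
    zone: str    # logical attribute: trust zone membership
    stage: str   # lifecycle stage, e.g. "test" or "production"

# Constructed logical policy: (source zone, destination zone) -> allowed ports.
ZONE_POLICY = {
    ("web", "app"): {8443},
    ("app", "db"): {5432},
}

# Constructed static rule keyed on addresses, as on physical infrastructure.
STATIC_RULES = {("10.0.1.10", "10.0.2.20", 8443)}

def static_allow(src, dst, port):
    return (src.ip, dst.ip, port) in STATIC_RULES

def logical_allow(src, dst, port, context):
    """Decide from zone membership plus real-time context; default deny."""
    if port not in ZONE_POLICY.get((src.zone, dst.zone), set()):
        return False
    # Workloads at different lifecycle stages are kept apart.
    if src.stage != dst.stage:
        return False
    # Real-time context: a source flagged by monitoring is cut off at once.
    if src.name in context.get("quarantined", set()):
        return False
    return True

def demo():
    web = Workload("web-1", "10.0.1.10", "web", "production")
    app = Workload("app-1", "10.0.2.20", "app", "production")
    moved = replace(app, ip="10.9.9.9")  # migration assigns a new address
    new_app = Workload("app-2", "10.0.2.77", "app", "production")  # joins zone
    flagged = {"quarantined": {"web-1"}}
    return {
        "static_before": static_allow(web, app, 8443),
        "static_after_move": static_allow(web, moved, 8443),
        "logical_after_move": logical_allow(web, moved, 8443, {}),
        "logical_new_member": logical_allow(web, new_app, 8443, {}),
        "logical_wrong_port": logical_allow(web, new_app, 5432, {}),
        "logical_quarantined": logical_allow(web, moved, 8443, flagged),
    }

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```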
5. Configurable Security Policy Management
Security levels need to be maintained as applications move from on-premise to private clouds. Software controls need to be maintained when they are virtualized, and the separation of duties assigned to the software should also be maintained.
This means that vendors will have to provide the ability to separate security policy formation and the operation of security VMs, from VMs associated with other policies across the cloud or data center.
In an ideal world, as private clouds will be applied incrementally, security policies would be applicable not only to private clouds, but also to the remaining infrastructure, both virtualized and physical, and would be intelligently able to cooperate.
In addition to this, with security policies designed to protect workloads on-premise, it should also be possible to federate them with public clouds. At the moment, there are no established standards for this, although the VMware vCloud API is a start.
Time for Security to Take Priority
With increasing talk of the cloud and the concept of security in the cloud, it is only a matter of time before companies start working out the nuts-and-bolts of security deployments. And they need to.
“Security is a top concern organizations have about moving critical business applications to the cloud . . . Even with all the benefits cloud computing provides, CIOs will continue to be wary until there is a way to manage security and compliance with the same level of assurance that is available today with physical data center environments,” Jon Oltsik, Principal Analyst at the Enterprise Strategy Group said in relation to this.
However, that in itself will create business opportunities with companies now providing new security solutions for the cloud if not on a weekly basis, then at least every month.
With growing pressure to move in this direction, we’re going to see a lot more on this subject as enterprises forced to make cost-saving decisions are forced to stick their head in the clouds.