The Cloud and Virtualization are different

My team works on the four primary mega-trends driving information security: the cloud, virtualization, mobility and APTs. There is a fifth, the data explosion, but these days it is less a trend than a fact of life. However, when I talk to some people they see the cloud and virtualization as one and the same and ask why we differentiate.
The fact that the two have become synonymous is a testament to VMware’s marketing skill and power; anyone driving around Silicon Valley will have seen the Microsoft billboard on the 101 stating that “VIRTUALIZATION ALONE DOES NOT A CLOUD SOLUTION MAKE”, which to me is further proof of how good they are. What is more, to a large extent I believe VMware are right. The main tool I see being used to build private clouds within large enterprises is virtualization, and it also figures in many public cloud infrastructures. However, from a security standpoint the two are very different and present different challenges.
Over the past few years we have seen a very common theme in surveys about cloud adoption: concerns around security, often driven by the loss of control that a move to the cloud (and especially the public cloud) entails, are one of, if not the, primary blocker to many large organisations moving to the cloud. Dig a little deeper, especially around the public cloud, and you will find that the concerns usually revolve around data. While enterprises have become skilled at managing an environment with a gradually eroding perimeter, many still see their data as the piece they keep close, and wholesale movement of it to a third party is a risk they are just not prepared to take. There are ways to mitigate these risks, such as virtualization, and controls such as DLP technologies that can be deployed, but today they are not always easily deployed into or alongside popular cloud services. This will change, but currently many a CIO or CISO is able to press the “abort” button, or at least the “let’s do some more thinking on this” button, on a public cloud adoption initiative because of concerns about how the data is being protected.
In virtualization we see different issues, and ones that will ultimately weigh more heavily in the cloud than they do today. Perhaps this is a function of virtualization having been around a while now (and I do not mean only in the x86 world; some of us remember booting MVS under VM/370), so it is a maturity thing, but I suspect it has more to do with one important attribute of virtualization: it enables you to do things that are either difficult or impossible in the physical world. Tools like VMware vMotion let me do the equivalent of shutting a server down, de-racking it, putting it on a pallet, shipping it, re-racking it and powering it up with little more than drag-and-drop simplicity, rather than the hours of time and expense it would take in the physical world. Time and expense that would demand inspection and tighter controls. Those controls, if implemented properly, stop the mistakes that increase risk or violate governance standards: moving a non-PCI-compliant asset into your compliant environment, for example. Other problems we see, whilst not unique to the virtual world, are going to be a lot more common once you remove the restrictions imposed by physical hardware. Many of us now have very old virtual machines sitting dormant on disk; if they were physical hardware they would have been recycled years ago, probably to make rack space for shiny new blade servers to run virtual farms on. They have not been, and often with very little work they can be brought back to life and rejoin your network in all their unpatched, out-of-date glory.
For virtualization the principal security issue is one of governance and compliance. That is not to say that managing the risks around data is unimportant in the virtualized environment; it clearly is important, and as we move more mission-critical systems into virtualized data centres we apply to them the same controls, such as DLP technologies and encryption, that are common in the physical world. What we have to add is the layer of controls over the virtualized environment itself, to bring it on a par with the physical world. At the same time we must not discount the challenges that customers face when trying to bring cloud, especially public cloud, into their compliance environments, as this is a real and growing pain point.
Whilst some of the companies we work with will try to blur the line between virtualization and the cloud, we will not. For the former we must focus on how we create controls that give us equivalence with the physical world, and for the latter we need to allow people to protect their data no matter where it is.

