As organizations virtualize their data centers, information security has had to evolve to support this. The same will be true as data centers evolve to private clouds – security must evolve to support the needs of private cloud infrastructure.
For most organizations, virtualization will provide the foundation and the stepping stone for the evolution to private cloud computing. However, the need for security must not be overlooked or ‘bolted on’ later during the transition to private cloud computing.
While the fundamental principles of information security remain the same (confidentiality, integrity, availability, authenticity and so on), the way organizations provision and deliver security services must change. Whether supporting private cloud computing, public cloud computing, or both, security must become adaptive to support a model where workloads are decoupled from the physical hardware underneath and dynamically allocated to a fabric of computing resources.
In this recent research note for clients, I collaborated with one of my data center colleagues, Tom Bittman, to lay out six necessary attributes of private cloud security infrastructure:
1. Security as a set of on-demand services
Instead of thinking of information security as a collection of siloed products, security needs to evolve to be delivered as a set of services available ‘on demand’ to protect workloads and information when and where they are needed. As virtualized workloads are provisioned, moved, modified, cloned and retired, the appropriate security policy would be associated with the workload throughout its life cycle.
2. Programmable infrastructure
The security infrastructure that provides these security services must become “programmable” from policy administration and policy decision points, typically through RESTful APIs. This enables higher levels of automation, letting information security professionals focus on managing policies rather than programming infrastructure.
3. Policies based on logical attributes
Security policies need to be tied to logical, not physical, attributes. Security must also become context-aware, incorporating more real-time context information at the time a security decision is made to enable faster and more accurate assessments of whether a given action should be allowed or denied.
4. Adaptive trust zones
Security policies based on logical attributes will be used to create logical groups of workloads with similar security requirements and levels of trust, which we refer to as “adaptive trust zones”. These zones must be capable of providing high-assurance multitenant separation of workloads of different trust levels.
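To make attributes 3 and 4 concrete, here is a toy policy decision point in Python. It is an added illustration, not code from the research note or from any vendor product, and the tag names, zone levels, workloads and the “quarantined” context flag are all invented for the example. It shows three things the text asserts: rules bind to logical tags rather than hosts or IP addresses, so a workload keeps its policy after it is migrated; a real-time context signal can override a static allow; and an allow rule that would bridge a lower-trust zone into a higher-trust zone is refused unless it names the destination zone explicitly, which is one way to keep zone separation from being eroded by over-broad rules.

```python
"""Toy attribute-based policy decision point (added example, not from the note)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Workload:
    name: str
    host: str        # physical attribute: changes on live migration
    ip: str          # physical attribute: changes on re-provisioning
    tags: frozenset  # logical attributes the policy actually binds to


@dataclass(frozen=True)
class Rule:
    src: frozenset   # tags the source workload must carry
    dst: frozenset   # tags the destination workload must carry
    port: int
    action: str      # "allow" or "deny"


# Hypothetical adaptive trust zones, higher number = more sensitive.
ZONE_LEVEL = {"zone:dmz": 1, "zone:app": 2, "zone:pci": 3}


def zone_level(w: Workload) -> int:
    """Every workload must sit in exactly one trust zone."""
    levels = [ZONE_LEVEL[t] for t in w.tags if t in ZONE_LEVEL]
    if len(levels) != 1:
        raise ValueError(f"{w.name} must carry exactly one zone tag")
    return levels[0]


def decide(rules, src: Workload, dst: Workload, port: int, context: dict) -> str:
    """Return 'allow' or 'deny' for a flow src -> dst:port.

    Only logical tags and real-time context are consulted; host and ip are
    deliberately ignored so the decision survives migration. First matching
    rule wins; no match means deny.
    """
    # Context-aware override: a quarantined source (e.g. flagged as compromised
    # or with a stale vulnerability scan) is denied regardless of static rules.
    if src.name in context.get("quarantined", set()):
        return "deny"

    for r in rules:
        if r.src <= src.tags and r.dst <= dst.tags and r.port == port:
            crosses_up = zone_level(src) < zone_level(dst)
            names_dst_zone = not r.dst.isdisjoint(ZONE_LEVEL)
            # Zone separation: an allow into a higher-trust zone must be
            # written against that zone explicitly, never implied by app tags.
            if r.action == "allow" and crosses_up and not names_dst_zone:
                return "deny"
            return r.action
    return "deny"


# Constructed sample workloads and rules.
WEB = Workload("web-01", "esx-a", "10.0.1.5",
               frozenset({"app:shop", "tier:web", "zone:dmz"}))
DB = Workload("db-01", "esx-b", "10.0.2.9",
              frozenset({"app:shop", "tier:db", "zone:pci"}))

RULES = [
    Rule(frozenset({"app:shop", "tier:web"}),
         frozenset({"app:shop", "tier:db", "zone:pci"}), 5432, "allow"),
]
# Over-broad rule that would let any web tier reach any db tier across zones.
BROAD_RULES = [Rule(frozenset({"tier:web"}), frozenset({"tier:db"}), 5432, "allow")]

# The same workload after a live migration: new host and address, same tags.
WEB_MIGRATED = replace(WEB, host="esx-c", ip="10.0.9.77")


def demo() -> dict:
    return {
        "explicit_allow": decide(RULES, WEB, DB, 5432, {}),
        "after_migration": decide(RULES, WEB_MIGRATED, DB, 5432, {}),
        "unlisted_port": decide(RULES, WEB, DB, 22, {}),
        "quarantined_src": decide(RULES, WEB, DB, 5432, {"quarantined": {"web-01"}}),
        "broad_cross_zone": decide(BROAD_RULES, WEB, DB, 5432, {}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18s} -> {verdict}")
```

Note that the migrated copy differs only in its physical attributes, which `decide` never reads; that is the whole point of binding policy to logical attributes, and it is also why the broad rule is rejected even though its tags match: nothing in it says the flow is meant to enter the PCI zone.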
5. Separate control plane
Strong separation of duties and concerns between IT operations and security needs to be enforceable within a private cloud infrastructure. This requires that virtualization and private cloud-computing platform suppliers provide the ability to separate security policy formation, and the operation of security VMs, from management policy formation and the operation of the other data center VMs.
6. ‘Federatable’ policies and identities
Ideally, private cloud security infrastructure should be able to exchange and share (federate) policies with other physical security infrastructure in the data center, and security controls placed across physical and virtualized infrastructure should be able to intelligently co-operate for workload inspection. Security policies designed to protect workloads on-premises should also be able to be federated to public cloud providers; however, there are currently no established standards for the exchange of security policy information such as firewalling and IPS policies so policy federation of this type will initially be based on proprietary linkages such as VMware’s vCloud APIs.
Today’s static and siloed security infrastructure trapped within the confines of physical hardware is ill-equipped to satisfy these dynamic requirements, but will evolve to support these attributes over the next five years.
I’ll be presenting on this topic next week at Gartner’s US Data Center conference in Las Vegas. I hope to see you there in person!