Virtualization Technology News and Information
Gartner Says Security Must Evolve as Organizations Move Beyond Virtualization to Private Cloud Infrastructures
Security must evolve to support organizations’ transition from virtualized data centers to private cloud computing infrastructures, according to Gartner, Inc. While the fundamental principles of information security remain the same, the way by which organizations provision and deliver security services must change. Gartner predicts that by 2015, 40 percent of the security controls used within enterprise data centers will be virtualized, up from less than 5 percent in 2010.

“For most organizations, virtualization will provide the foundation and the steppingstone for the evolution to private cloud computing,” said Thomas Bittman, vice president and distinguished analyst at Gartner. However, the need for security must not be overlooked or ‘bolted on’ later during the transition to private cloud computing.”

Mr. Bittman explained that whether securing physical data centers, virtualized data centers or private clouds, the fundamental tenets of information security - ensuring the confidentiality, integrity, authenticity, access, and audit of our information and workloads - don't change. There will however, be significant changes required in how security is delivered. Whether supporting private cloud computing, public cloud computing, or both, security must become adaptive to support a model where workloads are decoupled from the physical hardware underneath and dynamically allocated to a fabric of computing resources.

“Policies tied to physical attributes, such as the server, Internet Protocol (IP) address, Media Access Control (MAC) address or where physical host separation is used to provide isolation, break down with private cloud computing,” said Neil MacDonald, vice president and Gartner Fellow. “For many organizations, the virtualization of security controls will provide the foundation to secure private cloud infrastructures, but alone, it will not be enough to create a secure private cloud.”

To support secure private cloud computing, security must include the following characteristics. It must be an integral, but separately configurable part of the private cloud fabric, designed as a set of on-demand, elastic and programmable services, configured by policies tied to logical attributes to create adaptive trust zones capable of separating multiple tenants. These are, Mr. MacDonald explained, the six necessary attributes of private cloud security infrastructure:

A Set of On-Demand and Elastic Services
Rather than security being delivered as a set of siloed security product offerings embodied within physical appliances, it needs to be delivered as a set of services available ‘on demand’ to protect workloads and information when and where they are needed. These services need to be integrated into the private cloud provisioning and management processes, and be made available to any type of workload — server or desktop. As workloads are provisioned, moved, modified, cloned and ultimately retired, the appropriate security policy would be associated with the workload throughout its life cycle.

Programmable Infrastructure
The security infrastructure that supplies the security services must become ‘programmable’ — meaning that the services are exposed for programmatic access. By definition, private and public cloud-computing infrastructure is consumable using Internet-based standards. In the case of programmable security infrastructure, the services are typically exposed using RESTful (Open representational state transfer] APIs, which are programming language and framework independent. By exposing security services via APIs, the security policy enforcement point infrastructure becomes programmable from policy administration and policy decision points. This shift will enable information security professionals to focus their attention on managing policies, not programming infrastructure.

Policies That Are Based on Logical, Not Physical, Attributes and Are Capable of Incorporating Runtime Context Into Real-Time Security Decisions
The nature of the security policies that drive the automated configuration of the programmable infrastructure needs to change as well. As organizations move to virtualized data centers and then to private cloud infrastructure, increasingly, security policies need to be tied to logical, not physical, attributes. The decoupling and abstraction of the entire IT stack and movement to private and public cloud-computing models means that workloads and information will no longer be tied to specific devices, fixed IP or MAC addresses, breaking static security policies based on physical attributes. To enable faster and more-accurate assessments of whether a given action should be allowed or denied, more real-time context information must also be incorporated at the time a security decision is made.

Adaptive Trust Zones That Are Capable of High-Assurance Separation of Differing Trust Levels
Instead of administering security policies on a VM (virtual machine)-by-VM basis, security policies based on logical attributes will be used to create zones of trust — logical groups of workloads with similar security requirements and levels of trust. As the policies are linked to groups of VMs and not physical infrastructure, the zones adapt throughout the life cycle of the VM as individual VMs move and as new workloads are introduced and assigned to the trust zone. Private cloud infrastructure will require security services that are designed to provide high-assurance separation of workloads of different trust levels as a core capability.  Gartner estimates that by 2015, 70 per cent of organizations will allow server workloads of different trust levels to share the same physical hardware within their own data centre, except where explicitly prohibited by a regulatory or auditor compliance concern.

Separately Configurable Security Policy Management and Control
Security must not be weakened as it is virtualized and incorporated into cloud-based computing infrastructures. Strong separation of duties and concerns between IT operations and security needs to be enforceable within a private cloud infrastructure, just as within physical infrastructure and virtualized infrastructure today. This separation occurs at multiple levels. If software controls are virtualized, we should not lose the separation of duties we had in the physical world. This requires that virtualization and private cloud-computing platform vendors provide the ability to separate security policy formation and the operation of security VMs from management policy formation and the operation of the other data centre VMs.

‘Federatable’ Security Policy and Identity
Private clouds will be deployed incrementally, not all at once. They will be carved out of existing data centers, where only a portion has been converted to a private cloud model. Ideally, private cloud security infrastructure would be able to exchange and share policies with other data centre security infrastructure - virtualized and physical - and security controls placed across physical and virtualized infrastructure would be able to intelligently cooperate for workload inspection. Furthermore, security policies designed to protect workloads, when on premises, would also ideally be able to be federated to public cloud providers. There are currently no established standards for this although the VMware vCloud API is a start, as is work within the Distributed Management Task Force (DMTF) to extend Open Virtualization Format (OVF) to express security policy.

Additional information on private cloud computing will be discussed at the Gartner Data Center & IT Operations Summit, November 22-23 in London and at the Gartner Data Center Conference, December 6-9 in Las Vegas. These events deliver a wealth of strategic guidance and tactical recommendations on the full spectrum of issues reshaping the 21st-century data center.

Published Monday, November 08, 2010 6:20 PM by David Marshall
Filed under: ,
Is travel insurance a requirement to travel to the USA? | world travel tours - (Author's Link) - November 9, 2010 10:26 AM
Cloud Focus » Security Must Evolve as Organizations Move Beyond Virtualization to Private Cloud Infrastructures - (Author's Link) - November 13, 2010 10:26 AM
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2010>