On 9/8 was held the Virtualization Security Podcast featuring Phil Cox, Director of Security and Compliance at RightScale, to discuss the impact of and need for automation of cloud security. Given that we create clouds by automating deployment of workloads we also need to automate the security of those workloads during the same deployment. This podcast delves into that need, and touches on where over automation is also a problem.
One of the biggest issues with the cloud is how to deploy its workloads securely and in compliance with government regulation. But given the new vCloud Global initiative, we now roll into security automation the need to ensure jurisdictions are not changed as well for the data of those workloads. If there is no way to prevent the movement of workloads based on jurisdictional issues, then the automation designed to achieve security and compliance has failed.
There are several approaches to this problem, the first is to use tools that prevent motion of data based on policy, to prevent motion based on choosing clouds that do not span multiple countries, or create your own IaaS environment where you have complete control. For the first, VMware and others point to OVF as the solution. The other two are choices based on monetary and business issues, unrelated to the technology. Equally important, but there should also be policy driven technology to prevent such movement.
OVF is a wonderful format for the packaging up of virtual appliances for motion elsewhere, however, it is just that, a format that is limited to deployment only. If you were to live migrate a running VM between clouds either using EMC VPLEX, Data Gardens, ZeRTO, and other replication software, OVFs policies are in effect ignored as the policies only impact deployment and not vMotion or other migrations between clouds. Nor is OVF the only format for packaging up of VMs, which means not all clouds will use it as a transport format.
So if OVF is not the answer, what is? At the moment, no such tool or omnipresent standard exists. There is nothing built into vShield Edge, vCloud Director, Embotics, Afore, and other such cloud management and security technologies. There is an opportunity here for someone to develop a policy driven migration of data between clouds that adheres to jurisdictional (legal) policy and not just compliance policy.
In either case, when entering the cloud, not only should Security and Compliance personnel be sitting at the table and adding their input, but so should Legal. Entering the cloud with your workload is based first on a risk assessment of the data to be placed within the cloud, but also on the legal ramifications if such data was to leave the jurisdictional borders of your state, country, region, etc. Ensure all the players are working together to formulate a proper plan for cloud entry and utilization.
* The travelogue video was produced by Lars Troen