VMware announced a loosely coupled group of vCloud providers that will use vCloud Connector to loosely couple their clouds, so that VMs can move from vCloud to vCloud without requiring you to renegotiate pricing, capability, and functionality with multiple cloud vendors, just your local one. This announcement is intriguing in that it is a move to push the cloud into the global space, but also fraught with peril if not done correctly.
A global cloud requires plenty of checks and balances so that workloads do not get moved from one jurisdiction to another, that should never be moved. In addition, it is becoming increasingly important that security policy also follow the object moved from cloud to cloud. Whether that cloud is your local enterprise or a cloud service provider. How this security policy wraps these objects has still to be decided. VMware could claim that such policy would move with the VM as long as the vCloud’s are federated properly, however, there is more to security policy than what is available from VMware such as the compliance requirements for PCI, HIPAA, DoD, DoE, etc.
Here is what is needed to make cloud to cloud a reality:
- Transparency in the business arrangements between cloud providers
- Use of CloudAudit.org to provide audit data for each cloud for customers
- A way to wrap VMs with security and compliance policy, not just vCloud policy
- A way to disallow movement of VMs from cloud to cloud if compliance and security policy is not met, ala jurisdiction
In all there is a need to tie compliance and security management directly into vCloud Director perhaps using vCenter Configuration Manager (vCM) and vShield, but also a way to pull in third party compliance and security policy. One organizations policy, is not the same as another organizations, so there is currently no one place to hold policy. I do not see vCM or vShield being this one place in the future, so import of third party data is also a requirement.
Ideally, I would like to wrap each VM with a policy control module, that would attest to compliance and security of the underlying cloud platform before it is allowed to launch or even import a virtual object. This policy control module, would then decrypt the object before each launch thereby ensuring confidentiality and integrity in the global vCloud.