The future of Virtualization and Cloud Security is being worked on today and there are several projects worth watching. Early guidance from these projects will aid your current virtualization and cloud security policies, procedures, plans, and architectures.
Existing Projects
The cloud security projects to watch are:
- Cloud Security Alliance (also on LinkedIn), which is looking into all aspects of cloud security and the security of virtualization within a multi-tenant environment.
- A6 (Audit, Assertion, Assessment, and Assurance API) Working Group, which is working toward an API that enables proper audit controls of cloud infrastructures.
The virtualization security projects to watch are:
- Security Guidance for vSphere, which has yet to be completed but will be announced within the following:
  - VMware Communities Security and vShield Zones Forum
  - VirtSec group on LinkedIn
  - Virtualization Security Round Table Podcast
  The guidance under development is from VMware, CIS Security, and DISA.
- PCI and FDIC working groups, as they work through the inclusion of virtualization into their guidance. Granted, this guidance will be fairly generic, as it must cover all forms of virtualization products.
Hybrid virtualization and cloud projects to watch are:
- The Distributed Management Task Force (DMTF), which has teamed up with the Cloud Security Alliance to work toward a common virtual machine file format that includes the necessary security metadata.
Future Projects
Even with these existing projects, I think there is a need for at least one more project related to cloud and virtualization security and compliance, specifically compliance, since security is not compliance and compliance is not security.
- General compliance guidance with respect to virtualization and cloud that auditors can use to determine whether the proper compensating controls are in use.
This general compliance guidance would not be specific to any one industry and would help auditors and security professionals determine whether the proper compensating controls are in place for each of the hypervisors in use.
Conclusion
As virtualization becomes more complex, we will need to rely heavily on documentation from security and compliance projects to determine what should and should not be part of the security policy. Knowing how to harden and audit is just as important as knowing which compensating controls to have in place.