Securing the journey to the private cloud
22 Nov 2011
The private cloud concept promises the benefits of cloud computing, but behind a company's own firewall. Here, in an extract from her presentation at IP EXPO 2011, Rashmi Tarbatt, chief security architect for EMEA at RSA (the security division of EMC), explains how data security approaches should evolve in order to take advantage of this model.
How should companies be thinking about information security as they move from their first virtualisation deployments to more ambitious private cloud environments? What are the key security considerations they should be taking into account?
Let's start with a brief definition of the Private Cloud: what we're talking about is a virtualised infrastructure that offers services on an on-demand basis, but which sits behind a company's own firewall and is owned and operated solely for that organisation's benefit.
Typically, a lot of customers tell us that although they're exploring virtualisation, they're not using it for their production environments yet - or at least, they're not putting sensitive corporate data into that virtualised environment. Unfortunately, that means that they're not taking full advantage of all the benefits that virtualisation can offer.
The journey to the Private Cloud is usually travelled in three stages, each with its own security considerations.
The first stage in the journey is the introduction of virtualised servers. At this stage, IT teams should use the controls they have in their existing physical environment and map them to the newly virtualised environment. Virtualisation specialists such as VMware and Microsoft can advise on platform-hardening measures for the hypervisor layer, to strengthen security still further. And you will need strong authentication and role separation for administrators, because - in theory at least - if an unauthorised person gains access to the hypervisor layer, it may be possible for them to compromise a number of virtual machines.
The second stage of the Private Cloud journey is porting critical production applications to the virtualised environment. Here, the goal becomes protecting information: you want security policies and controls to move with the data as a virtual machine shifts between hosts, protecting the data itself, not its container.
The third stage is true 'IT as a service', where the IT department becomes a business in itself, and hopefully a profitable one, too. Here, the virtualised environment enables IT to start charging other units of the business for the services and applications it provides on a per-usage basis. This stage also often marks the point at which third-party services are introduced on an as-needed basis.
But that, of course, means ensuring compliance across a hybrid cloud infrastructure - and the IT department must ensure consistency of security controls across physical and virtual infrastructures and service providers, too. Here, the emphasis is on establishing a verifiable ‘chain of trust’ between a company and its third-party cloud providers, so they speak the same language when it comes to data security.
It takes a lot of thought - but that’s not to say that security should be any kind of inhibitor to private cloud computing. In the physical environment, IT teams are used to dealing with multiple different technology ‘stacks’ and having a range of security controls that apply to each individual stack - controls that secure the network, the hardware itself, the applications and so on. With virtualisation, by contrast, they’re dealing with a composite stack and thus working from a better vantage point - they’ve got a more complete view of what’s going on.
This correlated view of the environment is one of virtualisation’s greatest advantages when it comes to data security. For many companies, in fact, the journey to the cloud is one in which data becomes more secure, not less, at every stage.