For his third post, John Churchhouse considers the security and compliance implications of virtualization and cloud computing and asks whether it really is the Wild West out there for SMBs considering the technologies.
Security is a concern for any organisation, big or small. It's also historically been used as a stick to hit virtualization and, more recently, cloud computing. Because we are so used to a physical IT landscape, we are far more comfortable when we can see and touch security. What this view misses is that virtualization offers the ability to employ different approaches to security that can provide far greater control as well as flexibility.
In a virtualized environment, it no longer makes sense to think of security as protecting physical IT assets. The real assets being protected – data, applications and operating environments – are now contained within virtual machines (VMs) that flexibly, efficiently and transparently move across the underlying physical infrastructure. Security policies need to be associated with the virtual entity (machine, application or datacenter) and they need to remain persistent as the entity migrates across physical assets. Virtualization makes this all possible, not just with cloud applications but also with the existing legacy applications that are critical to the business, for two reasons. Firstly, VMs are "encapsulated" instances of an application, its data and the operating environment in which it runs. Secondly, virtualization is implemented by sliding in an additional software layer between the physical hardware and the VMs themselves.
At higher levels of abstraction, VMs are aggregated into virtual applications, which in turn can be aggregated into virtual datacenters. These entities can then have security attributes inextricably assigned, so that as the entities move, these attributes and the required policies will be unaffected.
The additional software layer I mentioned earlier allows virtualized environments to bring benefits/efficiencies to existing environments not easily obtainable in the physical world. A good example of this is anti-virus/end-point security for PC environments. In a virtual environment, anti-virus can be implemented as a single virtual security appliance serving many virtualized end-user environments rather than having anti-virus software installed on each. Additionally, this virtual security appliance is not visible to the outside networks and therefore doesn't present a target for malware to penetrate.
The same approach can be taken with compliance, where it could be applied to the protection of sensitive data, for example, using Data Loss Prevention techniques.
This is all well and good for virtualized environments, but what about cloud computing? The majority of people still think of cloud as referring to large public cloud offerings, and in turn see this area of the industry as currently reminiscent of the Wild West: great rewards to be had but very little in the form of protection and security.
So, how can security and compliance be addressed in this public cloud arena? Firstly, cloud service providers build the cloud on a solid virtualized platform with the improved virtual security referred to previously. Secondly, the organisation itself can establish its own "internal" or "private" cloud, built using compatible technologies based upon open standards of virtual machine formats and open management and control interfaces. Because these environments are inherently compatible, virtual entities can easily move, along with their security and compliance attributes, from the private to the public domain, and vice versa.
What does this mean for SMBs? Firstly, as well as providing incredible cost benefits, virtualization also allows organisations to increase levels of security in a more flexible and efficient way. Secondly, virtualization is the enabling technology for cloud computing. Consequently, any concerns over security of embracing public cloud can be dispelled by selecting cloud service providers who themselves have constructed their offerings with security built in at every level and provide compatible management interfaces that allow organisations to see and manage their end-to-end cloud (private and public) as one.
We know how important data protection and the security of your IT infrastructure are. If cloud computing is the Wild West, then we'd like to think that our solutions act as the Sheriff, maintaining law and order and allowing you to confidently exploit the considerable rewards that this new frontier has to offer.
Next time I'll be looking at tackling organisational barriers to virtualization and cloud – if you've got one in particular that you'd like me to address, let me know below or tweet us @vmware_uk.