Tackling security and compliance for SMBs in a virtual world

For his third post, John Churchhouse considers the security and compliance implications of virtualization and cloud computing and asks whether it really is the Wild West out there for SMBs considering the technologies.

Security is a concern for any organisation, big or small. It's also historically been used as a stick to hit virtualization and, more recently, cloud computing. Because we are so used to a physical IT landscape, people are far more comfortable when they can see and touch security. What they're missing is that virtualization offers the ability to employ different approaches to security that can provide far greater control as well as flexibility.

In a virtualized environment, it no longer makes sense to think of security as protecting physical IT assets. The real assets being protected – data, applications and operating environments – are now contained within virtual machines (VMs) that flexibly, efficiently and transparently move across the underlying physical infrastructure. Security policies need to be associated with the virtual entity (machine, application or datacenter) and they need to remain persistent as the entity migrates across physical assets. Virtualization makes this possible, not just with cloud applications but also with the existing legacy applications that are critical to the business, for two reasons. Firstly, VMs are "encapsulated" instances of an application, its data and the operating environment in which it runs. Secondly, virtualization is implemented by sliding in an additional software layer between the physical hardware and the VMs themselves.

At higher levels of abstraction, VMs are aggregated into virtual applications, which in turn can be aggregated into virtual datacenters. These entities can then have security attributes inextricably assigned, so that as the entities move, these attributes and the required policies are unaffected.

The additional software layer I mentioned earlier allows virtualized environments to bring benefits and efficiencies to existing environments that are not easily obtainable in the physical world. A good example of this is anti-virus/end-point security for PC environments. In a virtual environment, anti-virus can be implemented as a single virtual security appliance serving many virtualized end-user environments, rather than having anti-virus software installed on each one. Additionally, this virtual security appliance is not visible to the outside networks and therefore doesn't present a target for malware to penetrate.

The same approach can be taken with compliance, where it could be applied to the protection of sensitive data, for example, using Data Loss Prevention techniques.

This is all well and good for virtualized environments, but what about cloud computing? The majority of people still think of cloud as referring to large public cloud offerings, and in turn see this area of the industry as currently reminiscent of the Wild West: great rewards to be had but very little in the form of protection and security.

So, how can security and compliance be addressed in this public cloud arena? Firstly, cloud service providers build the cloud on a solid virtualized platform with the improved virtual security referred to previously. Secondly, the organisation itself can establish its own "internal" or "private" cloud, built using compatible technologies based upon open standards of virtual machine formats and open management and control interfaces. Because these environments are inherently compatible, virtual entities can easily move, along with their security and compliance attributes, from the private to the public domain, and vice versa.

What does this mean for SMBs? Firstly, as well as providing incredible cost benefits, virtualization also allows organisations to increase levels of security in a more flexible and efficient way. Secondly, virtualization is the enabling technology for cloud computing. Consequently, any concerns over the security of embracing public cloud can be dispelled by selecting cloud service providers who themselves have constructed their offerings with security built in at every level and provide compatible management interfaces that allow organisations to see and manage their end-to-end cloud (private and public) as one.

We know how important data protection and the security of your IT infrastructure are. If cloud computing is the Wild West, then we'd like to think that our solutions act as the Sheriff, maintaining law and order and allowing you to confidently exploit the considerable rewards that this new frontier has to offer.

Next time I'll be looking at tackling organisational barriers to virtualization and cloud – if you've got one in particular that you'd like me to address, let me know below or tweet us @vmware_uk.

Comments (2)

  • Hi, I am a graduate from the University of Greenwich in the field of network and computer system security. I would like to know how I can move into the virtualization security side. I will be waiting for the reply.

    Fri 6 Jan 2012, 00:33

  • Hi Inkeshaf, with a degree in a related field you should be able to move quite easily into virtualization security. We're always on the lookout for new graduates, and as you'll see from this job description (http://jobs.vmware.com/job/Palo-Alto-New-College-Graduate-MTS-Secu), even when looking for a graduate to work on our security and network solutions team, we don't ask for a specific degree, but a general one which will give you a good understanding of IT, or in your case security, as a whole.

    We have R&D offices across the world, so if you're interested in working for VMware in the field of security, keep an eye on our job pages for graduate entry roles near you: http://www.vmware.com/jobs/university-relations

    To help prepare, you can check out our security blog, where some of VMware's top experts discuss issues surrounding virtualization, cloud computing and security: http://blogs.vmware.com/security/

    Thu 12 Jan 2012, 16:35
