Security providers and businesses have to rethink their approach to cloud computing, RSA President Art Coviello, executive vice president of EMC, said at the RSA Conference 2010 in San Francisco on Tuesday.
Security should be designed and built into the cloud at the chip level with the same identity, infrastructure and management policies used in the physical world, he maintained.
Coviello also outlined a four-stage path for enterprises moving their infrastructure into the cloud.
Security Fears Hinder Migration to Cloud
Fears about security are restricting the ability of businesses to fully leverage the capabilities of the cloud, Coviello said.
“Organizations are spending as much as two thirds of their IT budget to manage their infrastructure,” he pointed out. “Cloud computing can alter this ratio so much more energy can be directed towards real innovation and competitive advantage.”
However, businesses are afraid there isn’t enough security in the cloud so they are holding off on making the shift, Coviello said.
This opens the door for security providers to step up to the plate.
“Cloud computing gives us the opportunity to change the way we deliver security inside out,” Coviello pointed out. “The cloud will force organizations to pay serious attention to their security management processes and not just their end point technologies.”
Security should be designed and built into the cloud so everyone can make use of the cloud, fully confident that their information and transactions are secure, Coviello said — and that means building it into chips.
Levels of protection in the cloud should surpass what’s available in the physical infrastructure today, he continued. Vendors and businesses should begin by enforcing the same identity, infrastructure and management policies they use in the physical world.
Virtualization enables the cloud, and security should be embedded in the virtual layer so that enterprises can enforce policies for information, identity and infrastructure within the virtual layer, Coviello said.
“That’ll let us shift from infrastructure to an information-centric policy, concentrating on information and who gets access rather than the plumbing,” he pointed out.
Improving security in virtual infrastructures will lead to changes in the allocation of duties, among other things. “Right now, people focus on storage or servers or networks or end points and so on,” Coviello said. “In the cloud, many of these roles will converge. For example, virtual machine administrators will combine network, storage and server administration roles simultaneously.”
Enterprises will also have to rethink the processes and policies for handoff to security teams, he said.
The Four-Step Process
Enterprises will take a four-stage journey to get to the cloud, Coviello suggested.
Stage one involves the virtualization of noncritical infrastructure like testing and low-risk applications. This lets enterprises get their feet wet and work out any kinks they encounter. “Given the noncritical nature of the applications, there are relatively few new security requirements at this initial phase,” Coviello explained, “but at this stage, you’ll become adept with the tools of virtualization and hardening the virtual infrastructure.”
In stage two, enterprises will virtualize their critical business applications. Security requirements will scale up when they do. “Insider threats increase in importance here because of the portability of virtual machines,” Coviello warned.
Virtual machines can be run on any physical server, and insiders with malicious intent can clone a virtual machine — and all the critical information it contains — onto another physical server in order to steal that information.
In stage two, enterprises will push security down the stack deep within the virtual layer, embedding controls into the virtual infrastructure that are now bolted on in the physical infrastructure, Coviello said.
The third stage will see enterprises developing internal clouds and operating their infrastructure as a utility. This means that, just like electricity or water, infrastructure will be delivered on demand, as and when it is needed, rather than being provisioned permanently whether or not it is in use.
At this stage, enterprises need more mature policies for risk and governance. “They’ll need GRC that can span the physical and virtual infrastructures,” Coviello pointed out. (“GRC” stands for governance, risk and compliance.)
In the third stage, monitoring and controlling privileged access becomes increasingly important. Self-service and self-provisioning will add new layers of complexity to the infrastructure, and monitoring and controlling changes here will also be critical, Coviello predicted.
Stage four is when enterprises will begin outsourcing their infrastructures to external service providers and have hybrid clouds, Coviello said. Such hybrid clouds are a combination of internal and external clouds.
However, enterprises won’t want to get to stage four unless cloud infrastructure providers can demonstrate the capability to enforce policy, prove compliance and manage multitenancy, Coviello pointed out.
“Enterprises will need to demand that cloud service providers provide strong proof of compliance, even in the deepest layers of the cloud,” he cautioned. “Service providers need to be able to tell clients and auditors anything they need to know, with verifiable proof.”