Earlier this month, RSA, The Security Division of EMC released a new RSA Security Brief entitled “Identity and Data Protection in the Cloud: Best Practices for Establishing Environments of Trust.” This Brief is authored by security and virtualization experts from VMware and across EMC and offers guidance and actionable best practices for organizations faced with the challenges of securing identities and data in the cloud.
The brief received a lot good of press coverage in outlets such as SearchSecurity and DarkReading. The brief also reinforces one of the core tenets of EMC’s cloud security strategy: Our strong belief that virtualization and cloud are major disruptors that will lead to new architectures with levels of security that surpass the level of security you can get in traditional IT architectures.
This bold claim has not gone unnoticed and some have publicly voiced their skepticism. Let me take a couple of examples in the areas of desktop and data management that illustrate how virtualization and cloud can solve security problems that are currently unsolved in traditional IT infrastructures.
Better Desktop Security
If you have ever talked to any IT desktop administrators, you know that their worst security nightmare is you, me and all our fellow end-users. We are very difficult to control: we add software to our laptops without asking for permission, we change configurations to improve performance (don’t we know better?) and very often we are missing the latest security patches. To add to our desktop administrator nightmare, we take our laptops home or into hotel rooms, browse the Internet, get our laptop infected and introduce Trojans and other undetectable malware when we connect back to our corporate networks (read Uri Rivner’s conspiracy theory blog if you do not believe me).
To solve that problem, you can either change human behavior or migrate to hosted virtual desktops. Since we only live once, I will focus on the latter.
A hosted virtual desktop environment enabled by platforms such as VMware View separates the corporate desktop from the underlying hardware giving almost real-time control to the desktop administrators on desktop images. Furthermore, end-user data does not leave the data center even when they are used by the end-user and virtualization isolation characteristics ensure that the non-corporate use of the desktop does not interfere with its corporate use, thus greatly reducing the risk posed to corporate assets by infected desktops.
Hosted virtual desktops do not change the end-user behavior but they put full control and visibility of the corporate desktop back in the hands of the IT administrator.
If you are an IT architect with responsibility for ensuring optimal data availability to applications in compliance with the hundreds of policies and regulations that your organization has to obey, you have a tough job and many good reasons to have sleepless nights.
The architecture you oversee certainly relies on a distributed information infrastructure, with file systems, storage, archives and disaster recovery distributed over multiple sites and maybe several countries. On top of it you certainly have built data discovery technology such as RSA Data Loss Prevention (DLP) Suite to locate on a regular basis sensitive data and data that is governed by specific policies or regulations (i.e, PCI, European Privacy Act, etc.). Finally you add DLP components at the network and desktop level to enforce DLP policies across your environment.
With cloud storage, you can build content awareness directly into your storage infrastructure and have your DLP policies directly enforced by your cloud storage. You can set up policies, for instance, to prevent sensitive data from being stored on an external cloud storage infrastructure or to ensure that employee information is only stored on infrastructure located in the same country as the employee. These policies can now directly be referenced and enforced by the cloud storage infrastructure at the time it handles data, greatly simplifying data management and giving sleep back to deserving IT architects.
EMC’s cloud and security divisions jointly demonstrated this concept earlier this year by integrating EMC Atmos cloud optimized storage with the RSA DLP suite.
These are just two examples of how cloud and virtualization represent a once-in-a-lifetime opportunity to change the way we implement security. There are more examples highlighted on the VMware Security Blog describing how RSA and VMware are collaborating to embed security in the virtual infrastructure. Let’s get the discussion going, but more importantly, let’s act and continue to demonstrate and prove how embedding security into virtual and cloud infrastructures will bring about new levels of security control that we cannot get by bolting security onto infrastructures that are inherently not secure.