NEWSFILE
9
Decisions
The nature of the security policies that drive the automated configuration of the programmable infrastructure needs to change as well. As organizations move to virtualized data centers and then to private cloud infrastructure, security policies increasingly need to be tied to logical, not physical, attributes. The decoupling and abstraction of the entire IT stack and the movement to private and public cloud-computing models mean that workloads and information will no longer be tied to specific devices or fixed IP or MAC addresses, breaking static security policies based on physical attributes. To enable faster and more-accurate assessments of whether a given action should be allowed or denied, more real-time context information must also be incorporated at the time a security decision is made.
Adaptive Trust Zones That Are Capable of High-Assurance Separation of Differing Trust Levels
Instead of administering security policies on a VM (virtual machine)-by-VM basis, security policies based on logical attributes will be used to create zones of trust - logical groups of workloads with similar security requirements and levels of trust. As the policies are linked to groups of VMs and not to physical infrastructure, the zones adapt throughout the life cycle of the VM as individual VMs move and as new workloads are introduced and assigned to the trust zone. Private cloud infrastructure will require security services that are designed to provide high-assurance separation of workloads of different trust levels as a core capability. Gartner estimates that by 2015, 70 per cent of organizations will allow server workloads of different trust levels to share the same physical hardware within their own data centre, except where explicitly prohibited by a regulatory or auditor compliance concern.
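The contrast between static, address-based policy and attribute-based trust zones can be shown with a small policy evaluator. This is an added illustration, not code from the article or from Gartner; the zone names, allow pairs and IP addresses are constructed, and "attested" stands in for whatever real-time context a real platform would supply.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    name: str
    trust_zone: str   # logical attribute the policy keys on
    ip: str           # physical attribute; changes on migration or re-provisioning

# Trust-zone policy (constructed for this example): traffic inside one zone is
# allowed, cross-zone traffic only via an explicit allow pair, everything else denied.
CROSS_ZONE_ALLOW = frozenset({("web", "app"), ("app", "db")})

def zone_policy(src: Workload, dst: Workload, dst_attested: bool = True) -> bool:
    """Decide on logical attributes plus real-time context (attestation state)."""
    if not dst_attested:          # fail closed when context says the target is untrusted
        return False
    if src.trust_zone == dst.trust_zone:
        return True
    return (src.trust_zone, dst.trust_zone) in CROSS_ZONE_ALLOW

# Legacy static policy keyed on physical addresses (constructed): web1 -> app1
# as the addresses were at provisioning time.
STATIC_IP_ALLOW = frozenset({("10.0.1.10", "10.0.2.10")})

def ip_policy(src: Workload, dst: Workload) -> bool:
    return (src.ip, dst.ip) in STATIC_IP_ALLOW

def scenario() -> dict:
    """Move app1 to a new address, then reuse its old address for a low-trust VM."""
    web1 = Workload("web1", "web", "10.0.1.10")
    app1 = Workload("app1", "app", "10.0.2.10")
    db1 = Workload("db1", "db", "10.0.3.5")
    before = {"zone": zone_policy(web1, app1), "ip": ip_policy(web1, app1)}
    app1_moved = replace(app1, ip="10.0.2.77")                   # VM migrated and re-addressed
    squatter = Workload("untrusted1", "untrusted", "10.0.2.10")  # new VM inherits the old IP
    after = {
        "zone_web_to_app": zone_policy(web1, app1_moved),        # still allowed
        "ip_web_to_app": ip_policy(web1, app1_moved),            # legitimate flow now broken
        "zone_web_to_untrusted": zone_policy(web1, squatter),    # denied: no allow pair
        "ip_web_to_untrusted": ip_policy(web1, squatter),        # stale rule grants access
        "zone_db_to_web": zone_policy(db1, web1),                # no rule in that direction
        "zone_unattested": zone_policy(web1, app1_moved, dst_attested=False),
    }
    return {"before": before, "after": after}
```

The static table both breaks the legitimate flow after the move and keeps granting the old address's access to whichever workload is assigned it next; the zone policy follows the workload's attributes, so the decisions are unchanged by the move and the low-trust VM is kept separate.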
Separately Configurable Security Policy Management and Control
Security must not be weakened as it is virtualized and incorporated into cloud-based computing infrastructures. Strong separation of duties and concerns between IT operations and security needs to be enforceable within a private cloud infrastructure, just as within physical infrastructure and virtualized infrastructure today.
This separation occurs at multiple levels. If software controls are virtualized, we should not lose the separation of duties we had in the physical world. This requires that virtualization and private cloud-computing platform vendors provide the ability to separate security policy formation and the operation of security VMs from management policy formation and the operation of the other data centre VMs.
‘Federatable’ Security Policy and Identity
Private clouds will be deployed incrementally, not all at once. They will be carved out of existing data centers, where only a portion has been converted to a private cloud model.
Ideally, private cloud security infrastructure would be able to exchange and share policies with other data centre security infrastructure - virtualized and physical - and security controls placed across physical and virtualized infrastructure would be able to intelligently cooperate for workload inspection.
Furthermore, security policies designed to protect workloads, when on premises, would also ideally be able to be federated to public cloud providers.
There are currently no established standards for this, although the VMware vCloud API is a start, as is work within the Distributed Management Task Force (DMTF) to extend the Open Virtualization Format (OVF) to express security policy.
WWW.SNSEUROPE.COM
WIN 2010