“If you say it costs $1 a unit, whatever that measures, then cloud puts it in the $0.10 to $0.15 cents per unit,” he explains. “And that’s a CIO’s nightmare because his clients (within his own enterprise) will say, ‘Forget it, I’ll go outside.’”
For some enterprises it is virtualize or die, says Laura Williams, CIO of the Peel District School Board and board member of the CIO Association of Canada. “With the economic downturn perhaps we’ve adopted virtualization at a speed we might not have done without that pressure,” she says. “For those who have had the luxury of being more cautious, the key message is that virtualization introduces new risks that need to be understood. In some cases, it also introduces new costs.” Those businesses considering virtualization should “step back,” she cautions, and conduct a sound business case analysis in consultation with the security stakeholders.
“Is it virtualization on premise or off? How does adding a piece of software change the process or the tools or the risks?” she asks. “We’re still learning if the security tools we have will work the same way in a virtualized environment.”
At the same time, CIOs are being pressured by massive demand from mobile users for powerful applications, which are always seamlessly updated. This demand has driven a shift to Software as a Service, where applications and data live in a cloud. But going that route, Williams adds, there are more security considerations, especially for public entities.
When it comes to virtualization, the consensus among experts is that data needs to be classified, with low risk data treated differently from high-risk data. “If you decide to go out on the cloud you really need to consider how that service is being provided to you, where the data is stored and the third-party process for managing data,” says Williams.
Still, virtualization does not bring uniform savings. For example, in-house virtualization may never reduce that CIO’s costs to the level of large scale providers, VMware’s Aitken says, adding there’s a comfort level where enterprises are prepared to give up some cost savings in return for better security control by operating in a private cloud as opposed to a public one.
“It’s exciting and scary at the same time,” observes Steve Orrin, Intel’s director of security solutions. “Security and control are rooted in three factors, technology, process and policy, and with virtualization we hit all three.” We’re seeing an IT paradigm shift, he adds, which opens up new frontiers but scary ones because we’re still figuring out where the dragons are hiding. Virtualization adds another software layer as an operating system.
“Virtualization is software driven and is vulnerable to external threats and already we’ve seen virtual machine (VM) root kits spring up with names like BluePill and SubVirt, which implant themselves on the thin hypervisor layer which is in effect the virtual databases’ operating system,” he says.
Still, there are issues across the board when it comes to security and virtualization and that’s why guidance from thought leaders and industry associations is becoming more critical. Earlier this year — March 1 to be exact — at the RSA Conference in San Francisco, Ca., the Cloud Security Alliance (CSA) and Hewlett-Packard tabled its report Top Threats to Cloud Computing V.1.0, listing seven areas of vulnerability: Abuse and Nefarious Use of Cloud Computing, Insecure Application Programming Interfaces, Malicious Insiders, Shared Technology Vulnerabilities, Data Loss/Leakage, Account, Service & Traffic Hijacking and Unknown Risk Profile.
CSA also rolled out the first cloud security certification, education and outreach program for cloud providers. The Trusted Cloud Initiative is designed to help develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices.
“One of the points of pain is compliance because how do you enforce your policy,” Orrin says. “And how do you audit it when what your auditor saw today isn’t going to be the same as he’ll see tomorrow [because virtualization shifts on the fly for optimum efficiency.]”
Despite the questions, Neil MacDonald, vice-president and fellow at security analyst firm Gartner, believes there is enormous upside for growth. “We think it will hit the tipping point somewhere in 2012 and it’s a fairly steep curve,” he says, adding there are a couple of red flags to contend with. “The biggest mistake I see is the virtualization initiative tends to start with IT in the name of cost saving but doesn’t always involve the security team. We need to apply lessons learned from the last 20 or 30 years because this is one of the most important developments since the x86 platforms.”
What’s needed now, according to MacDonald, is some best practices standards from the relevant organizations and that is still pending, though some have started to chime in.
And as more companies join the conversation, more questions continue to arise: What are the privacy rules of the jurisdiction where the data resides? How do they conflict with the jurisdiction that governs the owner of the data? What conflicts exist on machines?
Walking small to medium-sized companies through the shift and addressing their security concerns is exactly where Bill (Bilhar) Mann, CA’s senior vice-president, security and compliance, sees growth. As a reseller, CA has already targeted access control and user privileges as key growth areas, rolling out products to help their clients take their first steps on the road to virtualization and cloud, starting with private clouds and then looking to the horizon of public clouds.
“The future is enterprises without data centres sitting on the public network with your service cloud and application providers to glue it all together, but you don’t own the glue and that’s why CIOs are having nightmares,” he says.
Ian Harvey is a freelance writer in Toronto, Ont.
SOURCES
CA • www.ca.com
CIO Association of Canada • www.ciocan.ca
Gartner • www.gartner.com
Intel • www.intel.com
VMware • www.vmware.com
MARCH/APRIL 2010 • SECURITY MATTERS 19