Tuesday, 27 April 2010

How will virtualisation and cloud computing change security?

Astaro’s Gert Hansen examines why virtualisation and cloud computing can provide more efficient management and automation of non-critical IT functions while, at the same time, doing so in a secure manner

Getting the most out of existing IT resources is one of the biggest concerns for organisations at the moment, as budgets remain tight and any economic recovery is still fragile at best. In this environment, cost-saving technologies such as virtualisation and cloud computing will continue to figure in most enterprise IT infrastructure discussions.

Virtualisation has already proven its worth in delivering ROI through server consolidation and better use of resources. The use of virtualisation across servers and desktops is widely anticipated to continue growing. Cloud-based systems and the success of IT service outsourcing have demonstrated how centralised remote computing approaches can deliver services to users in a more efficient way as well. But how are these new IT infrastructures affecting IT security strategies?

Virtual security, secure virtualisation

Research from analyst firm Gartner in 2009 stated that around 16% of all servers within enterprise IT environments are now virtualised, increasing to around 50% by 2012. Virtualisation platforms are now supporting production workloads, rather than just existing in testing and development environments. VMware now has over 150 000 customers, while Microsoft and Citrix have thousands of happy customers as well. Take-up of the technology has been moving beyond the larger enterprise deployments and into smaller businesses.

As with any technology that is growing in importance, regardless of organisation size, it is expected that malware writers will begin attacking these virtualised environments, looking for vulnerabilities either within the hypervisor layer or to exploit opportunities within the guest VM environments. The overall aim will be to hijack workloads or steal critical data.

However, too often the security team is left out of discussions when it comes to virtualisation, so that security strategies are either added after the virtual infrastructure has been designed and implemented, or gaps are left. As the use of virtualisation spreads into more production environments, security has to be a core concern. This includes evaluating business continuity aspects, as the proportion of workloads affected by an outage or virus attack will be much higher in a consolidated environment.

The security industry has begun working on ways to keep virtual environments secure, both at the product level and collectively as an industry. An example of this is the Payment Card Industry’s Special Interest Group around virtualisation and security, where vendors, major retailers and other industry experts have come together to provide best-practice information to the wider community around protecting credit card information.

In order to keep virtualisation deployments secure, a mixture of traditional IT security skills and awareness of new techniques is required. Virtualisation does bring in opportunities to simplify how IT is being run, but it adds its own complexities as well. Traditional tasks such as patching can be more difficult due to the additional layer of virtualisation software, while virtual machines can move around the IT estate as business demands and workload priorities evolve, making network design potentially more challenging.

In this fluid environment, planning and awareness of the possibilities that virtualisation can provide is important. Taking a proactive approach, such as keeping virtual and physical network traffic separated through use of VLANs, is a good first step. Installing intrusion prevention and firewall systems at the edge of the virtual infrastructure that can monitor and inspect traffic between the virtual machine host servers is also a valid approach.

Security functions can also be moved onto the virtual infrastructure, which can provide the IT security team with the same benefits of virtualisation that the rest of the business experiences. Virtualised appliances, which include a stripped down OS and the bare functionality required to support a service or a specific task, are also becoming more popular. A research report from IDC in December 2009 stated that virtual security appliance budget allocations will continue to grow over the next year to 18 months, as the total cost of ownership results are better than using separate point software products or dedicated hardware.

By using these virtual appliances, organisations can continue to consolidate their IT kit and still get the results that physical appliances can deliver. If a security system requires more horsepower, then the amount of resources can be scaled up to meet demand. Similarly, if a service is running idle, then it can be scaled back. This level of flexibility is not available with hardware or software versions, where capacity planning can be an issue.

From a planning perspective, virtualisation may be entering the mainstream, but the rules of security are still being set. In order to get the most out of virtualisation and security, both disciplines have to be borne in mind from the start.

A cloudy future?

Depending on who you talk to, cloud computing is either the greatest thing to hit IT or the latest in a long line of marketing exercises. The truth, of course, lies somewhere in between. The most common definition of cloud computing is using the internet to deliver a reliable service to users, where the amount of that service can be scaled up or down depending on demand. Whereas this is similar to previous models such as managed services or application service providers, the main difference is in how you pay for cloud computing. The ‘pay-as-you-go’ billing model that real cloud services can offer makes the approach attractive to organisations where funding for new IT projects is proving difficult to come by, and ongoing costs are preferred to upfront investment.

Whatever your opinion of cloud computing is, it has the potential to make IT service delivery more efficient and cost-effective. The biggest barrier to take-up of cloud services is around security, as organisations are giving up control of their data to outside providers. In industries where regulations on data retention and ownership are in place, moving over to the cloud may be impossible without establishing firmly defined standards, which will not be developed for at least a few years. No matter how attractive the potential savings, establishing trust and understanding around cloud computing will continue to be the largest hurdle to overcome with customers.

For organisations looking at their options for the cloud, the most important points to understand are where any data that is handed over will actually reside, and what regulation has to be followed. This will depend on the type of data that is moved over to the cloud provider; essential business records or personal information may have to be kept secure at a company’s head office, whereas non-critical information or archived material can be moved off-site.

Even though the data is stored by another company, it is the responsibility of the customer to ensure that this information is secure and that data protection rules are followed. If moving over to a public cloud provider does not suit the business, or if there are rules restricting information from being moved outside a country’s boundaries, then taking a trusted local partner that can remotely manage the systems on your premises can be a suitable ‘halfway house’ that can deliver the cost benefits of full cloud computing, while retaining some control.

Security providers are also looking at how the cloud can make procedures more efficient. The value of taking a cloud-based approach here for the organisation is in managing the process more efficiently, rather than hosting the products or service on-site. The most common examples of where cloud-based services can be effective are for those tasks where the business does not benefit from them being run well, but is hampered if they are not properly managed. Email archiving is a good case in point: there is little competitive advantage to be gained from this technology, so handing it over to a cloud service can provide better return on investment and reduce costs associated with storage compared with managing it in-house.

Best practices are building up around virtualisation and cloud computing, as the technologies become used across more companies and new offerings reach the market. For the IT security team, virtualisation and cloud computing can provide more efficient management and automation of non-critical IT functions.

In an age where IT resources are more stretched than ever before and the pressure is on to deliver better results on static budgets, this represents a significant opportunity to deliver the results that businesses need to remain competitive. As these technologies move into production, the right security planning can ensure that the use of virtualisation or cloud computing actually delivers the promised benefits.

Full Source: InfoSecurityMag



Jonathan Price said...

Gert is absolutely right, a cloud platform needs not only to support virtual and physical environments, but must also be enabled and protected by appropriate security measures. CA is running The Cloud Academy, a series of free seminars that address these topics and more – see details at http://www.ca.com/us/cloud-academy/content.aspx?cid=225418

virtualisation said...

Hi, I am a Dell employee and I found your blog on "How will virtualisation and cloud computing change security?" very impressive. I think it attempts to answer a very crucial concern about virtualisation security in an analytical way.