Cloud computing is one of the IT-game changers of our time but security and compliance concerns are holding cloud computing (Infrastructure as a Service) adoption to less than 1% of participants in Nemertes’ benchmark research.
At the heart of cloud computing is virtualization, which abstracts data, applications and operating systems from underlying hardware and in the process marginalizes security practices dependent on physical devices, a hard perimeter, and static boundaries and locations. Virtualization injects movement and dynamism into the IT Infrastructure and introduces a new layer of software and an ecosystem of related management applications that needs its own protection. These are all things that don’t exist in the non-virtualized infrastructure. Since over 90% of organizations are already deploying virtualization, much of our discussion will focus on virtualization security (VirtSec).
Beyond virtualization, cloud computing adds an additional layer of abstraction, raising additional security-related issues, including: Compliance, defense in depth, data location, privacy, shared tenancy, data leakage, data retention, e-Discovery, standards and performance. Addressing these issues requires more than simply slapping on some VirtSec. We must fundamentally rethink data security, depending on whether we’re protecting internal, external or hybrid cloud environments. Many of the underlying security controls are the same: Encryption, strong (multi-factor) authentication, access controls, audit logs, intrusion detection, anti-malware, anti-virus, etc. What’s different is the context, the way we apply these controls and new controls that are only possible in a virtualized infrastructure with virtualized security. The bottom line is we’ve got a lot to talk about.
