During the VMworld 2011 conference, the theme of security came up very strongly. Indeed, there were many parallels to the RSA Conference 2011 in February 2011 that echoed concerns about "putting all your eggs in one basket".
Many solutions were presented, including new innovations from VMware in the form of the vShield family and vertical integration into the RSA enVision tools. Tools are good, but there are few substitutes for common sense and training.
Within all the sessions, I did not really see anything indicating how in-depth Cloud security was to be achieved. Security certifications are mainly focused on awareness of issues pertaining to this theme and some level of descriptive and prescriptive actions that can be performed within a framework.
Taking a metaphor linked to security, namely defending a country, there are parallels that can be drawn. Typically an army of some sort (SecOps - Security Operations) incorporates the capabilities of the security force, a command and control center for operations (SOC - Security Operations Center).
The army receives training both general and specific for particular engagement types (Security awareness training, Security tool training, System administration tasks such as patching, general awareness of threat levels around the world in cybersecurity terms). The army stays fit and in shape to respond should they be called into action. The army is distributed to ensure response in the correct measure and correct location (layered security distributed throughout a Cloud environment).
Lastly, to keep things short, there are mock trials and joint manoeuvres taking place to keep the training sharp and realistic, to ensure a coordinated knowledgeable response to said threat. This can be done with partners that share a similar set of goals, such as NATO. This is the bit that seems to be missing.
What Does This All Mean for Virtualization and the Cloud?
In speaking with some clients on the floor at VMworld, I raised the idea and it seemed to generate a favourable response. Clients and would-be users of cloud technologies are clamouring for safety, and seek to assuage their fears through buying the next great security software that claims nothing needs to be done, apart from issuing a purchase order!
Let's face it, something does need to be done. Tools do need to be acquired - but as part of an Enterprise Security Architecture (ESA) focused on ensuring all IT supporting the business is safe by design, and kept safe through regular threat update measures.
Regular drills are carried out to ensure that the security controls are in place, and mitigation controls can be called for in extreme situations. In the most extreme cases it is necessary to completely cut off outside connectivity while the threat is forensically investigated and stopped!
To be fair, the number of organisations that actually perform PEN (penetration) testing has really increased. However, that is a means to validate the efficacy of the control measures already in operation or determine what is missing.
I would advocate processes and organisational structures implemented within a Cloud-enabled organisation, enabling testing and simulation of attacks (mock war games) that allow each and every SecAdmin to be able to block/thwart attacks. Further, tracking attacks to source and procedures for rapidly alerting cyber-authorities & ISPs, ensuring damage is minimized and threat reduction measures are engaged on a broader scale.