In a previous blog post entitled "VMworld 2011 - Practice Makes Perfect (Security)", I discussed the notion of preparing actively for attack in cyberspace through readiness measures and mock maneuvers.
This is happening at the level of nations. ENISA, in Cyber Atlantic 2011, shows how large blocs of nations are working not only on increasing their capabilities, but also on practicing in concert to see how global threats can be prevented or isolated in cyberspace.
This is at least as intensive as a NATO exercise. Languages, cultures, varying capabilities, synchronization of Command & Control capabilities, as well as reporting and management at national levels, all come into play.
APTs (Advanced Persistent Threats) will be the target in this exercise. This is a current and relevant threat, and credible measures are needed urgently. APTs can be used by organized crime or in state-sponsored attacks to circumvent the defenses of even the most secure installations, typically nuclear or military. It is critical that measures and controls are in place at a national level.
Hopefully they will also cover the very sensitive area of reporting to the press and to organizations that are being targeted or potentially targeted, as well as practical measures that everyday folk like you and me can implement quickly and easily. Remember, security starts with people!
What does this all mean for Virtualization and the Cloud?
There is of course a fine line between skirting personal privacy rules, which are in place for very good reasons of personal liberty and democratic thinking, and protecting assets in the Cloud from malicious attacks or just plain theft of intellectual property.
Governments should also not be excluded. It is equally important that an individual has their privacy rights maintained without the threat of Big Brother from other states or indeed your own government. This is an area that every individual needs to be vigilant about. Controls within Government also need to be available to the individual should there be patent infringement without a court order authorizing surveillance. Even that needs to be double-checked!
This does of course also strengthen the case for private clouds, or at least closed community clouds. These provide another buffer perimeter against attack and ensure the ability to fence off networks from unwanted outside intruders.
This involves security by design. The ability to isolate Cloud elements as needed, together with proactive, event-triggered security responses, will entail ever smarter tools! The ability to process massive data and web logs in near real-time will power the heart of Automated Cloud Security Response & Tracking.
Why is this important for the CIO?
General-purpose cloud constructs that run standard workloads on x86 platforms will also have their own level of security. This may well involve a different defense strategy than protecting key structured and unstructured data repositories.
The fact that nation states are working collaboratively on Cybersecurity provides an ideal opportunity for CIOs to link into that capability. National Cyberdefense will have access to the latest, greatest, wildest threats by linking into the response systems of vendors (RSA, Symantec, Trend, Qualys, etc.) who are able to gather data from the users of their respective solutions.
One-size-fits-all clouds can be dangerous in a world where one needs to design for systems failing or being exposed to insidious attack. Although silos in IT are not the preferred approach, the idea of clearly fenced-off Cloud areas, focused on the type of data they operate on and their business impact analysis ratings, should be seriously on the CIO agenda.
Cost savings may well need to be re-channelled to address your concerns with security. Work with the CSO/CISO to get the funding for securing the business assets. Work with government to have access to greater resources and possibly funding.