
Cloud Security Maneuvers - Governments taking Proactive Role

In a previous blog entitled VMworld 2011 - Practice Makes Perfect (Security), I discussed the notion of preparing actively for attack in cyberspace through readiness measures and mock maneuvers.

This is happening at the level of nations. ENISA, in Cyber Atlantic 2011, shows how large groups/blocs of nations are working not only on increasing their capabilities, but also on practicing in concert to see how global threats can be prevented or isolated in cyberspace.

This is at least as intensive as a NATO exercise. It has to deal with languages, cultures, varying capabilities, and synchronization of Command & Control capabilities, as well as reporting and management at national levels.

APTs (Advanced Persistent Threats) will be the target in this exercise. This is a current and relevant threat, and credible measures are needed urgently. APTs can be used in organized crime or state-sponsored attacks to circumvent even the most secure installations - nuclear/military typically. It is critical that measures and controls are in place at a national level.

Hopefully they will also cover the very sensitive area of reporting to the press and to organizations that are being targeted or potentially targeted, as well as practical measures that everyday folk like you and me can implement quickly and easily. Remember, security starts with people!

 

What does this all Mean for Virtualization and the Cloud?

Clouds span organizations, nations, borders and cultures. We need to think in equal if not greater terms when thinking about security. Security in one area does not guarantee the security of the entire cloud or the communities that they serve.

There is of course a fine line in skirting personal privacy rules, in place for very good reasons of personal liberty and democratic thinking, and protection of assets in the Cloud from malicious attacks or just plain stealing of intellectual property.

Governments should also not be excluded. It is equally important that an individual has privacy rights maintained without the threat of big brother from other states or indeed your own government. This is an area that every individual needs to be vigilant against. Controls within Government also need to be available to the individual should there be patent infringement without a court order authorizing surveillance. Even that needs to be double-checked!

This does of course also strengthen the case for private clouds, or at least closed community clouds. This provides another buffer perimeter against attack, and ensures the ability to fence off networks from unwanted outside intruders.

This involves security by design. Measures to isolate Cloud elements as needed, and proactive event-triggered security responses, will entail ever smarter tools! The ability to process massive data and web logs in near real-time will power the heart of Automated Cloud Security Response & Tracking.

 

Why is this important for the CIO?

Competitive advantage may not be the only reason for charting a hybrid course for your clouds. Fit-for-function micro-cloud capabilities (e.g. focused on only providing Database-aaS, or Middleware-aaS) will ensure best-in-class features, and will ensure that there is an island of Cloud capability with the required security measures within the overall Corporate Cloud Strategy.

General-purpose cloud constructs to run standard workloads on x86 platforms will also have their own level of security. This may well involve a different defense strategy than protecting key structured and unstructured data repositories.

The fact that nation states are working collaboratively on Cybersecurity provides an ideal opportunity for CIOs to link into that capability. National Cyberdefense will have access to the latest, greatest, wildest threats through linking into vendor response systems (RSA, Symantec, Trend, Qualys etc.), which are able to gather data from the users of their respective solutions.

Further, the ability to liaise directly with the heads of global organizations providing briefing information, as well as joint public response measures with the media, will also enable a "soft landing" effect on global equity markets based on their fear of the effect of a widespread cyber attack. I do feel that Government should also provide a level of funding for corporate cyber security to ease the burden. Time will tell on this one!

One-size clouds can be dangerous in a world where one needs to design for systems failing or being exposed to insidious attack. Although silos in IT are not the preferred approach, the idea of clearly fenced-off Cloud areas focused on the type of data they are operating on and their business impact analysis ratings should be seriously on the CIO agenda.

Cost savings may well need to be re-channelled to address your concerns with security. Work with the CSO/CISO to get the funding for securing the business assets. Work with government to have access to greater resources and possibly funding.

Disclaimer

The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.
