New features that will ensure the integrity of logs generated by VMware’s new vCloud Director are already under development, according to David Ottenheimer, an independent security consultant and vCloud Security and Compliance Architect who undertakes some work for VMware.
Speaking at VMworld 2010 in San Francisco today, Ottenheimer argued that the enhancements are necessary because IT professionals charged with ensuring compliance cannot assume that public cloud providers will get security right.
Citing a long list of outages from major cloud providers including Microsoft and Google, he warned delegates to remind themselves that these companies were not too big to fail in the cloud, and that the same must be assumed of their ability to deliver security.
“When you get to a cloud you have this blank page for security but you don’t have transparency the way you used to,” he said. “This is one of the cons of the cloud: it is unpredictable. You are looking at an opaque environment. How do you audit them [a cloud provider] or ask if they have been audited?”
Ottenheimer said security professionals need not be unduly worried about this situation, as it generally takes a while before any industry or device matures to the point at which safety controls are ubiquitous and powerful.
In the interim, he recommends judicious application of existing controls, like ISO 27002 and the European Network and Information Security Agency’s (ENISA’s) framework, to cloud security. “Compliance is all about checklists,” he said. “ISO 27002 gives you a pretty good idea of what is going on in a cloud environment.”
“A lot of what you do [to secure the cloud] is the same stuff you do already,” he said, urging attendees to think of cloud security as applying the same processes to different inputs, a bit like the human body applies the same digestive processes to different foods.
But Ottenheimer also counselled that special attention is needed in some areas, especially remote access.
“In the cloud remote access is more important because so much of what happens with virtualisation relies on it, while virtual private networks extend your network so the endpoint becomes more important.” Making this more complicated is the fact that virtualisation often sees IP addresses reused and shared, which means it is harder to trace the source of attacks.
That problem has led Ottenheimer to work on enhancements to vCloud Director that will preserve log files to ensure their retention, integrity and confidentiality, so they provide the best possible record of access to different virtual machines, be they in a private or public cloud.
Simon Sharwood travelled to San Francisco as a guest of VMware.