By creichert | April 19, 2010
RSA Security Brief: Cloud Infrastructure Security – March 2010
In cloud environments, one of the most pervasive and fundamental challenges for organizations in demonstrating policy compliance is proving that the physical and virtual infrastructure of the cloud can be trusted – particularly when those infrastructure components are owned and managed by external service providers.
For many business functions commonly run in the cloud – hosting websites and wikis, for example – it’s often sufficient to have a cloud provider vouch for the security of the underlying infrastructure. For business-critical processes and sensitive data, however, third-party attestations usually aren’t enough. In such cases, it’s absolutely essential for organizations to be able to verify for themselves that the underlying cloud infrastructure is secure.
The next frontier in cloud security and compliance will be to create transparency at the bottom-most layers of the cloud by developing the standards, tools and linkages to monitor and prove that the cloud’s physical and virtual machines are actually performing as they should. Verifying what’s happening at the foundational levels of the cloud is important for the simple reason that if organizations can’t trust the safety of their computing infrastructure, the security of all the data, software and services running on top of that infrastructure falls into doubt. There’s currently no easy way for organizations to monitor actual conditions and operating states within the hardware, hypervisors and virtual machines comprising their clouds. At those depths, we go dark.
Cloud providers and the IT community are already preparing to address this problem. Groups of technology companies have banded together to develop a new, interoperable and highly secure computing infrastructure for the cloud based on a “hardware root of trust,” which provides tamperproof measurements of every physical and virtual component in the entire computing stack, including the hypervisor. Members of the IT community are exploring ways to use these measurements to
improve visibility, control and compliance in the cloud.
They’re collaborating on a conceptual IT framework to integrate the secure measurements provided by a hardware root of trust into adjoining hypervisors and virtualization management software. The resulting infrastructure stack would be tied into data analysis tools and a governance, risk & compliance (GRC) console, which would contextualize conditions in the cloud’s hardware and virtualization layers to present a reliable assessment of an organization’s overall security and compliance posture. This type of integrated hardware-software framework would make the lowest levels of the cloud’s infrastructure as inspectable, analyzable and reportable for compliance as the cloud’s top-most application services layer. With this unprecedented level of visibility, we believe clouds can develop the infrastructure-level policy controls and the end-to-end security attestations to handle even the most demanding security requirements for applications and data. Ultimately, this will enable organizations to take advantage of the cloud’s benefits in supporting a much broader range of business processes.
Read the full whitepaper here: EMC-RSASecurityBrief.pdf