Cloud Computing: Easing Some Of Virtual Security’s Complexities

February 6, 2012, by David
Grazed from Network Computing. Author: Robert Mullins.

While virtualization and cloud computing pretty much dominate the IT world, security and compliance with IT standards are neither trivial concerns, nor going away anytime soon. But in some ways, security is easier to accomplish in virtual systems than in physical

Take the task of tracking an inventory of IT assets in a data center, for instance. Catbird, a security and compliance technology vendor, has just introduced version 5.0 of its vSecurity suite of tools for securing virtual, cloud and physical networks. One feature of the product is Automated Asset Inventory: every time a new device is attached to the network — a server, a router or a printer — the inventory feature sees it and applies the appropriate security rules to it…

This is an example of something you can’t do in the physical world, said the company. You can never have a perfect inventory. Invariably, someone plugs in a printer without telling anyone or buys their own Wi-Fi router at Best Buy.

"These are the kinds of things that drive IT people crazy but are a huge security problem," said Catbird’s Tamar Newberger. "If you can’t monitor something, you can’t detect if there is a problem with it," she said.

According to new data from InformationWeek Research, cloud progress is slowing down. At the start of 2011, the cloud survey found 60 percent more IT organizations reporting that they were using cloud services: 31 percent vs. 18 percent the previous year. This year, there was a measly two-point gain, with 33 percent of respondents saying that they’re using cloud services. The easy stuff has been done. Integration challenges and security concerns are as real as they ever were.

Catbird’s vSecurity suite also delivers intrusion detection and prevention, network access control, vulnerability monitoring, compliance enforcement, policy management and configuration management. While that array of functions is comprehensive, the company said customers can use similar tools from other vendors if they prefer them and vSecurity 5.0 can integrate with them.

Security and compliance in virtual environments is a mixed bag, Newberger added, because auditors don’t all agree on how or whether to certify those systems. Some auditors will certify a virtual environment but others won’t. Only last year did the PCI Security Standards Council issue a set of new guidelines for passing PCI audits for virtualized environments. PCI is the payment card industry standard for the security of networks that process debit or credit card payments.

The Security Standards Council issued a report January 20 advising companies that want to move PCI systems to the cloud that, even if they outsource those functions, they’re still ultimately responsible for compliance and for safeguarding their data. The council has certified widely used cloud computing platforms such as Amazon Web Services and Verizon’s Computing as a Service as PCI compliant.

But not all network standards-setting bodies have virtualization-specific rules. The National Institute of Standards & Technology, like PCI, has virtualization rules, but the Health Insurance Portability and Accountability Act (HIPAA) in health care does not, she said.

"So there’s a little bit of chaos going on," Newberger said.

But while compliance is important, compliance doesn’t guarantee security, she added. Newberger recently was given new Visa and MasterCard credit cards to replace ones she had, with new account numbers. She believes it was a result of a breach at Zappos.com, a shoe and apparel shopping Web site, which disclosed that personal data of 24 million customers was compromised in mid-January.

"I’m sure they were PCI compliant at Zappos. I’m sure they are all sorts of compliant," Newberger said. "What’s driving a lot of virtualization security thinking is actually compliance. Part of that is because there’s really not an empirical measure of security that we know of except compliance standards. And they are imperfect for sure."