Defeating Cloud Pessimists: Virtual machine security case

Cloud opponents say you should take virtual machines out of the cloud because cloud security issues constrain their business. Worse, cloud opponents ' bleak vision of the security of a virtual machine may be deep inside the IT administrator.

The overly restrictive stance on cloud security is undermining the potential benefits of moving from a virtual environment to the cloud, which includes the flexibility of computing resources and the cost reductions associated with economies of scale and access to and from anywhere (or almost anywhere).

Cloud opponents ' assertions about virtual machine security sometimes seem justified. "Once you put the virtual machine in the cloud, you give up the ownership of the data" is a very common assertion about cloud security. Another worry for all IT staff is that "the cloud means unemployment." But the focus on cloud security is usually just fear of what you don't know.

You can use the following arguments to refute the arguments of the cloud opponents.

Argument 1: Cloud does not apply to all virtual machines

Cloud opponents make a false assumption based on their own position: cloud computing is an either-or proposition.

They are concerned about the security of virtual machine data and are not able to protect sensitive corporate assets, and others may pry into their data stores. But this assertion assumes that all virtual machines must be treated equally, which means that all virtual data must be equally protected, and this is no coincidence.

Best practices related to compliance and data security recommend creating secure islands that logically isolate sensitive data from unnecessary data.

By isolating the data in this way, the server and services are logically partitioned to help you decide which virtual machines to run in the cloud makes sense. Instead of delving into technical meetings related to encryption and authorization authentication, you can directly invalidate the objections of cloud opponents to the separation of sensitive virtual machine data.

In other words, if you don't care about the data in some virtual machines, the argument about cloud security is meaningless.

Point 2: Security technology also applies to the cloud

In the case of sensitive virtual machine data, virtual machine security technology is already being used to protect virtual machines in the cloud.

Protection of cloud-based Virtual machine technology (encryption and logon authentication), in the data transfer (in addition to transport security, there are host and hypervisor firewall) and even in the process (with the help of Hypervisor's own logical functions) have existed.

You can easily deliver a virtual machine to the cloud provider, enable the virtual machine's firewall, and only allow it to communicate with your network, providing a reasonable guarantee for the security of the virtual machine. The Kerberos protocol, for example, prevents the cloud vendor from prying into your virtual machine by preventing the user from logging on to the domain controller. The Advanced Encryption standard, such as securing virtual machine data in a virtual infrastructure, also applies to data stored in the cloud.

At the same time, virtual machine security tools dedicated to virtual environments can already be extended to use in the cloud. For example, VMware's VShield security platform provides firewalls, encryption, security, border protection, and anti-malware in both virtual and cloud environments.

Argument 3: You can establish a compliance alliance

Cloud opponents assume you don't know what might hurt your virtual machine. How do you know that cloud providers are properly fulfilling their commitments to you? How do you know that the cloud provider did not migrate your virtual machines to an unexpected, notorious country? How do you determine that the provider is following the protection strategy, especially if you are not allowed to confirm with them directly?

There are actually many ways to ensure compliance. There is no need to confirm compliance directly, just as the SEC does not audit all companies directly. They relied on credible third parties such as accounting firms and their auditors.

The information technology industry has embarked on appropriate federal audits to ensure that cloud providers complete the appropriate level of virtual machine security they are committed to providing. Audit Standard 70 and the newly released certification Business Standard 16 use a trusted third party in conjunction with a published process to complete a federal audit mission. The ISO ISO9001 standard defines policy and policy compliance. These strategies also provide a legal basis for the remediation of problems, and involve even more problems than the internal security office staff outside the Office building to visit personal sites.

By combining these auditing features with today's virtual machine security technology, you're on your way to solid cloud security.

The absence of security in the cloud fails because the assertion itself is technically not necessary. Cloud is not just a technology; Cloud is a service, so cloud security includes not just simple authentication, authorization, encryption, and access control. You must plan your cloud environment, provide the right virtual machines to ensure security, and learn about Third-party cloud security audits.

Using a non technical approach to ensure the security of virtual machine data is often more important than the strict focus on bits and bytes.