
Deployment to the cloud: Logical servers and compliance agents

Cloud-based technologies can be a great solution for lowering costs and increasing elastic capacity, but not for every situation. In this TechRepublic post, IT guru Rick Vanover introduces the concept of logical servers.

Getting started with cloud technologies is no easy task. Traditional IT infrastructures of all sizes, “brick-and-mortar IT” if you will, are challenged to decide what can go to a cloud. FastScale Technology today released FastScale Composer Suite Enterprise Edition 3.0 for cloud technology deployment. FastScale Composer Suite is a tool that creates logical servers to help organizations abstract clouds. This is because a cloud can be used internally with a technology like VMware’s vSphere or externally with Amazon Web Services.

FastScale Composer Suite does a brilliant job in helping IT professionals rationalize this important distinction. When I spoke recently with FastScale, vice president Jerry McLeod said, “Separate what you want to build from where you want to build it.” Simply put, that makes a logical server the transportable object to go to a cloud solution. I really like that explanation, as the application and functionality are what we are focused on.

The Composer Suite product does one better than most solutions out there in that a “just enough operating system,” or JeOS (pronounced juice), is used to deploy logical servers to the cloud. A JeOS build removes all the unnecessary components of a logical server to allow it to function only as required. This comes into play for an upcoming feature with the product. Though not yet available, FastScale is working diligently with compliance-software companies to bundle agents with the logical servers to go to the cloud.

The compliance agents will score a logical server's classification for regulatory compliance such as PCI, HIPAA, or COBIT. The compliance metric or score is calculated for the logical servers. Using JeOS architecture will aid greatly, as many unnecessary elements of the original operating system are not inherited by the logical server. Figure A shows a logical server being provisioned and the associated options selected.


Logical servers with Composer Suite can be built in Linux and Windows. The current Windows support is for Windows Server 2003 logical servers, with Windows Server 2008 support forthcoming.

Overall, a tool such as Composer Suite makes cloud provisioning easier for organizations working on a proof of concept or a migration. I’ll be sure to follow up here on the forthcoming compliance agent that will be bundled into the cloud-hosted logical servers.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

9 comments
kazoobwc1

Are there any technologies out there in a cloud for IT project management?

Deadly Ernest

These people obviously advocate using the cloud and cloud technology. Keeping that in mind, do they have all their corporate data and proprietary software development data out there stored in the cloud outside their own immediate control of the hardware? And if so, which one? And if not, why not, since they advocate that's what we should do? Sorry, just woke up in the middle of the night with a nasty feeling and saw this, thought I'd ask before taking my tablet and going back to bed - it's 4.06 am here.

aandruli

Considering the need for compliance and security in most organizations, a physical server on-premises seems to be the obvious solution. Making a "virtual server" both secure and compliant will bring on a migraine before it can be done and then, still not convinced that it can be done. Most organizations will be waiting until they see a number of other organizations using and attesting to a virtual server, and any organization where both compliance and security are mission-critical will just have to take a pass at this product.

CG IT

but I would have to play around with it on a HIPAA compliant system to see if it actually works. HIPAA has 3 categories of compliance for a computer network. Administrative, technical and physical. While this software product could try to show compliance with some technical and physical requirements, there are some that it just cannot do. Asset tracking is one of them and the HIPAA asset tracking isn't simply knowing what hardware and software is on what workstation or server. Rather HIPAA asset tracking is really strict inventory management of computers that have protected data on them or are used to access protected data. I don't think the software can determine what is protected data therefore show compliance in protecting the data.

b4real

I have to think that something will have it soon. But, I wish I had a concrete example for you.

b4real

They score based on the configuration of the system and will be cloud-aware. I can tell you that these are in the works, but I can't reveal who the compliance partner is.

CG IT

a software product that can tell if a system is compliant with regulations that require protected information being secured on a need to know basis.

CG IT

I've had the pleasure of working with wanted to see how we kept track of who was granted authority of access protected data, why they were granted access, when they accessed it, what computer they accessed it on, what they did with it, where it went, and whether we could be assured it wasn't changed, that it wasn't disclosed to non-authorized people and finally, that those who were not granted access, could not access it. They went through written policies and procedures line by line and compared it with HIPAA regulations. They wanted documented proof [which happened to include both paper and electronic with electronic printouts] that we complied with HIPAA regulations all administrative safeguards, technical safeguards and physical safeguards. All 57+ areas that HIPAA has a specific safeguard for. One area they were really big on was who looks at who is accessing what, when, where, how and why, and how often that person reviews the records. They were also very interested in WAN security end to end. I don't know of any software program that does all that. So you can say it does, but I'll bet it probably only covers 1 small portion of the total regulatory requirements. Good Dog and Pony show but I don't buy it. Advertising hype might make it look easy but actual compliance isn't easy as simply having a software program do it all. It can't.

b4real

What do you think compliance auditors use?