
RSA says cloud and virtualization offer IT a do-over in security

Security remains one of the biggest hurdles to cloud computing adoption, but RSA thinks the cloud could ultimately deliver better security than we have today.

Security remains one of the biggest hurdles to cloud computing adoption. According to IDC research, 51% of CIOs are hesitant to move forward with cloud computing because of security concerns.

EMC and its security arm, RSA, want to change that perception. In fact, the two believe that cloud computing, and specifically virtualization (the primary technology that powers the cloud), offers a great opportunity for technology vendors and IT departments to rewrite the rules of the game and give themselves a powerful advantage over potential attackers.


At EMC World 2010 in Boston on Tuesday, Art Coviello, president of RSA (the security division of EMC), and a couple of members of his RSA team made a bold pitch, stating that security embedded in the virtualization layer can give us better security than what we have today.

"The perimeter defense just isn't working any more," said Coviello. IT has built too many bridges to allow users access in lots of different ways, he said, which has also provided attackers with too many different avenues to launch their assaults.

Coviello and his team want to rethink the model with virtualization and the cloud by integrating security in a much more granular way. The RSA crew explained some of the things that RSA offers today to make virtualization and the cloud more secure:

  • Embed encryption into the stack at the server, storage, and network level
  • Integrate RSA security products into VMware View on Vblock
  • Use granular control to block the wrong people from getting in and to keep the most important data from leaking out
  • Enable secure boot sequences for VMs

RSA also provided a peek at some of the things it's working on for the future. Dr. Ari Juels, RSA's chief scientist, said the best thing about the cloud is that it abstracts much of the messiness of server rooms and data centers. The danger is that "if you peel away the cloud abstraction layer, then you'll find something you didn't want to find," said Juels.

The other problem is that IT doesn't have as much visibility into the actual infrastructure, and that kind of visibility is needed for auditing and compliance. As a result, RSA Labs is working on a technology called "Remote Checkups" to give IT more visibility into cloud services and data by offering a set of verification tools to run. Here are some examples of Remote Checkups that RSA is working on:

  • Proof of Retrievability (POR) - A check to see if an uploaded file is still available from the cloud
  • Remote Assessment of Fault Tolerance (RAFT) - A check to see if a file can survive a disk crash, or if it is spread across too many disks
  • Verify Co-Residency Status - A check to see if a sensitive virtual machine (that's supposed to be on a dedicated server) is located on the same physical machine with other VMs
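
To make the first checkup concrete, here is a simplified retrievability spot-check, added as an illustration and not RSA's prototype or code from the article: the client tags each block with an HMAC before upload, keeps only the key, and later challenges the provider for randomly chosen blocks. The block size, function names and the MAC-per-block scheme are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

BLOCK_SIZE = 64  # constructed value, small so a sample file has many blocks


def tag_block(key: bytes, index: int, block: bytes) -> bytes:
    # Bind each tag to its block index so one valid block cannot answer for another.
    return hmac.new(key, index.to_bytes(8, "big") + block, hashlib.sha256).digest()


def prepare_upload(key: bytes, data: bytes) -> list:
    """Client: split the file and attach a MAC tag to every block before upload."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    return [(blk, tag_block(key, i, blk)) for i, blk in enumerate(blocks)]


def make_challenge(n_blocks: int, sample_size: int) -> list:
    """Client: pick unpredictable indices so answers cannot be precomputed."""
    return secrets.SystemRandom().sample(range(n_blocks), min(sample_size, n_blocks))


def provider_respond(stored: list, challenge: list) -> list:
    """Provider: return the requested (block, tag) pairs, or None for a lost block."""
    return [stored[i] if i < len(stored) else None for i in challenge]


def verify_response(key: bytes, challenge: list, response: list) -> bool:
    """Client: holds only the key; accepts only if every sampled block verifies."""
    if len(response) != len(challenge):
        return False
    for index, item in zip(challenge, response):
        if item is None:
            return False
        block, tag = item
        if not hmac.compare_digest(tag_block(key, index, block), tag):
            return False
    return True


def detection_probability(corrupt_fraction: float, sample_size: int) -> float:
    """Approximate chance that a random sample hits at least one damaged block."""
    return 1.0 - (1.0 - corrupt_fraction) ** sample_size
```

A passing check only shows that the sampled blocks are intact, so the sample size sets the confidence: checking 460 random blocks catches 1% corruption a little over 99% of the time.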

All of these things are prototypes and proof-of-concept items right now, and not part of a commercial product yet, but they provide an idea of the kinds of things RSA is working on to prepare for a future that will involve a lot more cloud computing.

The combination of RSA security products embedded into virtual machines and the remote checkups that RSA is developing for the future led Coviello to state, "We have all the raw material for getting it right this time."

Will that be enough to convince CIOs? It's still going to be a tough sell overall, and it will be for several years as enterprises continue to transition legacy business apps to more cloud- and virtualization-friendly formats. However, this might be enough to get some CIOs to buy into EMC's private cloud strategy.

About

Jason Hiner is the Global Editor in Chief of TechRepublic and Global Long Form Editor of ZDNet. He is an award-winning journalist who writes about the people, products, and ideas that are revolutionizing the ways we live and work in the 21st century.

4 comments
bboyd

Soon enough to hang themselves. Isn't that list of utilities a set of basic tasks? Maybe hardened security OS kernels and high order encryption systems would make me think they had what it takes. Also being granted a proper EAL rating would sway some of us cynics. How about "The presence of security protections may even be taken for security itself. For example, two computer security programs could be interfering with each other and even cancelling each other's effect, while the owner believes s/he is getting double the protection." A list of precautions is not a formal security proof.

Jaqui

Sorry, but information with stringent security requirements is information that CANNOT be trusted to the cloud, ever. You want me to trust some other party with your personal credit information because my ecommerce site is in the cloud? I don't want it for my own information.

tbmay

I just can't get comfortable with anything sensitive in the "cloud." The risks are too great. I use the "cloud" for some services but they're services that don't have a sensitive element to them. Nor are they services that can't be done without for a while.