Security remains one of the biggest hurdles to cloud computing adoption, but RSA thinks the cloud could ultimately deliver better security than we have today.
Security remains one of the biggest hurdles to cloud computing adoption. According to IDC research, 51% of CIOs have concerns about moving forward with cloud computing because of security concerns.
EMC and its security arm, RSA, want to change that perception. In fact, the two believe that cloud computing, and specifically virtualization (the primary technology that powers the cloud), offer a great opportunity for technology vendors and IT departments to rewrite the rules of game and give themselves a powerful advantage over potential attackers.
For perspective on the latest developments in tech, you can also follow my Twitter feed: @jasonhiner
At EMC World 2010 in Boston on Tuesday, Art Coviello, president of RSA (the security division of EMC) and a couple members of his RSA team made a bold pitch, stating that security embedded in the virtualization layer can give us better security than what we have today.
"The perimeter defense just isn't working any more," said Coviello. IT has built too many bridges to allow users access in lots of different ways, he said, which has also provided attackers with too many different avenues to launch their assaults.
Coviello and his team want to rethink the model with virtualization and the cloud by integrating security in a much more granular way. The RSA crew explained some of the things that RSA offers today to make virtualization and the cloud more secure:
- Embed encryption into the stack at the server, storage, and network level
- Integrate RSA security products into VMware View on Vblock
- Use granular control to block the wrong people from getting in and to keep the most important data from leaking out
- Enable secure boot sequences for VMs
RSA also provided a peek at some of the things it's working on for the future. Dr. Ari Juels, RSA's chief scientist, said the best thing about the cloud is that it abstracts much of the messiness of server rooms and data centers. The danger is that "if you peel away the cloud abstraction layer, then you'll find something you didn't want to find," said Juels.
The other problem is that IT doesn't have as much visibility into the actual infrastructure, and that kind of visibility is needed for auditing and compliance. As a result, RSA labs is working on a technology called "Remote Checkups" to give IT more visibility into cloud services and data by offering a set of verification tools to run. Here are some examples of Remote Checkups that RSA is working on:
- Proof of Retrievability (POR) - A check to see if an uploaded file is still available from the cloud
- Remote Assessment of Fault Tolerance (RAFT) - A check to see if a file can survive a disc crash, or if it is spread across too many discs
- Verify Co-Residency Status - A check to see if a sensitive virtual machine (that's supposed to be on a dedicated server) is located on the same physical machine with other VMs
All of these things are prototypes and proof-of-concept items right now, and not part of a commercial product yet, but they provide an idea of the kinds of things RSA is working on to prepare for a future that will involve a lot more cloud computing.
The combination of RSA security products embedded into virtual machines and the remote checkups that RSA is developing for the future led Coviello to state, "We have all the raw material for getting it right this time."
Will that be enough to convince CIOs? It's still going to be a tough sell overall, and it will be for several years as enterprises continue to transition legacy business apps to more cloud- and virtualization-friendly formats. However, this might be enough to get some CIOs to buy into EMC's private cloud strategy.