Security must evolve to support the transition from virtualised datacentres to private cloud computing infrastructures,...
according to research firm Gartner.
In a report on this transition, Gartner predicts that by 2015, 40% of security controls in enterprise datacentres will be virtualised, up from less than 5% in 2010.
"For most organisations, virtualisation will provide the foundation and the stepping stone for the evolution to private cloud computing," said Thomas Bittman, analyst at Gartner.
"However, the need for security must not be overlooked or 'bolted on' later during the transition to private cloud computing," he said.
While the fundamental principles of information security remain the same, the way organisations provision and deliver security services must change, said Bittman.
Whether supporting private cloud computing, public cloud computing, or both, security must become adaptive to support a model where workloads are decoupled from the physical hardware underneath and dynamically allocated to a fabric of computing resources, he said.
Security policies that are tied to physical attributes, such as the servers, IP addresses, MAC addresses, and network isolation break down with private cloud computing, said Gartner analyst Neil MacDonald.
"For many organisations, the virtualisation of security controls will provide the foundation to secure private cloud infrastructures, but alone, it will not be enough to create a secure private cloud," he said.
Gartner estimates that by 2015, 70% of organisations will allow server workloads of different trust levels to share the same physical hardware within their own datacentre, except where explicitly prohibited by a regulatory or auditor compliance concern.
According to Gartner, security for private clouds must conform to six attributes: elastic services, programmable infrastructure, policies based on logical attributes, adaptive trust zones, separate configurability, and the ability to federate policies and identity.
Six necessary attributes of private cloud security
1. Elastic services
Security needs to be delivered as a set of services available 'on demand' to protect workloads and information when and where they are needed. As workloads are provisioned, moved, modified, cloned and retired, the appropriate security policy would be associated with the workload throughout its life cycle.
2. Programmable infrastructure
The security infrastructure the security services use must become "programmable from policy administration and policy decision points". This will enable information security professionals to focus on managing policies, not programming infrastructure.
3. Policies based on logical attributes
Security policies need to be tied to logical, not physical, attributes. More real-time context information must also be incorporated at the time a security decision is made to enable faster assessments of whether an action should be allowed or denied.
4. Adaptive trust zones
Security policies based on logical attributes must be used to create logical groups of workloads with similar security requirements and levels of trust to provide high-assurance separation of workloads of different trust levels.
5. Separate configurability
Strong separation of duties and concerns between IT operations and security needs to be enforceable within a private cloud infrastructure, which requires that virtualisation and private cloud-computing platform suppliers must provide the ability to separate security policy formation and the operation of security virtual machines from management policy formation and the operation of the other datacentre virtual machines.
6. 'Federatable' policies and identity
Ideally, private cloud security infrastructure should be able to exchange and share policies with other datacentre security infrastructure, and security controls placed across physical and virtualised infrastructure should be able to intelligently co-operate for workload inspection. Security policies designed to protect workloads on premises should also be able to be federated to public cloud providers.