Securing the Cloud: Small Bites, Cloud Tapas
I like lists. There’s no getting around my need to itemize everything, and surprisingly this is something that comes up in my every day life, every day. I even had a debate with someone recently on the proper way to structure pro and con lists: I prefer horizontal (pros listed first, then cons), she prefers vertical (pros on the left, cons on the right). Regardless of your pro/con list display preference, lists are critical to the way I think about things. This is most true when coming up with ideas about technology. Today’s list focuses on security in the cloud: How can we possibly tackle such a beast of a problem? Easy, with a list.
As I’ve talked about a good bit recently, security in the cloud is something we’re all currently thinking about and about to face head-on. But the phrase “securing the cloud” is a misnomer; we can no more easily secure the generic cloud than we can secure the entire generic internet. The cloud is made up of many, many pieces that start at a core center (the computing platform resources) and move out to the edge (the network). But that’s only one cloud; The Cloud (as we say) is actually made up of limitless smaller clouds where data is processed locally and then pushed out to another cloud for more processing.
With this in mind, let’s stop thinking about the insurmountable task of securing The Cloud and instead start looking at securing various parts of these micro-clouds. If we can secure the smaller parts then it will be easy to piece these together as we need (a jigsaw coming together if you will) to build out a complete cloud solution. So here’s the list: What smaller parts of the cloud should we start securing today?
- Secure the platforms: Microsoft, VMware, Citrix, hypervisors, virtual switching, segmentation of VM roles
- Secure the frameworks: Those wrappers around the platforms that control provisioning and resource management, tools that manage the data in and out of the cloud to the platforms
- Secure the network: Standard network security can be applied here, but it needs to be managed in parallel with the other cloud delivery security solutions
- Secure the applications: The data receivers from the frameworks. Standard application security can apply here but should have the same requirements as securing the network (i.e. in context) and be paired with platform security
- Secure the endpoints: Doesn’t matter if an endpoint is a traditional client technology or another cloud (remember the good ol’ days of extranets? Yeah, let’s start calling them extraclouds!), anything responsible for seeding data into or receiving data out of the cloud needs to be secured and trusted
- Secure the edge: Just like the endpoints the edge needs to be secured to validate and protect data as it’s coming in and out; the Cloud Sentry
- Secure the Cloud<->Cloud connections: This is really an amalgam of edge and client security, but unlike the model today where we secure each independently, the Cloud<->Cloud security controls need to validate all data and connections in context to make sure that the data that’s supposed to be in the cloud is correct (it may be secure data before this point but now we need to look at it in context of these two clouds talking to each other)
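To make the last item concrete, here is an added example (not code from the original post) of what "validate all data and connections in context" can look like for a Cloud<->Cloud boundary: one policy check that looks at the peer cloud's identity, the direction of flow, and the data's classification and claimed origin together, rather than judging the connection and the payload separately. The peer names, classifications and policy entries are hypothetical values constructed for the example.

```python
"""Contextual gate for a cloud-to-cloud transfer (added example, hypothetical names).

A transfer is allowed only when the connection facts (who the peer is, whether
mutual authentication succeeded, which way data flows) and the data facts
(classification, claimed origin, integrity already checked upstream) agree
with a policy that is keyed on the *pair* of clouds, not on either one alone.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ConnectionContext:
    """Facts about the connection, e.g. taken from the peer's mTLS certificate."""
    peer_cloud: str        # identity of the cloud on the other end
    authenticated: bool    # did mutual authentication succeed?
    direction: str         # "inbound" (into our cloud) or "outbound"


@dataclass(frozen=True)
class DataRecord:
    """Facts about the payload crossing the boundary."""
    classification: str    # e.g. "public", "internal", "restricted"
    origin_cloud: str      # cloud the record claims to have been produced in
    integrity_verified: bool  # signature/hash check already done upstream


@dataclass
class CloudToCloudPolicy:
    """Which classifications may flow in which direction with which peer."""
    allowed: Dict[Tuple[str, str], FrozenSet[str]] = field(default_factory=dict)

    def permit(self, peer: str, direction: str, classes: Set[str]) -> None:
        self.allowed[(peer, direction)] = frozenset(classes)

    def evaluate(self, ctx: ConnectionContext, rec: DataRecord) -> Tuple[bool, str]:
        """Return (allowed, reason). Every denial carries an explicit reason for auditing."""
        if not ctx.authenticated:
            return False, "peer not mutually authenticated"
        if not rec.integrity_verified:
            return False, "payload integrity not verified"
        permitted = self.allowed.get((ctx.peer_cloud, ctx.direction))
        if permitted is None:
            return False, f"no policy for peer {ctx.peer_cloud!r} {ctx.direction}"
        if rec.classification not in permitted:
            return False, (f"{rec.classification!r} data may not flow "
                           f"{ctx.direction} with {ctx.peer_cloud!r}")
        # The in-context check: inbound data must actually come from the cloud
        # we are talking to. The record may be perfectly valid on its own, but
        # arriving over this connection with a different origin is a mismatch.
        if ctx.direction == "inbound" and rec.origin_cloud != ctx.peer_cloud:
            return False, (f"record origin {rec.origin_cloud!r} does not match "
                           f"connecting peer {ctx.peer_cloud!r}")
        return True, "allowed"


def build_demo_policy() -> CloudToCloudPolicy:
    """Constructed policy: our cloud may send public+internal to 'partner-cloud'
    and accept only public data back from it."""
    policy = CloudToCloudPolicy()
    policy.permit("partner-cloud", "outbound", {"public", "internal"})
    policy.permit("partner-cloud", "inbound", {"public"})
    return policy


def run_demo() -> List[Tuple[str, bool, str]]:
    """Evaluate a few constructed transfers and return (label, allowed, reason)."""
    policy = build_demo_policy()
    cases = [
        ("outbound internal to partner",
         ConnectionContext("partner-cloud", True, "outbound"),
         DataRecord("internal", "our-cloud", True)),
        ("outbound restricted to partner",
         ConnectionContext("partner-cloud", True, "outbound"),
         DataRecord("restricted", "our-cloud", True)),
        ("inbound public from partner",
         ConnectionContext("partner-cloud", True, "inbound"),
         DataRecord("public", "partner-cloud", True)),
        ("inbound public with foreign origin",
         ConnectionContext("partner-cloud", True, "inbound"),
         DataRecord("public", "other-cloud", True)),
        ("unauthenticated peer",
         ConnectionContext("partner-cloud", False, "outbound"),
         DataRecord("public", "our-cloud", True)),
        ("unknown peer",
         ConnectionContext("stranger-cloud", True, "outbound"),
         DataRecord("public", "our-cloud", True)),
    ]
    return [(label, *policy.evaluate(ctx, rec)) for label, ctx, rec in cases]


if __name__ == "__main__":
    for label, ok, reason in run_demo():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}: {reason}")
```

The point of the "foreign origin" case is the one the post makes: the record itself passed its integrity check and is of a permitted classification, yet it is still refused because, in the context of this particular pair of clouds, it is not the data that is supposed to be arriving over that connection.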
The nice thing about breaking these items out in a list is that no single group has to tackle everything. The cloud providers are in the unique place where they can become the Secure Cloud Project Managers, but even then they’re relying on other groups to fulfill their end of the bargain by supplying secure solutions from each of their areas of expertise. Divide and conquer!
There’s no way that securing the giant cloud can be successful if we try to do it all at once and with only one solution. We need multiple solutions working together, and to get to those solutions we need to enter the first two phases of tackling a project: Define and Design.
Now that I’ve done the work of Defining the smaller, bite-sized categories for you, let’s go ahead and start securing each of those categories. Ready? ’cause this is going to take years…