Wednesday, February 12, 2014

GRC in the Cloud - Control + Visibility = Trust – Some examples from VMware and RSA

Here’s the basic problem:  Information in the cloud is constantly on the move – that’s the side effect of cloud’s basic benefits of resource utilization and service availability.  This mobility, of course, is what drives security and GRC people crazy because it implies we don’t have visibility into where our information is, or control over where it goes, how it is used or who accesses it.

At EMC we’ve netted out the cloud trust challenge in a simple equation: Control + Visibility = Trust.  (See Chuck Hollis’s blog for more on this and the EMC Cloud Trust Vision Paper that describes it.)
We believe it can be that simple, and here are a few examples that show you why.
Assertion:  Hybrid cloud GRC platforms can gain unprecedented levels of visibility and control by harvesting from monitoring systems to ensure that the hybrid cloud infrastructure conforms to security specifications, and that information is controlled in compliance with policies and regulations.
Proof:  Let’s look at how virtualization facilitates dynamic GRC at the infrastructure level.  Take VMware’s vSphere™ platform: the VMware vShield security suite includes virtual firewalls, logical zoning and edge network security, and new capabilities are being integrated to enhance information security.

Example #1 Information-centric visibility and control:
RSA and VMware are integrating policy libraries from RSA DLP into the VMware vShield solution to discover sensitive or regulated data and create information-centric zones of secure IT resources designed to comply with the most exacting security and compliance standards.  This is key: now we have embedded intelligence to manage and monitor the most heavily regulated data types, including personally identifiable information, payment card information and patient health information. This approach uses secure zones to automate the control and monitoring of sensitive, valuable information – which means that organizations can now safely move mission-critical business processes to a more efficient cloud model.

Example #2 Secure multi-tenancy:
Now let’s look at the oft-discussed multi-tenant risk – how can we ensure secure partitions so that one tenant’s information is kept private and protected from another tenant’s?  The hypervisor-level firewall in the VMware vShield platform is engineered to enforce proper segmentation and trust zones for applications. In private clouds, this means organizations can set up virtual firewalls so that applications with different security requirements – for example, production and testing, finance and sales – can be hosted in the same virtual datacenter. In a cloud service provider environment, VMware vShield solutions enable different tenants to share IT resources safely by creating logical security boundaries that provide complete port group isolation.  This means that organizations can safely process mission-critical information in multi-tenant environments.
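The "harvest from monitoring, then check conformance" idea behind both examples can be made concrete. The following is an added illustration, not VMware or RSA code: it assumes a harvested inventory of VMs (tenant, port group) and a flat list of firewall rules in a constructed shape, and flags two isolation failures, a port group shared by more than one tenant and an allow rule that spans tenant boundaries.

```python
"""Continuous-controls check for tenant isolation in a virtual datacenter.

Added illustration, not a vendor API. VMS and RULES are constructed samples;
in practice they would be harvested from the platform's inventory and
firewall configuration and re-evaluated on every change.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    port_group: str   # logical network segment the vNIC is attached to


@dataclass(frozen=True)
class Rule:
    src_group: str    # port group matched as source ("any" = wildcard)
    dst_group: str    # port group matched as destination
    action: str       # "allow" or "deny"


VMS = [
    VM("web-a1", "tenant-a", "pg-tenant-a"),
    VM("db-a1", "tenant-a", "pg-tenant-a"),
    VM("web-b1", "tenant-b", "pg-tenant-b"),
    VM("shared-x", "tenant-b", "pg-tenant-a"),   # constructed violation: wrong segment
]
RULES = [
    Rule("pg-tenant-a", "pg-tenant-a", "allow"),
    Rule("pg-tenant-b", "pg-tenant-b", "allow"),
    Rule("pg-tenant-a", "pg-tenant-b", "allow"),  # constructed violation: crosses tenants
    Rule("any", "any", "deny"),                   # default deny
]


def tenants_by_port_group(vms):
    """Map each port group to the set of tenants whose VMs sit on it."""
    groups = {}
    for vm in vms:
        groups.setdefault(vm.port_group, set()).add(vm.tenant)
    return groups


def find_violations(vms, rules):
    """Return human-readable findings; an empty list means the control holds."""
    groups = tenants_by_port_group(vms)
    findings = [f"port group {pg} hosts multiple tenants: {sorted(t)}"
                for pg, t in groups.items() if len(t) > 1]
    for r in rules:
        if r.action != "allow":
            continue
        if "any" in (r.src_group, r.dst_group):
            findings.append(f"wildcard allow rule {r.src_group}->{r.dst_group}")
            continue
        src, dst = groups.get(r.src_group, set()), groups.get(r.dst_group, set())
        if src and dst and src != dst:   # endpoints belong to different tenant sets
            findings.append(f"rule {r.src_group}->{r.dst_group} allows cross-tenant traffic")
    return findings
```

Run against the constructed data it reports the mixed port group and the cross-tenant allow rule; remove those two entries and it reports nothing, which is the evidence a GRC platform would record for the control.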

The Future: Adaptive Analytics
So, virtualization is giving us a new level of continuous controls monitoring.  Many of us believe that we will see adaptive analytics employed in these systems to manage information risk in a highly adaptive way.  With these examples we are already seeing the focus of cloud trust shift more and more to information and identities – as we manage some of the highest profile risks – ensuring that information is protected in accordance with its sensitivity, and that only authorized identities, machines and people, can gain access to it.

So, the Call to Action: learn more about hybrid cloud architectures and how virtualization can provide the level of trust your organization needs to make the move to cloud computing.  Talk to your IT architects and CSPs - and keep asking the fundamental question around the basic equation:  how can you show me that Control + Visibility = Trust?
