VMworld 2014: Toward a Secure Hybrid Cloud
VMware and Intel developing secure hybrid cloud solution that addresses data residency, encryption, and efficiency challenges.
By now, it's widely accepted that just about any enterprise could benefit from some form of cloud computing. For organizations without the resources to build their own private clouds yet unwilling to put all their trust in the public cloud, hybrid cloud deployments can be an effective compromise. The hybrid cloud comes with its own challenges, however. In the VMworld 2014 panel session "Deploying Secure Hybrid Cloud; Key Learnings and Solutions," VMware and Intel representatives laid out a three-pronged approach to addressing those challenges.
VMware tackles security and compliance challenges of hybrid cloud
The complexities of hybrid cloud deployments, which are often spread across multiple providers and distributed across multiple geographic regions, can make security and compliance especially difficult. At the same time, tightening data privacy regulations and a string of high-profile data breaches in recent years make security and compliance critical.
When it comes to virtualizing regulated workloads, several key needs must be met. For maximum efficiency, hybrid clouds and the software-defined data center need a selection of different trust levels so that regulated and unregulated workloads can be run in the environments most suited to them. In regulated industries, the security controls, configurations, and capabilities of "secure" VMs may need auditor validation and will need to produce an audit trail to prove compliance. Consumers and providers—in the case of the enterprise, the end user and the backend IT staff—will need to be separated and user access privileges granted and enforced accordingly. And best practices must be developed and implemented for all the processes needed to keep sensitive data in a hybrid cloud secure.
VMware's current approach to helping customers achieve security and compliance is primarily educational, as Jerry Breaud, VMware senior strategic alliance manager, explained at the start of the panel. VMware creates architecture frameworks that incorporate VMware's guidance for compliance and has those frameworks evaluated and verified by third parties. The vendor also works closely with its partner ecosystem to provide training and resources as needed.
The effort doesn't stop there, however. VMware and Intel are devising a new set of capabilities to deliver comprehensive security to VMware hybrid clouds. According to the vendors, the collaboration will provide:
- Protection for VM payloads
- Visibility and reporting
- VM segregation and data location control
- Consistent security policies across the entire hybrid cloud
- Workload monitoring across multiple clouds
Secure hybrid cloud through trusted pools, geo-tagging, and VM protection through encryption
The first part of the VMware/Intel collaboration will provide a way to maximize efficiency without sacrificing security. The "Trusted Pools" concept establishes and propagates security control attributes across certain VMs and validates them under a system the vendors call Platform Trust. This will allow organizations to pool their trusted resources and separate them from untrusted ones. Once that is in place, organizations can implement policies to determine where their workloads will run: on trusted resources if the workloads are regulated or sensitive, for instance, and on untrusted ones if they aren't. As the cherry on top of this particular sundae, the entire process will generate data for audit logs and compliance reporting.
Trusted Pools takes care of whether workloads should be handled by more secure VMs, but what about whether certain workloads can enter or leave certain geographic regions? Compliance with data residency regulations can prove tricky for enterprises with very distributed cloud deployments. The second aspect of the VMware/Intel secure hybrid cloud collaboration addresses this with a geo-tagging feature. In short, hardware is tagged with a unique descriptor in the TPM that can identify the machine's location. Then, as with the Trusted Pools feature, organizations can develop and implement policies to control where workloads can be run. The tags can be changed if the servers' locations are changed, enabling more seamless enforcement of location-based security policies.
Of the three key features Intel and VMware are working on, these location-based security measures are the farthest along in development. In fact, security vendor, VMware partner, and Intel collaborator HyTrust now offers them as "Boundary Controls."
Encryption is the final piece of the secure hybrid cloud puzzle, but not just any encryption. Cloud encryption cannot be trusted if service providers have access to the encryption keys. The encryption strategy VMware and Intel are developing gives tenants exclusive control of the encryption keys and encrypts data at rest and in motion, all the way up to execution. But VMware and Intel go a step farther than most other cloud encryption providers by tying decryption capabilities in with the security status of the target servers themselves. Decryption keys will be wrapped in a layer of code to validate security at the destination. In other words, data will only be decrypted if it arrives at a "trusted" server, providing an extra boost of security for sensitive or regulated information.
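The three mechanisms described above (Trusted Pools, TPM geo-tags, and decryption keys that are released only to a trusted destination) share one control point: a verifier checks a host's attestation before a placement or key-release decision is made. The following is an added illustration, not code from VMware, Intel or HyTrust. It simulates that control loop in Python: a host signs a "quote" over its boot measurement and geo-tag with a per-host key (an HMAC standing in for a TPM attestation key, which is a simplification), an attestation service checks the signature against a whitelist of known-good measurements, and a key broker hands out a tenant's data key only when the host is both trusted and inside an allowed region. All measurement values, host names, regions and key IDs are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed reference values for this simulation. A real deployment takes them
# from TPM PCR quotes and the attestation service's whitelist of good builds.
KNOWN_GOOD_MEASUREMENT = hashlib.sha256(b"hypothetical trusted hypervisor build").hexdigest()
TAMPERED_MEASUREMENT = hashlib.sha256(b"hypothetical modified hypervisor build").hexdigest()


@dataclass
class Host:
    name: str
    measurement: str   # boot-chain hash the TPM would report in a quote
    geo_tag: str       # asset tag provisioned into the TPM, e.g. "EU"
    tpm_key: bytes = field(default_factory=lambda: os.urandom(32))  # stand-in for the TPM attestation key

    def quote(self, nonce: bytes) -> dict:
        """Simulated TPM quote: an HMAC over measurement, geo-tag and the verifier's nonce."""
        msg = f"{self.measurement}|{self.geo_tag}|{nonce.hex()}".encode()
        sig = hmac.new(self.tpm_key, msg, hashlib.sha256).hexdigest()
        return {"host": self.name, "measurement": self.measurement,
                "geo_tag": self.geo_tag, "nonce": nonce, "sig": sig}


class AttestationService:
    """Verifier side of 'Platform Trust': enrolls host keys and checks quotes."""

    def __init__(self, known_good: set[str]):
        self.known_good = known_good
        self.keys: dict[str, bytes] = {}

    def enroll(self, host: Host) -> None:
        self.keys[host.name] = host.tpm_key  # enrolment happens out of band in practice

    def is_trusted(self, q: dict) -> bool:
        key = self.keys.get(q["host"])
        if key is None:
            return False  # unknown host: nothing to verify against
        msg = f"{q['measurement']}|{q['geo_tag']}|{q['nonce'].hex()}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        # The signature must verify AND the measured boot chain must be whitelisted.
        return hmac.compare_digest(expected, q["sig"]) and q["measurement"] in self.known_good


def placement(q: dict, attest: AttestationService, regulated: bool, allowed_regions: set[str]) -> bool:
    """Trusted Pools + geo-tag policy: may this workload be scheduled on the quoting host?"""
    if not regulated:
        return True  # unregulated workloads may run on any host
    return attest.is_trusted(q) and q["geo_tag"] in allowed_regions


class KeyBroker:
    """Tenant-controlled key store that releases a data key only to a host passing policy."""

    def __init__(self, attest: AttestationService):
        self.attest = attest
        self.keys: dict[str, tuple[bytes, set[str]]] = {}

    def register(self, key_id: str, dek: bytes, allowed_regions: set[str]) -> None:
        self.keys[key_id] = (dek, allowed_regions)

    def release(self, key_id: str, q: dict) -> bytes | None:
        dek, regions = self.keys[key_id]
        if placement(q, self.attest, regulated=True, allowed_regions=regions):
            return dek
        return None  # untrusted, unknown or out-of-region host: ciphertext stays opaque


def run_scenario() -> dict[str, bool]:
    """Returns, per constructed host, whether the broker released the tenant's key."""
    attest = AttestationService({KNOWN_GOOD_MEASUREMENT})
    hosts = [
        Host("eu-trusted", KNOWN_GOOD_MEASUREMENT, "EU"),
        Host("us-trusted", KNOWN_GOOD_MEASUREMENT, "US"),
        Host("eu-tampered", TAMPERED_MEASUREMENT, "EU"),
        Host("eu-unenrolled", KNOWN_GOOD_MEASUREMENT, "EU"),
    ]
    for h in hosts[:3]:
        attest.enroll(h)  # the fourth host is deliberately never enrolled
    broker = KeyBroker(attest)
    broker.register("tenant-db-key", os.urandom(32), allowed_regions={"EU"})

    results = {}
    for h in hosts:
        q = h.quote(os.urandom(16))  # fresh nonce per request defeats quote replay
        results[h.name] = broker.release("tenant-db-key", q) is not None

    # A host outside the region cannot simply relabel itself: the geo-tag is
    # covered by the quote signature, so editing it invalidates the quote.
    relabeled = dict(hosts[1].quote(os.urandom(16)), geo_tag="EU")
    results["us-relabeled"] = broker.release("tenant-db-key", relabeled) is not None
    return results


if __name__ == "__main__":
    for name, released in run_scenario().items():
        print(f"{name:14s} key released: {released}")
```

Only the enrolled, correctly measured host inside the allowed region obtains the key; a tampered build, an unknown host, an out-of-region host, and a quote whose geo-tag was edited after signing are all refused. The same check gates VM placement in `placement()`, which is the Trusted Pools decision, and key release in `KeyBroker.release()`, which is the "decrypt only on a trusted server" decision the article describes.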
VMware and Intel's goal is to provide a set of building blocks that enable customers to build the most secure hybrid cloud possible. Their approach to doing so is a bottom-up one: propagation of hardware-based "trust," in the vendors' parlance, up through the stack to the software layer. This consistency is especially critical in enterprise clouds, which are expanding and growing more complex by the day. Also vital is the ability to write and push out policies for automated enforcement, another area on which VMware and Intel are strongly focused.
VMware and Intel's secure hybrid cloud solution is still a work in progress, as panel speaker Raghu Yeluri, principal engineer and lead security solutions architect, Data Center & Cloud Products Group at Intel, freely admitted. But the strategy is sound and may yield innovative new ways to cure compliance and security headaches.
Jude Chao is managing editor of Enterprise Networking Planet. Follow her on Twitter @judechao.