Cloud Computing: Virtualized Execution Security
Virtualization is going mainstream and getting big. According to recent estimates, enterprises could utilize hundreds of millions of virtualized servers within the next few years. IT managers need technology to make their virtualized resources (data and applications) smart so that when these resources ‘wake up’ on a different virtual machine, they seek authorization to execute.
Enterprise IT administrators have high expectations when it comes to opportunities in IT resource virtualization. And they should. On-demand access to virtual IT resources offers greater efficiency, reduced capital and staffing costs, and faster deployments. Yet, the virtualized world presents new security challenges as well. It is almost impossible to control where hosted resources – data or applications encapsulated in virtual hardware – physically reside. As a result, enterprises may inadvertently expose their sensitive resources to real threats.
Imagine that an IT manager contracts with a third-party service to host an enterprise application on a virtualized server. Unbeknownst to the IT team, the third-party service subcontracts with another service, moving the virtual machine and the enterprise application to a different location with a different legal jurisdiction and a different security profile. Depending on the situation, the enterprise is now possibly violating compliance rules or exposing itself to data protection or other legal issues. Or, in a potentially worse scenario, imagine that same enterprise application was ‘hot-swapped’ to a rogue or imposter server, even one compromised by an attacker. Unfortunately, these scenarios are all too real.
Enterprise IT managers need technology to monitor and remotely control what happens in their virtualized worlds. In order to prevent the real and potential problems of unsanctioned hosting areas or rogue machines, they need the ability to create and enforce policies that determine where their software can execute. These policies must track activity, giving applications or virtual environments the capability to recognize when they are instantiated in a new environment and the ‘smarts’ to seek authorization prior to allowing execution.
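The policy described above can be sketched as a small execution gate: the workload fingerprints the environment it has been instantiated on, notices when that fingerprint differs from the one it last ran in, and asks an enterprise-controlled policy server for a signed, time-limited authorization before doing any work. The following is an added example written for this page, not code from the original whitepaper or any vendor product. The host identifiers, jurisdictions, provider names and shared key are constructed sample values, and the HMAC shared between server and workload stands in for what a production design would do with an asymmetric signature (so the workload holds only a verification key) or a hardware-backed attestation.

```python
"""Environment-aware execution gate (added illustration, not the page's own code).
A workload records the environment it last ran in; whenever it wakes up somewhere
else, it asks an enterprise policy server for permission before doing any work.
Host IDs, jurisdictions, providers and the key are constructed sample values."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict
from typing import Callable, Optional, Tuple

Token = Tuple[bytes, str]  # (signed payload, hex-encoded HMAC over it)


@dataclass(frozen=True)
class EnvironmentFingerprint:
    """What the workload can observe about the machine it is instantiated on."""
    host_id: str       # hypervisor-reported machine identifier (constructed)
    jurisdiction: str  # legal jurisdiction of the hosting site (constructed)
    provider: str      # hosting provider currently running the VM (constructed)

    def digest(self) -> str:
        # Canonical JSON so an identical environment always hashes identically.
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).hexdigest()


class PolicyServer:
    """Enterprise-controlled authority deciding where the workload may execute."""

    def __init__(self, key: bytes, allowed_jurisdictions: set, approved_hosts: set, ttl: int = 300):
        self.key = key
        self.allowed_jurisdictions = allowed_jurisdictions
        self.approved_hosts = approved_hosts
        self.ttl = ttl  # seconds an authorization stays valid before it must be renewed

    def authorize(self, fp: EnvironmentFingerprint, now: float) -> Optional[Token]:
        """Return a signed, time-limited token bound to fp, or None if policy denies."""
        if fp.jurisdiction not in self.allowed_jurisdictions:
            return None  # moved to a jurisdiction the enterprise has not sanctioned
        if fp.host_id not in self.approved_hosts:
            return None  # unknown or imposter host
        body = json.dumps({"env": fp.digest(), "exp": int(now) + self.ttl}, sort_keys=True).encode()
        return body, hmac.new(self.key, body, hashlib.sha256).hexdigest()


def token_is_valid(token: Token, key: bytes, fp: EnvironmentFingerprint, now: float) -> bool:
    """Check the signature, the binding to the current environment, and the expiry."""
    body, mac = token
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # forged or altered token
    payload = json.loads(body)
    return payload.get("env") == fp.digest() and payload.get("exp", 0) > now


class GuardedWorkload:
    """Wraps an application entry point with the 'seek authorization first' rule."""

    def __init__(self, server: PolicyServer, verify_key: bytes, run: Callable[[], str]):
        self.server = server
        self.verify_key = verify_key
        self.run = run
        self.last_env: Optional[str] = None   # digest of the environment we last ran in
        self.token: Optional[Token] = None

    def start(self, fp: EnvironmentFingerprint, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # A new environment, a missing token or an expired one forces fresh authorization.
        if (fp.digest() != self.last_env or self.token is None
                or not token_is_valid(self.token, self.verify_key, fp, now)):
            self.token = self.server.authorize(fp, now)
            self.last_env = fp.digest()
        if self.token is None or not token_is_valid(self.token, self.verify_key, fp, now):
            self.token = None
            return "refused"  # do not execute in an unsanctioned environment
        return self.run()


if __name__ == "__main__":
    KEY = b"constructed-shared-secret"
    server = PolicyServer(KEY, {"EU"}, {"vm-host-0001", "vm-host-0002"})
    app = GuardedWorkload(server, KEY, lambda: "executed")
    home = EnvironmentFingerprint("vm-host-0001", "EU", "contracted-provider")
    moved = EnvironmentFingerprint("vm-host-0001", "US", "subcontractor")
    rogue = EnvironmentFingerprint("vm-host-9999", "EU", "unknown")
    print(app.start(home, now=1000))   # executed
    print(app.start(moved, now=1001))  # refused: jurisdiction not sanctioned
    print(app.start(rogue, now=1002))  # refused: host not approved
```

The decision points map directly onto the two scenarios in the text: the subcontracted move changes the jurisdiction in the fingerprint and is denied by policy, and the imposter host carries an identifier the enterprise never approved. Because the token is bound to the environment digest and expires, a copy captured in one environment is useless in another, and a long-running instance re-seeks authorization on its own schedule rather than only at first start.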
