I attended the Gartner Data Center Conference in Las Vegas in December to gain some insights about how enterprise IT professionals are viewing virtualization and cloud computing. While I dislike Las Vegas in general, I was able to visit the Pinball Hall of Fame (a must-see if you’re a pinball aficionado). From a security perspective, I had a couple of “aha” moments listening to the Gartner analysts and attendees about how they are approaching cloud computing.
Virtualization is Running Rampant: The VMware session overflowed the room, and most sessions dealing with virtualization and storage fabrics were packed with attendees. The session on virtualization security highlighted that there is some disconnect between the IT folks dealing with applications & storage and those dealing with security. The virtualization train is running full steam ahead, but the security teams are running to catch up and come to grips with the security implications of virtualization. The old perimeter security model is being stressed as applications VMotion around the VMware environment (watch out for that sensitive app accidentally landing in the DMZ). The security implication: you had better architect your virtual data center carefully and think about VLANs with Distributed Virtual Switches.
Private Cloud Computing is the Enterprise Short-term Response: CIOs are getting asked by CEOs to “get some of this cloud stuff to lower costs”, and the CIOs are responding with, “Yes, we’re doing that today, and it is called a private cloud”. Much of the focus of the Gartner event from vendors and Gartner analysts was around private cloud computing. Everyone seemed to have their own definition of what constituted a private cloud, with marketers and enterprise IT exploiting the sexy concept du jour that is cloud computing. Some cloud purists might be uncomfortable with this, but enterprise IT and vendors are jumping on the cloud bandwagon with the “private cloud” concept. Much of what I saw at the Gartner Data Center Conference was an aggressively virtualizing data center, but you can get more organizational mileage by saying “I got myself a private cloud.”
Public Cloud for Storage: One cool application of SaaS/PaaS/IaaS was provided by Matthew Merchant (CTO) from General Electric in his session “Cloud Storage @ GE”. GE created an in-house application to take care of backup that used public cloud storage vendors such as Amazon AWS. They were able to slice 40% to 60% out of the cost of backup using the public cloud – very cool stuff. The security implication: encrypt the data to meet your compliance obligations.
Public Cloud for Resiliency & Disaster Recovery: John Morency from Gartner had a very cool session titled “Building Resiliency via Colocation and the Cloud” that touched on the use of the public cloud as a “warm spare” or “cold spare” failover site for Disaster Recovery (known affectionately to the cognoscenti as “DR”). One excerpt from Mr. Morency’s pitch that I found enlightening was “By 2014, 15% of large enterprises will use a combination of private infrastructure and public cloud services in order to improve recovery and continuity readiness.” DR is a sweet application of public cloud computing to lower costs and increase flexibility. The security implication: enterprises need to consider securing the cloud instances with solutions like Trend Micro Deep Security 7.0 for servers (a shameless promotion for a sweet product).
Cloud for Test & Development: Something I heard from Gartner analysts in the past is that the public cloud is a great place for test and dev for applications, but those test and dev environments are using real data that needs to be secured. When I speak to Trend Micro’s IT security customers about the cloud, they frequently say “We’re not using it.” But when you ask if some app developers might be going directly to Amazon EC2, the security folks grudgingly nod their heads. The security implication: test and dev environments in the public cloud may need securing when real data is being used.
IT Security in the Cloud World: One comment from Cameron Haight and Milind Govekar’s pitch titled “Cloud Computing Management — Making Sure Mountains Aren’t Hiding in the Mist” resonated with me from a security perspective. “Cloud computing is not the death knell for IT; in fact, it’s an opportunity to reinvigorate IT’s service delivery role, provided appropriate updates are made with respect to processes, tools and organizational structure.” This is especially relevant in the world of IT security; no one else will look out for the corporate crown jewels.