Chuck's Blog

To Begin With

Ask any audience what the #1 concern around cloud is, and you'll often get the answer in unison: it's security. Sam Curry of RSA has an interesting perspective here.

On a more pragmatic note, so many internal virtualization efforts are now starting to tackle the applications that really matter.

And these business-critical apps demand the very best in performance, protection, management -- and security.

If you're close to the technology, this can be a frustrating state of affairs, as the potential level of security in fully virtualized (or cloud-like) environments can be far more simpler and effective than the traditional physical approaches that are so familiar today.

The reason is simple: the virtual machine provides an incredibly convenient and powerful boundary to define and enforce policy across the infrastructure, and -- in some cases -- provide what the applications can not easily do for themselves.

Some of us see the current industry transition to a virtualized model as a once-in-a-career opportunity to create environments where security is built in vs. bolted on.

Trying To Keep Things Simple

I often get accused of oversimplifying complex topics, and this one is no exception.

For me, the security/GRC discussion boils down into three key areas:

• a rich set of enabling technology for the required functions
• robust process and workflow around the enabling technologies
• monitoring and reporting to make sure the processes and technologies are working as intended

The last topic, in particular, seems to be the magic bullet as far as I can see.

Specifically, put a robust and visual integrated GRC dashboard in front of people that assures them that everything is under control, and it's amazing how quickly perceptions can change.

The RSA Solution for Cloud Security and Compliance

The centerpiece of the new RSA capability is the Archer eGRC dashboard -- which now has been dramatically extended to understand VMware environments (and their associated infrastructure) in considerable detail.

BTW -- if you're not familiar with Archer, or the whole topic of GRC, I'd encourage you to check this out.

The Archer framework can now use its knowledge about industry compliance standards (e.g. PCI-DSS, HIPAA, FISMA, etc.) to drive specific audits and workflows in both the virtual and physical infrastructure.

Using a broad library of industry policies and regulations as guidelines, Archer eGRC now monitors and manages the state of over 100 VMware-specific controls and settings that affect security and compliance.

This VMware-specific knowledge now joins the vast library of other domains that Archer already understands: networks, applications and other aspects of the IT environment.

Behind the Archer GRC management centerpiece, there's much more -- for example, integration with the popular RSA enVision SEIM (security event information management) platform.  Advanced authentication and access control.  Integration with other popular components of the security and GRC ecosystem.  Advanced work with Intel to create a trusted hardware root.

And even some strong encryption if you need it :-)

Unpacking The Pieces

Chad does a good job of describing one aspect of the RSA Solution -- the automatic checking of various settings in a virtual landscape.  And for the virtual administrator who has to keep all this stuff in check, it's great.

But there's a lot more to the story.

For example, the RSA solution drives coordinated activities across multiple roles in the IT, security and compliance domain: everything from the people who are configuring and installing the resources to the person who has to meet with auditors on a regular basis.

A key part of the solution is the integration with RSA's enVision SEIM (security event information management) platform, which in turn monitors all manner of events that affect security and compliance, including alerts from the HyTrust platform, or RSA's own DLP (data loss prevention suite).

All architected for today's fully virtualized environments, and tomorrow's clouds.

If you've got a moment, I highly recommend this short video showing the dashboard view of the solution.  It'll give you a flavor for what it does at an administrative level.

And A Very Cool Technology Preview

Earlier this year, Intel, VMware and RSA showed some very cool technology at the RSA Conference.  Intel's new capability, known as "TXT", provides for a "hardware trusted root": the processor can successively verify and validate that the rest of the infrastructure can be trusted: server, storage, network, hypervisor, applications, etc.  Not everyone understood what we all were doing, but a few people did.

In addition, at EMC World, we demonstrated using VPLEX to dynamically relocate multiple VMs over considerable distances non-disruptively.  If one aspect of cloud is pooling, we'll all want to build larger and larger pools that incorporate greater and greater distances.

These two enabling technologies come together and use the RSA solution to control the movement of VMs in a global cloud.  Individual VMs are tagged.  The RSA/Archer solution uses these labels to monitor and audit the relocation of workloads and associated data.

The result is pretty cool: properly tagged workloads aren't moved unless the platform is both trusted and within the same country, using the FISMA standard.  Thanks once again to Chad for making this video available (no sound, just slides).

If that doesn't get your cloud geek juices flowing, nothing will :-)

Enabling Partners

All this advanced technology is nice, but without smart people who can deploy and operate it (whether that's in a traditional enterprise setting, or delivered as an external service) adoption will be slow.

A key component of the offering was unveiled last week at the XChange conference, where RSA announced a new, enhanced partner program (RSA SecurWorld) that significantly raises our investment in the success of integrators, consultants -- and service providers.

Indeed, as I work more and more with service providers of all sizes and shapes, security is turning out to be a key differentiator for their offerings.  Not only is security-as-a-service an incredibly popular offering, but being able to demonstrate GRC management and control at the RSA Archer level kind of ends the discussion when prospective clients are concerned about these issues.

The Bottom Line

The wholesale move to virtualization and private clouds isn't really about doing what we did before a bit cheaper -- it's really about a better way to deliver IT services.

So when it comes to security and GRC, it shouldn't simply be about doing what we did before, it should be about doing things better.