Security and Compliance in the Age of Cloud
Enterprises are in the midst of a transition from on-prem data centers to public and private clouds. Initially, the security and compliance frameworks used in these clouds were adopted from well-known conventional security instrumentation and evaluation techniques. More recently, however, we are seeing the emergence of a new model for cloud security and compliance that is markedly different from the classic IT approach.
The dynamic nature of clouds has made security that is tied to hardware constructs such as servers, networks or disks impractical. Instead, security is increasingly tied to virtual entities such as virtual machines, overlay networks and virtualized storage. Classic security has made heavy use of identifiers such as IP addresses, MAC addresses or system SIDs for access control and audit trails. The decoupling of physical and virtual infrastructure has made these identifiers increasingly ineffective as proxies for security correlation and analytics. The ephemeral nature of cloud entities such as server-less functions or short-lived containers means that any effective security response will require correlation over identifiers and other dependency metadata that are resilient to cloud dynamics.
Clouds also provide a set of distinct advantages for security. Unlike classic data centers, clouds have rich APIs and clearly defined state models that can be used for defining security as well as verifying compliance. By capturing relationships between entities and identifiers at provisioning time and tracking them over the life cycle of an application, we can obtain a comprehensive audit trail that describes intention, abstractions and cross-stack relationships.
In this paper, we show a practical example of how this approach allows us to achieve security and compliance for a cloud application that is regulated under Payment Card Industry (PCI). At provisioning time, the application blueprint provisions logical containment (isolation) and an application firewall, to allow intended behavior and to realize vulnerability protection for flows across the application interface. This context is captured, preserved and presented through a trustworthy tagging mechanism in the hosting platform, so that all relevant abstractions (i.e. pods, segments, containers, VMs, security agents, and virtual security appliances) have ready access to the same contextual information about the application, its regulatory classification and its intended behavior.
At run-time, this intentional context enables both automated constraint of the application to its intended behavior and prevention of the exploitation of known vulnerabilities in the application instance. Should a violation of security policy occur (during an attack), this same context, referenced in log entries as they are written, immediately conveys actionable information to the triage, mitigation and remediation workflows triggered by the violation alert.
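The two phases described above (context captured as tags at provisioning time; policy evaluated on those tags at run-time, with the same context written into every log entry) can be illustrated with a small model. The following is an added example written for this page, not the authors' or VMware's implementation; the application name, tier names, the intended-flow table, the log fields and the IP addresses are all constructed assumptions. The scenario it runs through is the one the abstract motivates: a flow outside the application blueprint is denied and logged, and the log entry still resolves to the correct PCI application after the container's IP address has been recycled to an unrelated workload, where an IP-only lookup would point at the wrong application.

```python
"""Policy and logs keyed on application context (tags), not on IP addresses.

Added example for this page; tag names, flows and log format are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Context:
    """Context captured at provisioning time and attached to every abstraction."""
    app: str          # logical application, e.g. "checkout"
    tier: str         # role within the application: "web", "app", "db"
    regulation: str   # regulatory classification, e.g. "PCI"


@dataclass
class Workload:
    instance_id: str  # ephemeral identifier (container or VM id)
    ip: str           # infrastructure identifier that may be reused later
    context: Context


# Intended behavior from the blueprint, expressed on tiers rather than addresses
# (constructed): (src_tier, dst_tier, port).
INTENDED_FLOWS = {
    "checkout": {("web", "app", 8443), ("app", "db", 5432)},
}


class Inventory:
    """Tracks identifier-to-context bindings over the workload life cycle."""

    def __init__(self) -> None:
        self._live_by_ip: dict[str, Workload] = {}
        self._history: dict[str, Workload] = {}  # by instance_id, never dropped

    def provision(self, w: Workload) -> None:
        self._live_by_ip[w.ip] = w
        self._history[w.instance_id] = w

    def decommission(self, w: Workload) -> None:
        # The IP becomes free for reuse; the instance's context stays in history.
        if self._live_by_ip.get(w.ip) is w:
            del self._live_by_ip[w.ip]

    def live(self, ip: str) -> Optional[Workload]:
        return self._live_by_ip.get(ip)

    def by_instance(self, instance_id: str) -> Optional[Workload]:
        return self._history.get(instance_id)


def evaluate_flow(inv: Inventory, src_ip: str, dst_ip: str, port: int) -> dict:
    """Decide a flow by tags and emit a log entry that carries the context."""
    src, dst = inv.live(src_ip), inv.live(dst_ip)
    entry = {"src_ip": src_ip, "dst_ip": dst_ip, "port": port}
    if src is None or dst is None:
        entry.update(decision="deny", reason="unknown endpoint")
        return entry
    same_app = src.context.app == dst.context.app
    intended = (src.context.tier, dst.context.tier, port) in INTENDED_FLOWS.get(
        src.context.app, set())
    ok = same_app and intended
    entry.update(
        decision="allow" if ok else "deny",
        reason="intended flow" if ok else "not in application blueprint",
        src_instance=src.instance_id, src_app=src.context.app, src_tier=src.context.tier,
        dst_instance=dst.instance_id, dst_app=dst.context.app, dst_tier=dst.context.tier,
        regulation=dst.context.regulation,
    )
    return entry


def triage(inv: Inventory, entry: dict) -> dict:
    """Resolve a past log entry to the application it concerned.

    The context in the entry (instance id, app, tier, regulation) stays valid
    after the IP has been recycled; a lookup by the IP as it is bound now does not.
    """
    by_context = inv.by_instance(entry.get("dst_instance", ""))
    by_ip = inv.live(entry["dst_ip"])
    return {
        "app_from_context": by_context.context.app if by_context else None,
        "app_from_ip_now": by_ip.context.app if by_ip else None,
    }


def demo() -> tuple[dict, dict, dict]:
    """Constructed scenario: a PCI checkout app, one violation, then IP reuse."""
    inv = Inventory()
    web = Workload("c-web-01", "10.0.1.10", Context("checkout", "web", "PCI"))
    app = Workload("c-app-01", "10.0.2.10", Context("checkout", "app", "PCI"))
    db = Workload("c-db-01", "10.0.3.10", Context("checkout", "db", "PCI"))
    for w in (web, app, db):
        inv.provision(w)
    allowed = evaluate_flow(inv, web.ip, app.ip, 8443)
    violation = evaluate_flow(inv, web.ip, db.ip, 5432)  # web -> db is not intended
    # The db container is recycled and its address lands on an unrelated app.
    inv.decommission(db)
    inv.provision(Workload("c-blog-07", "10.0.3.10", Context("blog", "web", "none")))
    return allowed, violation, triage(inv, violation)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The firewall decision never consults an address list: it compares the tiers and application tags bound to each endpoint against the blueprint, so replacing, rescheduling or re-addressing a container does not change the policy. The denied entry already carries the application, tier, instance and regulatory classification, which is what a triage workflow needs to act without first reconstructing what `10.0.3.10` meant at the time.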
More generally, this work demonstrates that by both exposing intentional context and expressing security policy on logical contextual abstractions, rather than on brittle infrastructure identifiers, we enable security policy, response and analytics to be effective in the highly dynamic cloud environment. While the move to the cloud requires a different security architecture, we believe that in the end it is possible to build applications in public clouds that are equally secure as, or in fact even more secure than, those we can build on premises today.
Dennis R. Moreau
Dennis is currently a Senior Engineering Architect at VMware, working on leveraging application and platform context to realize highly resilient, scalable and adaptive security and compliance in clouds and software-defined data centers. He has worked with OASIS, the National Institute of Standards and Technology (NIST), the U.S. Department of Defense (DoD) and the Mitre Corporation on the development of security/compliance information and automation standards. Dennis is highly experienced in designing security/compliance management solutions. Prior to joining VMware he was a Senior Technology Strategist at RSA specializing in utility computing security, advanced threat technologies and trust modeling. He was also a co-founder and the CTO of Configuresoft (acquired by EMC) and the CTO for Baylor College of Medicine. He holds a doctorate in Computer Science and has held research and faculty positions in Computer and Computational Sciences. His research has been sponsored by the National Aeronautics and Space Administration, Caltech/Jet Propulsion Laboratories, the US Department of Commerce, the National Institutes of Health, the National Library of Medicine, AT&T Bell Laboratories and IBM. He is a frequent presenter at security conferences globally.
Guido Appenzeller is currently CTO Cloud & Networking at VMware, where he is driving the company's transformation towards Public Clouds and SaaS. Before VMware he co-founded Big Switch Networks and led the company for 4 years as CEO. Previously Guido founded and was CTO at Voltage Security (acquired by HP) and helped grow it to profitability and over 1,000 Enterprise Customers. From 2008 to 2010 Guido was a Consulting Assistant Professor at Stanford University, where he led the team that developed the OpenFlow standard. Guido was named a top Technology Leader on the MIT TR35, a Technology Pioneer by the World Economic Forum and one of the 100 Most Intriguing Entrepreneurs by Goldman Sachs. He holds a Ph.D. from Stanford University and an M.S. (Diploma) from the Karlsruhe Institute of Technology.