We have all heard the terms Virtualization and Cloud. Yet we don't necessarily equate either of those two words with a very important term, Security. In some respects the phrase “Cloud Security” or “Virtualization Security” generates an oxymoron, i.e., an incongruity.
Each one of us involved in law firm IT is very aware of what types of information could potentially be held on the firm’s computing resources. Examples include, but are not limited to, end users' smartphones and the SAN infrastructure contained in your physically secure data centers. The data may consist of everything from employee/client Personally Identifiable Information (PII) to firm or client intellectual property (IP), financial data, etc. Many such categories of information, especially the client data, are subject to regulatory compliance under state/federal statutory law.
As the latest ILTA Technology Survey, which Jim McCue so elegantly blogged about on November 29, 2011, shows, law firms (57% this year) are embracing virtualization. The law firm at which I am the IT Director is part of that 57% statistic and has been actively "virtualizing" our server/storage infrastructure for more than three years now. The past year has seen a rapid increase in this process as part of our build-out of a new data center (stay tuned for future blog posts on this project) and the disaster recovery/business continuity replica.
Cloud computing, be it public, private or a hybrid, is a realm warranting evaluation from a security perspective because we are all probably experiencing increased pressure from management and/or clients to migrate data to the "cloud" model, utilizing either the SaaS, PaaS or IaaS service model as defined by NIST (http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf).
At our firm, we began a project to assess what is available from vendor offerings dealing with virtual machines (server or desktop) in an on-premises (private cloud) or public cloud environment. Assurance of the highest level of security was the main focus.
We determined that, to be "secure," both the “virtual disk file” (.vmdk) in use, including its sub-files, and any attached “Virtual Machine File System” (VMFS) volumes need to be encrypted while at rest or in transit.
In this initial product “blog”, I will give a general description of one that we have been actively pilot testing from a new start-up named HighCloud Security (HCS). HCS provides virtual machine security in any of the three above-mentioned variants of “Cloud” technology. It does so through encryption, key, and policy management.
Virtual machines and their underlying data are protected throughout their entire lifecycle, from creation to deployment and all the way through to secure de-provisioning. In addition to protecting operating system and application data, HighCloud’s unique approach also protects memory files, copies, snapshots, and templates. The encryption process is completely transparent to end-users. It is also extremely simple for IT staff to deploy, with no agent installation required within the virtual machines. HighCloud Security features centralized key and policy management, allowing you to manage your deployment from one place regardless of size and complexity.
Following is an outline of the highlights of the HCS approach:
o Secure Virtual Machines
• Transparent encryption of virtual machines
• Protection of data in storage, in transit, and in back-ups
• Supportable in data centers, as well as on private and public clouds
o Key and Policy Management
• Security-hardened key manager for the highest level of protection
• Easy-to-use policy-based key management requiring no knowledge of keys
• Transparent initial encryption deployment and re-keying enabling zero
• Role-based administration with separation of duties and multi-tenancy
o Auditing, Reporting, and Compliance
• Enables auditing and reporting of all administrative and virtual machine runtime
• Capable of meeting legislative and regulatory compliance requirements
• Support for external log systems
• Easily scales to large enterprise and multi-tenant cloud environments
• Integrates seamlessly with existing DAS, NAS, or SAN storage systems for
• Automatically restores protected virtual machines into production, backup and disaster recovery environments
• De-duplicates virtual machines’ data for space efficiency and reduced costs
Virtualization security blog entries will continue over the next few months providing reviews of additional vendor products that address the issue of security in a virtualized or cloud infrastructure.
Posted by Kevin K. Moore, Director of IT, Fenwick & West LLP