I always get a kick out of the idea that the "cloud" is some advanced, mysterious technology, such that now that we have it, life in the IT shop will be magically transformed, security pros can leave the dirty work to someone else, and costs will miraculously trend all the way down to nothing. It reminds me of an old New Yorker cartoon that shows two businessmen standing in the middle of what, presumably, was a data center. The caption is "Well, that does it Charlie. We've outsourced everything."
The fact is that the cloud is nothing more than a software data center, managed by someone other than the users within which users can by computing services. If that sounds to you a lot like the time-share systems of the 1990s and before, you'd be very close to reality. The trouble now - and the trouble then - is that it is not so much the technology being used that is worrisome, it's the business construct. Because that, really, is all a public cloud is: a virtual data center and a particular business construct.
Now, one would think that the combination of the two - business model and technology - would be a pretty good match. From a security standpoint, anyway, they are not. Why? First, you are using someone else's computers, so you have to play by their rules. While it's often true that you can negotiate a bit, some things simply cannot be changed and, unfortunately, they are just the things that tend to impact the security of the systems.
"...the cloud is nothing more than a software data center..."
Second, you are in a community of users, most of whom you don't even know, yet you're sharing the same data center and the same computers. That means that a little security flaw could impact other users of the cluster. If that's not a cyber definition of the Wild West, we must be confused. Out in cyberspace you are on your own. There is nobody in the cloud to help you.
So that brings us to the batch of products we are looking at this month. The entire notion of security in the cloud is emerging, so the products we expect to see are as well. And that certainly has been the case. We have picked products that don't necessarily compete so you can get a flavor for all of the things that we need to protect in a cloud or virtualized environment and you can get a flavor for many of the ways of accomplishing those tasks. Since securing your cloud or virtual environment is up to you, you have your first challenge.
However, the second challenge is being a good cyber neighbor. That means that whatever you opt for cannot interfere with other implementations on the same cloud or with the cloud itself. This is especially problematic when you need to perform a forensic examination after a breach. But, as we are becoming increasingly used to hearing: "There's an app for that."
More important - although it may not seem so at the time - is preventing a breach altogether. We have products this month that take unique approaches to that task. What we found interesting is that much of what we are seeing as new and innovative for the virtual world are, to some extent, anyway, old hat for the physical world. That's not an unintended side issue, though. Most of the organizations that develop the kinds of products we see this month want the transition from physical to virtual to be as painless as possible for system and security administrators.
Finally, we saw a definite trend toward broadening the coverage area past VMware. Although VMware still pretty much owns the marketspace, there are others out there and some are nibbling around VMware's edges. So it only makes sense to broaden coverage beyond the market leader.
All of this spells innovation. In a rapidly emerging market, such as the cloud and virtualization, if you're not innovating you're in danger, and if you are not moving forward you are taking the risk of becoming obsolete. So, when you start looking for security products to protect your virtual assets - whether they are in the cloud or in your own software data center - look at what these products can do. Does their functionality support your requirements? Can you afford their long-term care? Most important, can you afford to be without them?