More software companies are focusing their efforts on easing data security fears associated with storing confidential data on virtual machines (VMs) hosted on shared datacentre servers within the cloud.
However, differing regional rules governing where data can be legally stored is likely to prove the bigger obstacle in the long run.
Laws on data protection vary from one country to another, and in some instances require that sensitive information relating to individuals remain within the company's own datacentre rather than be hosted by a third party. This causes alarm for executives fearful of penalisation by regulators over data loss and breaches of privacy laws.
But they also worry that storing information within VMs on physical servers that additionally host VMs and data from other organisations does not give them sufficient control of that data.
“As people rush into virtualisation they forget every lesson they ever learned about security,” said Stuart Hatto, solutions architect at HP subsidiary and intrusion prevention specialist TippingPoint.
“We have moved from applications running on a physical host to a situation where a hypervisor is running 30 VMs, and that hypervisor can be attacked.”
Recent tests conducted by Broadband Testing in conjunction with Spirent Communications have found ways to stop malware and other types of attack passing through firewalls running within VMs on service provider cloud architecture.
“We scaled up the number of connections between the VMs and fired 1,200 to 1,400 threats a minute at the virtual firewalls inside,” said Spirent EMEA vice president David Hill. “We pretty much saturated it and only one threat got through, which was a vulnerability not in the TippingPoint database. So the virtual environment can be secured.”
Other software companies are also working hard to allay these fears by adding more security to both cloud and virtualised environments. Trend Micro has released a public beta of SecureCloud, which lets users secure sensitive data stored on virtual servers using encryption and virtual server authentication, with key management handled in the customer’s own network rather than by the cloud service provider.
This means they are not dependent on the service provider’s security architecture, and can move secure applications and data from one provider to another more easily.
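The model the article describes, encrypting data on the virtual server while the keys stay in a key server on the customer's own network and are released only to an authenticated VM, is illustrated below as an added example. It is not SecureCloud's code and makes no claim about how Trend Micro implements the product; the class and function names, the HMAC-based VM token and the PRF-based stream cipher with an encrypt-then-MAC tag (a standard-library stand-in for AES-GCM, which a real deployment would use) are all assumptions made for the illustration.

```python
import os
import hmac
import hashlib

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys so one key is never reused for both.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative counter-mode keystream from HMAC-SHA256; a stand-in for AES-GCM (assumption).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. Any bit flip is caught by the tag.
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKeyServer:
    """Key server that lives on the customer's network (hypothetical).

    The key-encryption key (KEK) never leaves this object; the cloud provider only
    ever stores data keys wrapped under it, so a provider-side copy is useless alone."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)
        self._vm_secret = os.urandom(32)

    def register_vm(self, vm_id: str) -> bytes:
        # Credential handed to an approved VM image; stands in for "virtual server authentication".
        return hmac.new(self._vm_secret, vm_id.encode(), hashlib.sha256).digest()

    def wrap_data_key(self, data_key: bytes) -> bytes:
        return seal(self._kek, data_key)

    def unwrap_data_key(self, wrapped: bytes, vm_id: str, token: bytes) -> bytes:
        # Only a VM presenting a valid token for its identity gets the data key back.
        if not hmac.compare_digest(token, self.register_vm(vm_id)):
            raise PermissionError(f"VM {vm_id!r} failed authentication")
        return unseal(self._kek, wrapped)


def encrypt_volume(kms: CustomerKeyServer, plaintext: bytes) -> dict:
    # Per-volume data key; the provider stores only ciphertext plus the wrapped key.
    data_key = os.urandom(32)
    return {"wrapped_key": kms.wrap_data_key(data_key), "ciphertext": seal(data_key, plaintext)}


def decrypt_volume(kms: CustomerKeyServer, vm_id: str, token: bytes, stored: dict) -> bytes:
    data_key = kms.unwrap_data_key(stored["wrapped_key"], vm_id, token)
    return unseal(data_key, stored["ciphertext"])


def migration_roundtrip() -> bool:
    # Moving to another provider is a copy of opaque blobs; the KEK stays with the customer.
    kms = CustomerKeyServer()
    token = kms.register_vm("vm-01")
    provider_a = encrypt_volume(kms, b"constructed sample: patient records")  # constructed input
    provider_b = dict(provider_a)
    return decrypt_volume(kms, "vm-01", token, provider_b) == b"constructed sample: patient records"


if __name__ == "__main__":
    print("migration preserved access:", migration_roundtrip())
```

The point to notice is what each party holds: the provider's storage contains `ciphertext` and `wrapped_key` and nothing that decrypts either, while a VM that cannot present its token (or a blob whose bytes were altered in storage) is refused rather than silently handed plaintext.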
Elsewhere, Microsoft is working on a research project called Bunker-V, which aims to eliminate legacy virtual devices (disk drives, keyboard, mouse, monitor or serial ports, keyboard controllers and ISA buses) usually required to boot VMs, thereby closing the door on attacks from that direction.
VMware also offers an application programming interface in vSphere 4 that allows third-party software companies to build tools that monitor and protect the hypervisor and inspect data packets that pass through virtual switches and between different VMs.
“You need some combination of both a physical intrusion prevention system in the datacentre and security software that follows a VM from one datacentre to another,” said Hatto. “You cannot put a host IPS or firewall on the hypervisor, and the impact of running a firewall, anti-virus software and a host IPS on every VM creates scalability and performance problems, and does not secure VM-to-VM traffic.”