New Solutions for Security and Compliance in the Cloud


August 02, 2011 2:00 pm



This webinar reviews data security challenges in cloud environments and introduces new solutions for meeting security and compliance in virtualized and cloud infrastructure.

Tuesday 8.02.11 @ 2PM ET





Mike: Today, I would like to welcome Brian Foley from VMware. Brian is going to talk about the data security challenges in the cloud and he's also going to give us a preview to vShield 5.0, which is for cloud security and will be released sometime this fall. Hey Brian, you there? How are you?

Brian: Yes I am! Hi Mike. I am doing great. Thanks again for having me.

Mike: No problem. Well, I'll throw it to you Brian. Let's get started.

Brian: Thanks Mike. So I'm sure everyone knows that the really important thing that is driving data security is all of the regulatory compliance, with PCI and HIPAA being two of the major ones. Also, we are moving towards governance and driving the need to know how to store and process all sensitive data.

Now I'm sure that most of you have some sort of data loss/leak prevention, encrypting data in motion, etc... But now as most of you are aware, data these days can be anywhere. We're employing things internally and virtualizing them internally as well. We also have virtual desktops too, and all of this is now stirring up the question, "Where is our data really at?"

This also goes back to virtualization as a whole and just the exponential growth that it's been doing. Our CEO (Paul Maritz) recently said, "Within the next 12 months, 50% of all x86 workloads will be running virtualized."

Mike: That's a really interesting point Brian. So security in the cloud is a huge issue. I hear from enterprises and mid-size businesses all the time that they are still skeptical with security, especially with public clouds. I certainly won't ask you anything about security for any of the freeware clouds like Amazon for example, but how do VMware-based clouds deal with security issues? Can VMware's shared cloud infrastructure be PCI or HIPAA compliant?

Brian: That's an excellent question Mike, and the answer is Yes. We actually have guidelines and architecture papers that show you how you can build a virtualized environment and still remain PCI or HIPAA Compliant. There are more challenges building into a more cloud-like infrastructure compared to a virtualized deployment infrastructure. However, we are even seeing there that with the right kind of architecture, policies, and procedures in place, you can build a multi-tenant cloud that can achieve PCI or HIPAA Compliance.

It's really important that if you have these kinds of security concerns to try and pick a provider that understands these and who is architecting their solution to deliver the results you are looking for in the long run. I work with a lot of our service providers, and recently I've noticed a movement in multi-tenant clouds, such as what you guys provide to your customers.

Mike: So the last two webinars we've had over the past two weeks, we have specifically talked about HIPAA, PCI and a lot of the tools you are looking at. Both our HIPAA and PCI experts have said that with the right toolset in a shared environment based on VMware, and with tools like logging, vulnerability testing, and penetration testing that with the right cloud service provider, PCI and HIPAA Compliance is achievable and that it can provide a more cost-effective solution in those markets.

Brian: Absolutely. It's very key to finding a service provider that can build that kind of architecture for you, and VMware provides a lot of the tools to help in doing so at the infrastructure level and higher.

Brian: So all of the things that we are doing at the physical level, we have to apply as we virtualize. Before you do that, the real question you need to ask yourself is, "Do you know where your sensitive data is stored in virtual infrastructure and cloud environments?" So how do we know which virtualized systems contain data that we need to protect?

This is where vShield Data Security comes into play. We are looking at a September 2011 release, and we just recently announced this at vSphere 5 about a week and a half ago. This will be a shipping product and will be a part of the whole product suite.

Data security is now becoming a new key differentiator for people when they need to build these kinds of environments. What data security does is it scans the unstructured data looking for data that matches certain policies that you can define.

Mike: What is unstructured data?

Brian: Unstructured data is just files on the system. Say if someone has a spreadsheet that contains social security numbers. How do you know that that file exists in the right VM? Data Security can scan that using special algorithms and determine if the data in those files is on that VM. It's always checking the storage and seeing if it's there. It's also constantly scanning and giving out reports to let you know if a specific action is needed to take place in order to resolve the current issue.

Mike: So when we talk about this Brian, I think of three different kinds of environments. I think of an Enterprise environment, where it's easy for an Enterprise to go in and say that we are going to run this scan across the board. I also think of a private cloud running from a service provider and I also think of a shared cloud from a service provider. Where does this product line really fit?

Brian: An initial response would be for an Enterprise type solution. However, for service providers who want to offer PCI or HIPAA compliance or meet any other standards, it now becomes a tool that gives the service provider a way to validate and offer that service to their customers within their own cloud infrastructure.

Mike: So this has to be done on a client-to-client basis, and you must have permission before you can start scanning their data, correct?

Brian: Yes, that's correct. Or by definition, you may have permission because they are running on a certain section of your cloud that's already defined as being PCI Compliant. If you're going to deliver PCI compliance, it's up to the service provider to assume the responsibility associated with that.

So this gives you the tool so you can do the audits for your customers and present to them, "Hey, you have a VM that you deployed that's in violation." You can also guarantee that anything running in that PCI area is hitting those expectations and anything that is not in that PCI area should be moved as well.

And very important as well, people are using Hybrids now. So you might have your own internal infrastructure and you're going to run some stuff on your service provider connection, wouldn't you want to know that your service provider is managing it and monitoring it as well as you are internally?

Mike: Of course.

Brian: Exactly. Going back to vShield, vShield is our product line for security. There is one specific part of our product line called Endpoint. Endpoint is mainly used for Offload Antivirus Scanning for VMs. For example, let's say that you're running five VMs. Instead of running Antivirus on each VM, Endpoint offers the option of offloading it to just one VM. And with that, Data Security leverages that architecture.

It's a very thin agent that goes into the OS, but is automatically delivered with VM tools. It's also running very efficiently down at the hypervisor level. That's kind of how Data Security works. It generates reports of what is compliant, it helps you deploy and move VMs, and it keeps them protected as well.

Brian: So now that we know that vShield Data Security is working on the storage of the VMs, how do we know that the actual OS is provisioned and patched according to a particular Compliance regulation?

Well, this is what vCenter Configuration Manager can do for you. It does a lot of things, but specifically in the compliance and governance role, it can actually monitor the OS and see if they meet your specific compliance standards. With this, you can be assured that not only is your data being watched and managed, but that your OS is also meeting the regulatory standards as well.

Mike: Brian, can you show us what we are looking at on the graph up here? (View Slides, Final Slide - Line Graph)

Brian: What we are looking at is various scan dates over a period of time and how we are driving up compliance as we remediate known issues that come up. Because of this tool, you can also see reporting going down due to the automation. What used to take weeks is now taking hours thanks to the automation of the tool checking and monitoring the data in order to remain compliant.

Mike: It seems to me, Brian, that the whole world of regulatory compliance with all of the fines out there with HIPAA or with PCI and credit card companies is being talked about a lot. It also seems to be putting pressure on product developers such as VMware, to make things easier and easier to get compliance solutions out there in the cloud.

Brian: Absolutely. Compliance is driving a huge amount of work for us and not only do we have to meet those needs for our customers, we also need to meet those needs internally as well, so absolutely true.

Mike: Brian, we would like to thank you for taking the time out and sharing your insight both on the trends we are seeing in the marketplace and some of the things that VMware is doing to address these compliance issues. Thank you very much.

Brian: Thank you for having me again. It was a real pleasure.
