By Richard Rees, Security & Compliance Architect, VMware Professional Services
Interest in hybrid cloud has risen since Edward Snowden’s leak in May revealing vast surveillance operations by the US government, according to VMware CEO Pat Gelsinger and COO Carl Eschenbach during a VMworld Q&A last week.
That’s not surprising, since hybrid clouds allow businesses to keep their data in their own house and out of the prying eyes of government. That’s undoubtedly attractive for foreign companies doing business with or in the United States, since the US government was revealed to be focusing their monitoring efforts on emails sent to or received from another country.
Even if you aren't worried about the NSA, I’m guessing you’d prefer the government not to have access to your business’s (or your customers’) information without your knowledge.
Hybrid: The best of both clouds
Enter the hybrid cloud. With a hybrid platform, businesses get the convenience and flexibility of a public cloud, but all access to sensitive data is handled through the organization’s private cloud.
At VMware, we've focused on making private clouds as operationally efficient as public clouds, with a greater emphasis on management, integration, metrics, and security. Our IT Business Management Suite, for example, when integrated with vCloud Automation Center, can even dynamically compare the cost to the business of private clouds versus public cloud providers.
A private cloud not only keeps your data safer from government snooping, it also decreases your number of data copies, which in turn cuts down on the dilution of security resources. If you have data in the public cloud, for example, it has to be backed up. Some data types also need to be archived. And of course, you need your own copy in your own house just in case there are problems or outages with your cloud provider. That's at least four copies, not counting the multiple copies we typically see inside an organization from developers, database administrators, etc. No wonder hard drives are getting bigger!
Are you confusing security with trust?
But back to security. Security and trust are not the same thing, although they are often thought of that way. Trust is the goal; security is just one way to achieve it. In the security world, we use this equation: Trust = Visibility + Control.
So, for example, when considering clouds, "Who should I give my data to?" is really, "Who can I trust to do the best job for my budget?" If I have more control, I don't need quite as much visibility—like a private cloud where I know the data isn't going to leave my house. I just need to watch the front and back doors.
If I have less control—like a public cloud—I need more visibility. If the data is in someone else's house, I want to know exactly who has keys, how many doors need to be watched, and how those doors are secured. In order to gain my trust, the cloud provider needs to be able to answer those questions and give me the ability to verify their answers. (Read more about this balance in my post, "The Secret to Getting Security to Say 'Yes.'")
Why poker is good practice for IT security
Think about playing a game of poker. If I'm playing in the World Poker Tour, I don't trust anybody. I have no control over the cards, and no visibility into what people are holding. All I can do is make educated guesses based on what I observe (body language, habits, and experience) and combine that with the information from the cards I can see. Before the flop, that'd be 2 out of 52.
Now, if I'm watching the World Poker Tour on TV, I've got much greater visibility. I can see everyone's cards before the flop, so I already know, all things being equal, how the hand is going to turn out. After the flop, I've got a near 90% picture and can easily calculate my odds of success. In the words of Sergeant Bilko, "I like a sporting event in which I know the outcome ahead of time. It's more organized."
That's also how VMware's Professional Services help streamline business processes by integrating VMware tools with third parties. We build the system-wide visibility and control into private and hybrid clouds to establish trust and to demonstrate compliance. By building capabilities from the ground up, we also help make it easy for customers to drill down as deep as they want to go—into the maintenance record or our certifications—when they feel an urge to “peek over someone’s shoulder.”
Richard Rees is an architect with the VMware Professional Services security and compliance consulting team, specializing in building secure and compliant virtual environments. Richard also advises clients in creating governance, risk, and compliance frameworks for cloud operations, enabling organizations to entrust and manage data assets and identities, and to prove compliance.