Done right, a virtualized cloud can improve your security, DHS official says
Security in virtualized cloud environments can be just as good as or better than in the physical world, if the right controls and technology are put in place, according to Greg Capella, deputy executive director with the Homeland Security Department’s CIO Office.
DHS officials had to overcome skepticism about moving applications to cloud environments. They wanted to make sure security would be as good as security in their on-premise IT infrastructures, Capella said, speaking July 20 at the FOSE conference in Washington.
Homeland Security has ongoing initiatives in both the private and public cloud. For instance, DHS offers e-mail and Microsoft SharePoint collaboration software via a private cloud. Additionally, DHS’ E-Verify Self Check portal is hosted in the cloud. Self Check allows individuals in the United States to check their employment eligibility status before formally seeking employment.
Cloud computing provides on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or interaction from the service provider.
Virtualization is one of the biggest technologies that enables the cloud but brings with it potential risks, Capella said.
Virtualization technology contains a hypervisor, an abstraction layer between the physical server hardware and the server’s operating system. Hypervisors allow multiple operating systems to run concurrently on a host computer. However, this added layer can create risks.
Hypervisor administrators have a tremendous amount of power, Capella noted. An administrator can change the security settings of virtual machines. A virtual machine cannot be physically touched the way the server hosting it can, but the files that make up the virtual machine can be copied and exposed in ways they might not be in physical environments.
In assessing the risk associated with the virtual world, DHS used two standards: Control Objectives for Information and Related Technology (COBIT), a basis for auditing the IT management function developed by the Information Systems Audit and Control Association now known as ISACA; and the National Institute of Standards and Technology’s Special Publication 800-53.
Assessing the various security controls outlined in COBIT and NIST 800-53, DHS officials determined that applying virtualization without additional controls and procedures would have an adverse impact on cloud environments. However, implementing the right processes and procedures could provide better security than in physical environments.
Virtual security has to include policy changes, monitoring and control capabilities, and technology, Capella said. Some security vendors are building security into their virtualization products; others offer standalone products as add-ons to virtual machines. These products can control activity and who has access to the machines, as well as monitor every step of the change cycle, he said.