This blog is intended to share our experiences & expectations with Cloud & Virtualization security. But before we go there, let's get some understanding of what these mean and why they matter.
Today, the top issue for a CIO is Data Center consolidation using Server Virtualization techniques. This is mainly driven by the need to reduce CAPEX (better use of server hardware & depreciation costs) & OPEX (power and cooling $ savings). But moving applications to virtualized platforms introduces a change in the deployment model and hence in the threat model. The threats associated with this change are widely categorized as "Virtualization Security".
There is another phrase that is loosely talked about by IT: "Cloud enablement". The way I would explain this is accessing services such as storage, applications, etc. using REST-based protocols. Many even consider "Platform or Infrastructure as a Service" a part of Cloud. Platform would include Virtualization, and Infrastructure would be configuring hardware (network, memory, CPU) dynamically. So it is necessary for us to understand the differences among all of these. Google Apps and SalesForce.com are some Cloud-based applications; we never ask them if they are running on platform A or infrastructure X. In terms of Infrastructure as a Service, Amazon EC2 and RightScale are some examples, where they provide tools to upload software. These services run on virtualized platforms.
As I mentioned, Cloud applications mostly use REST-based protocols. In addition, they may be dynamically provisioned or de-provisioned. These applications need to be secured from traditional threats: denial of service attacks, application attacks, cross-site scripting, session hijacking, etc. Single Sign-On is an absolute must. If these Cloud applications are hosted on public service Infrastructures or Platforms (Amazon, RightScale, etc.), then the applications can be running on a multi-tenant platform and hence need to secure themselves. The platform also needs to give its cloud application customers confidence that it is secure.
The above would be the starting points in enabling security for Virtualization and Cloud environments.