EMC Corp. is developing technology to track and verify the location of virtual machines in cloud networks, potentially solving one of the key sticking points preventing customers from using the cloud.
Because of FISMA, the Federal Information Security Management Act, customers who put sensitive data in cloud services need guarantees that VMs stay within the country, says Chad Sakac, vice president of the VMware technology alliance at EMC. This is a problem for a cloud provider like Terremark, an EMC partner, which operates data centers on multiple continents and uses live migration technology to move virtual machines, potentially from one country to another, he says.
“Right now, there’s nothing that provides any verifiability of where a virtual machine lives,” Sakac says. “There’s nothing stopping you from moving a VM from one place in the world to somewhere else, and more importantly, there’s no way to audit that at any sort of scale.”
At VMworld in San Francisco this week, EMC will preview technology that combines its own RSA security tools with VMware virtualization software and Intel’s hardware-based security features “to ensure isolation of regulated workloads and hardware root of trust.”
The technology, which Sakac describes as “geolocation” because it will ensure that virtual machines stay within specific geographic boundaries, should hit the market sometime early next year.
In theory, the combination of technologies could be used to automatically prevent the movement of VMs from one location to another in cases where it would violate FISMA rules. But Sakac says EMC customers have provided “mixed feedback” on whether they want that process to happen automatically, or if they want more manual control.
“On the security stuff, the most important thing is to be able to audit,” and let humans make decisions because of the complexity involved, he says.
This particular announcement builds on a demonstration at the RSA Conference earlier this year, which combined RSA with Intel and VMware technology to create a hardware root of trust in virtualized servers.
The hardware backbone is provided by Intel’s TXT, or Trusted Execution Technology, which creates a system in which applications can run in a protected space that is isolated from all other software.
The EMC/VMware/Intel triumvirate is not the only set of vendors working on the problem of FISMA compliance in cloud computing and virtualized infrastructures. Google has announced FISMA certification for its Google Apps cloud applications, but only for government customers.
EMC hopes its own system, which takes advantage of VMware and Intel technology, will let “public cloud” providers promise FISMA compliance to a broader group of customers.
EMC, which owns VMware, is making another security announcement at VMworld this week, centered on providing compliance with several types of regulations in addition to FISMA. HIPAA and the PCI-DSS standards are just two examples.
“The problem is creating attestation that service providers will pass a third-party audit” that demonstrates compliance, Sakac says.
EMC is introducing the “RSA Solution for Cloud Security and Compliance,” which uses RSA’s Archer technology to provide dashboard views of security and compliance posture across physical and virtualized infrastructure; a library of security controls specific to virtualized environments; and various automation and notification tools.
The RSA cloud security system will be available immediately at prices starting at US$110,000.