To secure a virtualized environment you must first understand the nature of the problem, which is that information, content and applications are now mobile and no longer tethered to a fixed location. Traditional security looks at the infrastructure, via defined perimeters such as firewalls, ACLs (access control lists) and VLANs (virtual local area networks).
In a world of mobility, however, we must focus on the data itself, which can exist outside the defined infrastructure. And we have to think of security from a biological perspective. What I mean is: think of how a human body, which is mobile, isolates and attacks bacteria that enter it. The data (the body in this analogy) must have attributes that help it remain healthy even as it travels to strange and new locations.
We see examples of mobility in virtual machines and appliances that can exist anywhere in the “cloud.” Users of smartphones are both creators and consumers of information that moves peer-to-peer as well as through centralized corporate and shared community networks.
Securing the data means that no matter where the data or application exists, at any point in time, there are rules that follow the data. Think of it like a passport issued for each data set. Access, bandwidth, prioritization, compliance policies, permissions, restrictions and traffic patterns are dynamically assigned, persistent and understood within the contextual flow of that specific data set (i.e., who is using it and for what purpose), no matter where it resides. This enables provisioning of service as well as identification of aberrant patterns, and hence potential security threats.
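As an added illustration of the passport idea (example code written for this page, not from the post or any product), the following binds a policy covering who may use a data set, from where and for what purpose to a hash of the data and seals both under an issuer key, so the relying domain the data lands in can verify that neither the data nor its rules were stripped or altered in transit before enforcing them. The key, data set, policy and principal names are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed example: a "data passport" that travels with a data set. The
# passport binds a policy to the data's hash and is sealed with an HMAC by the
# issuing domain, so any relying domain holding the key can check it.

ISSUER_KEY = b"constructed-issuer-secret"          # assumed shared with relying domains
DATA = b"customer-export,2024-Q1,eu-region"        # constructed sample data set
POLICY = {                                         # constructed sample policy
    "allowed_principals": ["analyst@corp.example"],
    "allowed_locations": ["corp-dc", "cloud-provider-b"],
    "allowed_purposes": ["reporting"],
}

def _canonical(body: dict) -> bytes:
    # Stable serialization so issuer and verifier seal exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_passport(data: bytes, policy: dict, key: bytes) -> dict:
    body = {"data_sha256": hashlib.sha256(data).hexdigest(), "policy": policy}
    seal = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "seal": seal}

def verify_passport(data: bytes, passport: dict, key: bytes) -> bool:
    # Rejects an edited or forged policy (seal mismatch) and data that no
    # longer matches the passport it arrived with (hash mismatch).
    body = {"data_sha256": passport["data_sha256"], "policy": passport["policy"]}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, passport["seal"]):
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), passport["data_sha256"])

def authorize(data: bytes, passport: dict, key: bytes,
              principal: str, location: str, purpose: str) -> tuple:
    # Enforcement point in whatever domain the data has travelled to:
    # the rules are read from the passport, not from local infrastructure.
    if not verify_passport(data, passport, key):
        return (False, "passport invalid or data altered")
    policy = passport["policy"]
    if principal not in policy["allowed_principals"]:
        return (False, "principal not permitted")
    if location not in policy["allowed_locations"]:
        return (False, "location not permitted")
    if purpose not in policy["allowed_purposes"]:
        return (False, "purpose not permitted")
    return (True, "ok")

PASSPORT = issue_passport(DATA, POLICY, ISSUER_KEY)
```

Any domain the data reaches calls `authorize` with the data, its passport and the caller's context; a policy loosened in transit, or a data set swapped under an existing passport, fails the seal or hash check before the access rules are even consulted.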
I guess we can call this concept “portable security” because it crosses domains and networks governed by disparate owners. This is not a new concept in the world of flow-based network security. But we are seeing the emerging application of flow management in areas such as identity federation and management of virtual machines that may traverse various cloud providers and corporate data centers.
There is no one application provider or solution set that has all the pieces of portable security. We should approach each situation using the fundamental methodologies of risk assessment and mitigation. That is, understand the security challenge in terms of who, what, where, why and how. Then we can start to devise the solution set that best meets the specific needs.