How to secure the virtual world

Cloud computing has been taking the IT world by storm - according to recent figures from Gartner, the industry grew by nearly 20 per cent globally last year.

The advantages it can bring to an organisation stretch far and wide, providing benefits both economically and in terms of IT agility and extended capabilities.

However, for many, migrating to the cloud is not a bed of roses. Without seriously considering the security implications a virtual environment can bring with it, organisations will undoubtedly face a whole host of issues surrounding data protection and privacy.

The lack of physical control over cloud-based environments can be a daunting prospect for organisations. It's understandable when you consider just some of the security challenges that come hand in hand with the cloud, including data co-mingling, the number of privileged users, potential for data leakage and geographic regulatory requirements.

Virtual machines are easy to copy and steal, as well as easy to move. Understanding where data is, and the security implications of that in the virtual environment, therefore continues to cause increasing concern to IT managers.

Basically, by opening up to the concept of virtualisation and shared computing, a fresh landscape has been created that raises questions over new kinds of attack vector, visibility of systems and control of data. For the most part, protection of virtual machines, along with mobile devices, has been reduced simply to limiting the places where data can go and only allowing a certain number of people to access it.

However, this runs counter to what technology now facilitates, which is the understanding that the movement and sharing of information is essential to a successful business. Consequently, organisations need an innovative data protection strategy to enable free sharing of information, while ensuring robust security of their virtual assets.

One of the most effective ways to achieve this is by going back to basics. To take a simplistic example, remember when organisations would protect their sensitive data by backing up their systems on tape and securing these in a safe? This principle can still be applied today. Once organisations recognise that it's the data that needs to be protected, they have already completed the first step of their new security strategy.

Realising that it's a case of when, rather than if, an attack will occur is the next step. By embracing the concept of the secure breach and encrypting the very data itself, organisations can be prepared for the inevitable data breach.

Fortunately, the tools are now available to allow organisations to effectively encrypt data on a wide scale and enable a secure breach environment. Firstly, they need to build a crypto foundation that acts as a trust anchor for the encryption implementation and deals with essential aspects such as secure key generation and storage.

Secondly, it's important to implement an enterprise key management system that will create and enforce policies during a key's lifetime and guarantee that the keys are available to the information and applications enterprise-wide.

Thirdly, organisations need to ensure that encryption enforcement points are properly implemented in order to leverage the enterprise key management and crypto foundation. Thankfully there have been major advances in encryption key management that allow for scalable encryption, a major advantage when you consider the vast infrastructure and applications of international organisations.
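The three layers described above can be sketched in a few lines. This is an added example, not code from the article or from any SafeNet product: `KeyManager`, `protect` and `reveal` are hypothetical names, the OS random generator stands in for a hardware trust anchor, and the HMAC-SHA256 keystream is a stand-in cipher chosen only so the sketch runs on the standard library (a real enforcement point would call a vetted AEAD such as AES-GCM).

```python
import hashlib, hmac, os, time

class KeyManager:
    """Hypothetical enterprise key manager: issues keys and enforces lifetime policy."""
    def __init__(self, max_age_s):
        self.max_age_s = max_age_s
        self._keys, self.active_id = {}, None  # key_id -> (key bytes, created_at)

    def rotate(self, now=None):
        # Crypto foundation: keys come from the OS CSPRNG here (assumption: an HSM in production).
        key_id = f"k{len(self._keys) + 1}"
        self._keys[key_id] = (os.urandom(32), time.time() if now is None else now)
        self.active_id = key_id
        return key_id

    def key_for_encrypt(self, now=None):
        now = time.time() if now is None else now
        key, created = self._keys[self.active_id]
        if now - created > self.max_age_s:
            raise PermissionError("active key is past its lifetime; rotate first")
        return self.active_id, key

    def key_for_decrypt(self, key_id):
        # Retired keys stay available for reading old records, never for new writes.
        return self._keys[key_id][0]

def _keystream(key, nonce, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode, domain-separated from the tag below.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, key_id, nonce, ct):
    return hmac.new(key, b"mac" + key_id.encode() + nonce + ct, hashlib.sha256).digest()

def protect(km, plaintext, now=None):
    """Enforcement point: encrypt one record under the currently active key."""
    key_id, key = km.key_for_encrypt(now)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": _tag(key, key_id, nonce, ct)}

def reveal(km, rec):  # Enforcement point: verify integrity, then decrypt.
    key = km.key_for_decrypt(rec["key_id"])
    if not hmac.compare_digest(_tag(key, rec["key_id"], rec["nonce"], rec["ct"]), rec["tag"]):
        raise ValueError("record was modified or was sealed under a different key")
    return bytes(a ^ b for a, b in zip(rec["ct"], _keystream(key, rec["nonce"], len(rec["ct"]))))
```

Each stored record carries only its `key_id`, so a copied virtual machine image or database dump is unreadable without access to the key manager, and rotation does not require re-encrypting old records.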

Implementing this level of encryption around individual pieces of data means that should a hacker break past an organisation's security perimeter and get their hands on the data, it will prove worthless to them. The hacker will have wasted valuable time as all they will be left with is some scrambled nonsense. This acts as a major deterrent against future attacks, as it is simply not a valuable investment of their energy and resources.

Although it's clear that encrypting data in the virtual world provides a pretty strong barrier against potential theft, security departments can't rest on their laurels. Being on the ball and detecting impending attacks as soon as possible is still of utmost importance.

Understanding the motives driving a hacker is a real benefit to this, as is understanding the role employees, machines and software all play. Taking this into account will allow organisations to evolve and embrace new virtualisation technologies, safe in the knowledge that their sensitive data is securely protected.

Jason Hart is vice president of cloud solutions at SafeNet

SafeNet UK is exhibiting at Infosecurity Europe 2013 held on 23rd – 25th April 2013. For further information please visit www.infosec.co.uk