EMC is developing technology to track and verify the location of virtual machines in cloud networks, potentially solving one of the key sticking points preventing customers from using the cloud.
Because of FISMA, the Federal Information Security Management Act, US customers who put sensitive data in cloud services need guarantees that their VMs stay within the country, says Chad Sakac, VP of the VMware technology alliance at EMC. This is a problem for a cloud provider like Terremark, an EMC partner, which operates data centres on multiple continents and uses live migration to move virtual machines between hosts, potentially from one country to another.
“Right now, there’s nothing that provides any verifiability of where a virtual machine lives,” Sakac says. “There’s nothing stopping you from moving a VM from one place in the world to somewhere else and, more importantly, there’s no way to audit that at any sort of scale.”
At the recent VMworld, EMC previewed technology that combines its own RSA security tools with VMware virtualisation software and Intel's hardware-based security features to isolate regulated workloads on a hardware root of trust. The technology, which Sakac describes as "geolocation" because it will ensure that virtual machines stay within specific geographic boundaries, should hit the market sometime early next year.
In theory, the combination of technologies could be used to automatically prevent the movement of VMs from one location to another in cases where it would violate FISMA rules. But Sakac says EMC customers have provided “mixed feedback” on whether they want that process to happen automatically, or if they want more manual control. “On the security stuff, the most important thing is to be able to audit,” and let humans make decisions because of the complexity involved, he believes.
This announcement builds on a demonstration at the RSA Conference earlier this year, which combined RSA, Intel and VMware technology to create a hardware root of trust in virtualised servers. The hardware backbone is Intel's TXT, or Trusted Execution Technology: at boot it measures the hypervisor and its launch environment and records those measurements in the platform's TPM, so that a remote party can later verify that a host is running known-good software before trusting anything the host reports about itself, including where it is.
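The article does not say how the EMC/VMware/Intel system ties a host's measured launch to its location, so the following is an illustrative sketch added here, not code from EMC, RSA, VMware or Intel. It shows the shape of the check described in the two preceding paragraphs: a destination host presents a signed attestation report carrying its TXT measured-launch values (PCRs 17 and 18, the registers TXT extends at launch) plus a geolocation tag; a policy engine verifies the report, compares the measurements against an approved hypervisor build and the tag against the allowed countries, and either blocks the migration or only records the violation for a human to review, the "automatic versus audit" choice Sakac mentions. A real TPM quote is an RSA or ECC signature over the PCR digests and a nonce; an HMAC with a per-host key stands in for it so the example runs with the standard library alone. Every host name, key, digest and report below is constructed.

```python
"""Hypothetical migration-policy check for "geolocated" VMs.
Added example, not vendor code. HMAC stands in for a TPM quote signature;
all hosts, keys, measurements and reports are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def measure(blob: bytes) -> str:
    """Stand-in for a TPM PCR value: digest of the measured component."""
    return hashlib.sha256(blob).hexdigest()


# Constructed known-good measurements of the approved hypervisor build
# (TXT extends PCR 17 and PCR 18 during the measured launch).
KNOWN_GOOD = {
    "pcr17": measure(b"constructed: approved SINIT ACM v1"),
    "pcr18": measure(b"constructed: approved hypervisor build 4.1"),
}

# Constructed per-host attestation keys (in reality held inside each host's TPM).
HOST_KEYS = {
    "esx-us-east-01": b"constructed-key-us-east",
    "esx-eu-west-07": b"constructed-key-eu-west",
}


def canonical(report: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(key: bytes, report: dict) -> str:
    """Host side: sign the report (stand-in for the TPM quote)."""
    return hmac.new(key, canonical(report), hashlib.sha256).hexdigest()


def verify_signature(key: bytes, report: dict, sig: str) -> bool:
    return hmac.compare_digest(sign_report(key, report), sig)


@dataclass
class Policy:
    allowed_countries: set
    mode: str = "enforce"          # "enforce" blocks; "audit" records and lets humans decide
    audit_log: list = field(default_factory=list)


def evaluate_migration(vm: str, report: dict, sig: str, nonce: str, policy: Policy) -> dict:
    """Decide whether `vm` may move to the host described by `report`.
    Always writes an audit entry, whatever the decision."""
    reasons = []
    key = HOST_KEYS.get(report.get("host"))
    if key is None or not verify_signature(key, report, sig):
        # Nothing else in the report can be trusted without a valid signature.
        reasons.append("attestation signature invalid or host unknown")
    elif report.get("nonce") != nonce:
        reasons.append("stale attestation (nonce mismatch)")
    else:
        for pcr, good in KNOWN_GOOD.items():
            if report.get(pcr) != good:
                reasons.append(f"{pcr} does not match approved hypervisor")
        if report.get("country") not in policy.allowed_countries:
            reasons.append(f"host country {report.get('country')!r} outside allowed set")
    compliant = not reasons
    allowed = compliant or policy.mode == "audit"
    entry = {"vm": vm, "dest": report.get("host"), "compliant": compliant,
             "allowed": allowed, "reasons": reasons}
    policy.audit_log.append(entry)
    return entry


def demo():
    """Three constructed migrations under an enforce-mode, US-only policy."""
    policy = Policy(allowed_countries={"US"}, mode="enforce")
    nonce = "n-1234"
    us = {"host": "esx-us-east-01", "country": "US", "nonce": nonce, **KNOWN_GOOD}
    eu = {"host": "esx-eu-west-07", "country": "IE", "nonce": nonce, **KNOWN_GOOD}
    r_us = evaluate_migration("vm-payroll", us, sign_report(HOST_KEYS["esx-us-east-01"], us), nonce, policy)
    r_eu = evaluate_migration("vm-payroll", eu, sign_report(HOST_KEYS["esx-eu-west-07"], eu), nonce, policy)
    # Tampered report: the EU host relabelled as US without re-signing.
    forged = dict(eu, country="US")
    r_forged = evaluate_migration("vm-payroll", forged, sign_report(HOST_KEYS["esx-eu-west-07"], eu), nonce, policy)
    return r_us, r_eu, r_forged, policy.audit_log


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

Switching the policy to `mode="audit"` lets every migration proceed but keeps the same log entries, which is the trade-off the next paragraph describes: the audit trail is produced either way, and only the enforcement decision changes.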
The EMC/VMware/Intel triumvirate is not the only set of vendors working on the problem of FISMA compliance in cloud computing and virtualised infrastructures. Google has announced FISMA certification for its Google Apps cloud applications, but only for government customers. EMC hopes its own system, built on VMware and Intel technology, will let public cloud providers promise FISMA compliance to a broader group of customers.
EMC, which holds a majority stake in VMware, is also targeting compliance with regulations beyond FISMA; HIPAA and the PCI DSS standard are two examples. "The problem is creating attestation that service providers will pass a third-party audit" that demonstrates compliance, Sakac says.