The Clear Path to Cloud Security, Compliance, and Cost Control

  • 8/12/2019 The Clear Path to Cloud Security, Compliance, and Cost Control

    The Clear Path to Cloud Security, Compliance, and Cost Control

    WHITEPAPER | VMWARE CLOUD CREDITS PROGRAM

    Businesses are unquestionably excited about cloud computing, but according to Ryan Hefele, they're also more than a little concerned about security. Hefele is a cloud security specialist at Mountain State Networking Communications Inc., an IT integrator based in Englewood, Colo. Companies love the cloud's efficiency and flexibility, he says, but worry about confidential information falling into the wrong hands. "That's their biggest fear," Hefele states. You don't hear about an outage at a company on the evening news, but you hear about security breaches.

    Hefele's customers aren't the only ones with such anxieties. Some 66 percent of IT decision makers cite security concerns as a barrier to implementing a cloud computing strategy, and 56 percent say they won't fully embrace the cloud until they're more confident in cloud service providers' ability to meet their compliance requirements, according to a 2013 IDG Enterprise cloud computing research study.

    Sadly, those concerns are far from misplaced. For all its game-changing power, cloud computing exposes businesses to substantial security and compliance concerns. Yet experts say any company can capitalize on the cloud safely and cost-effectively if it employs the right techniques, tools, and technologies.

    Significant Risks

    Well-managed cloud environments are as secure, if not more so, than their on-premises equivalents. Yet the cloud's potential dangers are legion just the same. The Cloud Security Alliance, a Seattle, Wash.-based not-for-profit, has assembled the most serious potential risks into a list it calls the notorious nine. Some, like data breaches and malicious insider attacks, are familiar perils that the cloud can make even riskier, because cloud solutions are often hosted off-site and managed by third parties. "You're losing some of the security control that we've kind of gotten used to having," notes Dave Shackleford, a Cloud Security Alliance contributor who is also principal consultant at Voodoo Security LLC, of Roswell, Ga.

    Other members of the notorious nine are exclusive to the cloud. For example, few of the application programming interfaces that cloud vendors provide to help customers manage and integrate online resources have been carefully checked for security flaws. "People are taking advantage of those APIs, but nobody's really evaluating them from a software perspective," Shackleford says. Also, most public clouds are multitenant solutions in which many companies share the same underlying resources. Vulnerabilities introduced by any one of those firms can potentially compromise the entire infrastructure.

    Cloud computing can pose significant regulatory compliance risks as well. For starters, some cloud vendors can't provide all of the auditing and reporting data that regulated businesses are often legally required to collect. Furthermore, while anyone can say their offerings meet a given law's standards, some cloud providers offer so little visibility into their infrastructure that verifying such assertions can be difficult. This is the cloud's biggest compliance-related headache, says Allen Shortnacy, alliances partner architect for business development at cloud and virtualization leader VMware Inc., of Palo Alto, Calif. How do you monitor a cloud operator's stack closely enough to track everything they did and confirm that you've met all of your legal requirements?

    With the help of the right tools and technologies, any business can address the risk and budgeting complexity often associated with cloud computing.

    The cloud can also complicate IT budgeting. At many companies, multiple business units are buying services from multiple vendors, making it hard to assemble a complete picture of cloud spending patterns. Additionally, cloud vendors typically bill in monthly, usage-based installments instead of collecting big up-front payments. That helps companies simplify cash flow management and reduce capital expenditures, but also puts IT departments with unused funds in an uncomfortable spot as the fiscal year draws to a close. "You've got money that you're authorized to spend, but can't use because you can't pay your vendors in advance," Shortnacy observes. Most IT leaders end up losing that money, not only now but in future budgets as well.

    So-called rogue cloud deployments, in which business groups purchase cloud services without IT involvement, neatly encapsulate many of the cloud's security, compliance, and budgeting challenges. According to Sam Cattle, security practice lead for Southborough, Mass.-based consulting firm GlassHouse Technologies Inc., most companies today have rogue clouds, whether their IT leaders know it or not. "It's massively common," he says. It's also massively dangerous, because technicians can't protect cloud-based data that they don't know about, or include it in compliance processes. And since business units often pay for rogue clouds with credit cards, spending reports end up reflecting only part of a company's total cloud outlays. "All of the internal mechanisms for tracking what's going on with the budget are sidestepped," Cattle states.

    State-of-the-Art Solutions

    Mitigating the cloud's security, compliance, and budgeting risks begins with what Shackleford calls a hugely boring but all-important topic: policy. Companies must draft clear rules about who can set up new cloud-based solutions, how those systems are paid for, and what can or can't be stored in them. Then they must disseminate those rules broadly, with vocal support from senior leaders, and enforce them vigorously.

    How VMware Can Help

    For all its efficiency and power, cloud computing also raises a host of complex security, compliance, and budgeting challenges. VMware has the software and partnerships to make tackling those challenges easier.

    VMware's vCloud Suite infrastructure solution is the cornerstone of the company's cloud security and compliance offerings. The industry's only integrated end-to-end cloud platform, vCloud Suite includes a rich set of sophisticated firewall and gateway security services. It also equips companies to divide a single cloud environment into mixed modes of trust that flexibly apply security policies in different ways to different user populations and data types.

    On the compliance side, vCloud Suite comes with powerful data scanning functionality that automatically identifies regulatory violations, as well as robust management and reporting capabilities that give IT managers the operational visibility they need to verify that they're meeting legal obligations.

    Add in advanced functionality for provisioning, networking, disaster recovery, and more, and the result is a package that's hard to match. "VMware has the most complete set of tools, the most integrated set of tools, and basically the best set of tools for cloud delivery," says Ryan Hefele, of VMware Premier Solution Provider Mountain State Networking Communications Inc.

    Partners are another big part of how VMware keeps companies secure and compliant. By choosing VMware vCloud Powered Services and VMware vCloud Datacenter Services from partners in the VMware Service Provider Program, vCloud Suite users can ensure that their external cloud resources are every bit as safe and legal as their internal ones. "You've got a common architecture and a common set of controls on both sides of the firewall, which means everything works consistently regardless of whose data center it's in," says Allen Shortnacy, alliances partner architect for business development at VMware.

    That's just one example of how VMware positions its customers for success in the cloud. "Sure, cloud computing adds new complexities to security, compliance, and budgeting," Shortnacy says. With the help of VMware and its partners, however, you can conquer all of them.

    Yet policy alone is just a start. Businesses must also use state-of-the-art cloud platform technologies, and ensure that their vendors do as well. Key features to look for in such systems are comprehensive security protections for hosts, networks, virtual machines, applications, and data, as well as consistent application of those safeguards across public and private clouds. Visibility into virtual workloads, thorough auditing capabilities, and robust reporting and management tools are all musts too, as is functionality for embedding authentication, access control, privacy, and confidentiality policies within virtual machines. "That way your security and compliance policies follow your VMs as they move across the cloud and the data center," Shortnacy says.

    Partnering with qualified cloud vendors is every bit as important as using sophisticated cloud software, so savvy companies maintain a list of preapproved service providers and ban employees from working with anyone else. According to Chris Richter, building such a list properly means asking lots and lots of questions. "We always tell customers to dig deeper and really get underneath the hood," observes Richter, who is vice president of managed security products and services at Savvis, a managed hosting and co-location provider headquartered in Town & Country, Mo.

    At a minimum, he continues, ask to see an architectural diagram showing how the provider locks down its environment. Study the provider's security policies carefully as well, and compare them to your own. "If there's a disconnect, the cloud provider should be willing to recommend a way to address that gap," Richter notes. The provider should also be willing and equipped to deliver detailed reporting information to compliance auditors, he adds.

    The Consensus Assessments Initiative Questionnaire, available free on the Cloud Security Alliance website, outlines the essential topics businesses should cover when evaluating cloud service providers. Shackleford, for his part, advises businesses to pay particular attention to whether a potential vendor has industry-standard security accreditations, such as the ISO 27001 and Service Organization Control (SOC) 2 certifications, and to confirm the vendor has experience in your industry and knowledge of its regulatory requirements. "If you have to meet compliance standards like PCI or HIPAA, then [your vendors] have to meet those standards internally," Shackleford says.

    Charge It to My Account: the VMware Cloud Credits Purchasing Program

    To make consuming public cloud services from VMware partners easier, VMware offers the VMware Cloud Credits Purchasing Program. The program enables technology managers to buy credits through their favorite VMware Solution Provider and then allocate them to the company's various business and IT units through the My VMware management portal. Then, via that same intuitive interface, users can redeem their credits with approved VMware vCloud Service Providers on a self-serve basis.

    "From a security standpoint, you're limiting people to approved VMware partners without decreasing their business agility," Shortnacy says. You can also restrict specific business units with compliance responsibilities to providers with relevant expertise and capabilities.

    The VMware Cloud Credits Purchasing Program enhances your budgeting flexibility too. "You can protect your IT funding by buying now and redeeming later," Shortnacy explains. And by centralizing all of your cloud-related transactions in one place, you can also monitor and control cloud spending with greater precision.

    The end results are a simpler, faster cloud procurement process, more accurate budgeting, and significantly improved security, a combination anyone concerned about cloud security, compliance, and funding issues can appreciate.

    Don't forget to inspect a cloud provider's service-level agreement (SLA) thoroughly either, adds Noah Weisberger, director of professional services at Coalfire Systems Inc., an IT governance, risk, and compliance adviser with headquarters in Louisville, Colo. "There should absolutely be contractual language in there that they acknowledge their obligation to meet all of your security and compliance requirements," he says.

    Centralized Payments

    Of course, none of those actions is likely to do you much good if employees continue setting up rogue clouds. To rein in that problem, start by establishing a dialogue with your non-IT counterparts. Users often don't realize that IT can provide exactly what they would otherwise buy on their own, only far more securely.

    Users are more likely to choose IT-endorsed cloud services if identifying and paying for them is simple, so creating a portal that provides direct access to cloud-related funds as well as self-serve tools for spending that money with preapproved vendors is an important best practice. VMware's Cloud Credits Purchasing Program, for instance, utilizes the My VMware portal to let IT managers allocate cloud funds and business managers spend them quickly and easily. The result is that business decision makers get the agility they crave while helping IT better protect the business. "It just makes the whole procurement and budgeting process easier," Richter observes.

    It also lowers administrative overhead by reducing the cloud sprawl that results when multiple business groups procure services independently, and allows greater control over budgeting by centralizing all of your cloud payments in one place.

    Just one more reason, if any were needed, to make mastering cloud security, compliance, and budgeting a top priority. "These are somewhat scary problems, but you can solve all of them," Shortnacy says. There's no reason to let your fears about the cloud keep you from realizing its benefits.

    For more information please visit http://vcloudproviders.vmware.com/
