Archer and The Cloud Trust Authority

Last week I spent five days attending the beta delivery of the new Virtualized Data Center and Cloud Infrastructure course from EMC Ed Services. The course itself gave me a lot to consider (and blog about at some point). The best part of the course, for me, was the students in the class. There were a large number of data center architects in attendance. The anecdotal experiences that were exchanged had high value. I would recommend the course on that aspect alone (the networking between VDC architects).

The curriculum was dense and challenging, particularly when it comes to designing governance, risk, and compliance into virtualized data centers. Hybrid clouds, in particular, were highlighted as an enormous GRC challenge for a corporation outsourcing a portion of their IT services. In fact, out of all of the topics discussed during the five days of training, GRC was probably the most important yet least implementable hybrid cloud requirement.

Today’s Cloud Trust Authority announcement, at RSA Conference 2011, is tackling this problem head-on.

Tackling Hybrid Cloud GRC

One obvious roadblock with hybrid cloud GRC is the lack of a common governance dashboard that stretches across data centers. As a software engineer I cannot come up with a framework proposal for hybrid GRC without boiling the ocean. For a service provider the problem is exacerbated due to multi-tenancy; different tenants will have different data center policies and infrastructures against which they run their own dashboards.

The announced RSA approach (Cloud Trust Authority) allows a service provider to enable a hybrid dashboard by standardizing on governance profiles supported by the Cloud Security Alliance. These profiles have been codified into Archer. For example, the following screenshot represents an Archer view of a CSA Cloud Assessment screen:

[Screenshot: Archer view of a CSA Cloud Assessment]

If both sides of the fence (tenant and provider) standardize on CSA reports, how will these reports be (a) populated, and (b) securely shared to the tenant?

As I mentioned, there is currently no common collection framework that can be deployed on both sides of the fence. It all has to be done manually. One aspect of the Cloud Trust Authority model is that RSA Consultants can manually or programmatically bootstrap the conversion of data center specifics into the Archer platform.

Secure publishing of the dashboard details can be done via an RSA Identity Security framework (e.g. TriCipher).

The diagram below shows the relationship between tenant and cloud provider. Login and tenant identity are verified on the left, and GRC reports are shared on the right.

[Diagram: tenant and cloud provider relationship in the Cloud Trust Authority model]

Automating the Manual

A few weeks ago I was chatting with RSA CTO Bret Hartman about the year-old Archer acquisition. Before the Archer acquisition, one of the main challenges of GRC was the “boil the ocean” difficulty of designing a common framework for controlling GRC within a given data center. It became apparent that the “bottom-up” approach of Archer was much more feasible. The most important portions of a data center can be audited (manually or automatically) and then bubbled up into Archer and mapped against corporate and government regulations. This allows a CSO to prioritize the highest areas of risk (and thus avoid boiling the ocean).

As time goes forward, more and more data center state can be fed into the Archer framework, providing increasing levels of enterprise governance reporting. Automation improves things even more.

In summary, hybrid cloud governance reporting can initially be done by hand. Consultants well-versed in industry standard reports help customers translate their deployments to the standard.

One more interesting point of note: service providers and cloud technology manufacturers involved with the Cloud Trust Authority would be wise to automate their governance collection frameworks and create security-as-a-service SOA APIs (instead of automating results straight into Archer). These APIs can then be reused for a variety of other purposes.
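
To make the bottom-up model concrete (audit selected components, map the evidence onto a governance standard, surface the riskiest gaps first) and to show what a reusable collection API might return, here is a small Python sketch. It is my own added example, not code from RSA, Archer or the CSA. Every control ID, framework requirement, component name and severity value is a constructed placeholder; the real CSA profiles and the Archer data model are not represented.

```python
"""Added example: a minimal bottom-up governance collection service.

Audit checks on individual data center components produce control
evidence; each internal control is mapped (many-to-many) onto framework
requirements; gaps are ranked by risk so the highest-risk requirements
bubble up first. All identifiers below are constructed placeholders.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class ControlResult:
    control_id: str   # hypothetical internal control id
    component: str    # data center component that was audited
    passed: bool      # outcome of the automated or manual check
    severity: int     # 1 (low) .. 5 (critical), assigned by the auditor


# Hypothetical mapping: internal control -> framework requirements it
# provides evidence for. Growing this table is how more data center
# state gets fed into the dashboard over time.
CONTROL_TO_REQUIREMENTS = {
    "CTRL-ENC-01": ["FRAMEWORK-A:DATA-1", "FRAMEWORK-B:ENC-3"],
    "CTRL-IAM-02": ["FRAMEWORK-A:IAM-2"],
    "CTRL-LOG-03": ["FRAMEWORK-A:LOG-4", "FRAMEWORK-B:AUD-1"],
    "CTRL-NET-04": ["FRAMEWORK-B:NET-2"],
}


def collect_evidence():
    """Stand-in for automated collectors; constructed sample results."""
    return [
        ControlResult("CTRL-ENC-01", "storage-array-1", True, 5),
        ControlResult("CTRL-ENC-01", "storage-array-2", False, 5),
        ControlResult("CTRL-IAM-02", "hypervisor-cluster", False, 4),
        ControlResult("CTRL-LOG-03", "hypervisor-cluster", True, 3),
        ControlResult("CTRL-NET-04", "edge-firewall", False, 2),
    ]


def build_report(results, mapping=CONTROL_TO_REQUIREMENTS):
    """Map control evidence onto framework requirements.

    A requirement FAILs if any mapped control fails on any component.
    risk_score = highest mapped severity * number of failing components,
    so the report is ordered with the largest gaps first.
    """
    per_req = {}
    for r in results:
        for req in mapping.get(r.control_id, []):
            entry = per_req.setdefault(
                req, {"controls": set(), "failing": [], "severity": 0})
            entry["controls"].add(r.control_id)
            entry["severity"] = max(entry["severity"], r.severity)
            if not r.passed:
                entry["failing"].append(
                    {"control": r.control_id, "component": r.component})
    requirements = []
    for req, e in per_req.items():
        requirements.append({
            "requirement": req,
            "status": "FAIL" if e["failing"] else "PASS",
            "risk_score": e["severity"] * len(e["failing"]),
            "controls": sorted(e["controls"]),
            "failing": e["failing"],
        })
    requirements.sort(key=lambda x: (-x["risk_score"], x["requirement"]))
    return {"schema": "example-grc-report/1", "requirements": requirements}


def unmapped_controls(results, mapping=CONTROL_TO_REQUIREMENTS):
    """Controls that produced evidence but map to no requirement.

    Such evidence would silently disappear from the dashboard, so a
    collection service should surface it rather than drop it.
    """
    return sorted({r.control_id for r in results
                   if r.control_id not in mapping})


def report_json(results, mapping=CONTROL_TO_REQUIREMENTS):
    """What a security-as-a-service API endpoint would hand back:
    a standard, self-describing document any consumer can reuse."""
    return json.dumps(build_report(results, mapping), indent=2)


if __name__ == "__main__":
    evidence = collect_evidence()
    print(report_json(evidence))
    print("unmapped:", unmapped_controls(evidence))
```

The point of keeping the report format independent of any one GRC tool is the one made above: the same JSON document can feed Archer, a tenant's own dashboard, or a different consumer, and the collector does not need to change when a new consumer appears.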

Steve

Information Playground

Twitter: @SteveTodd

EMC Intrapreneur