For all the debate over cloud security, one issue that has never been addressed is the simple act of taking an application workload running on a virtual machine and redeploying it, in its entirety, somewhere it should not run. After all, virtual machines are designed to be portable.
To address that specific issue, HyTrust, in partnership with Intel, today announced HyTrust Boundary Controls, a set of tools for defining which virtual machines can run within a specified area of a particular data center. Based on asset tagging and attestation services, with a root of trust provided by Intel Trusted Execution Technology (TXT), the HyTrust tools let IT organizations specify the hardware and BIOS on which a virtual machine may run, provided the underlying physical infrastructure supports Intel TXT.
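To make the mechanism described above concrete, here is an added example that models the placement decision in plain Python. It is not HyTrust's or Intel's code: the host names, asset tags, digests and the "attestation service key" are all constructed, and a TXT/TPM-signed quote is stood in for by an HMAC over the host's report and a nonce. The point it shows is that the asset tag and the boot measurements must both be carried inside the authenticated quote, so that a host in the wrong location, a host with an unexpected BIOS, or a host report whose tag was changed after attestation is refused.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Constructed stand-ins for measured BIOS and hypervisor hashes (hypothetical values).
GOOD_BIOS = hashlib.sha256(b"constructed-known-good-bios-image").hexdigest()
GOOD_HV = hashlib.sha256(b"constructed-known-good-hypervisor").hexdigest()


@dataclass(frozen=True)
class HostReport:
    """What a host presents at VM start: identity, asset tag and boot measurements."""
    host_id: str
    asset_tag: str          # location tag bound at provisioning, e.g. a data center id
    bios_digest: str        # measured BIOS hash (hex)
    hypervisor_digest: str  # measured hypervisor hash (hex)


@dataclass(frozen=True)
class VmPolicy:
    """Boundary for one VM: where it may run and on which measured platforms."""
    vm_id: str
    allowed_tags: frozenset
    known_good_bios: frozenset
    known_good_hypervisor: frozenset


def quote_payload(report: HostReport, nonce: str) -> bytes:
    # Canonical encoding of everything the verifier relies on, bound to a fresh nonce.
    return json.dumps(
        {"host": report.host_id, "tag": report.asset_tag,
         "bios": report.bios_digest, "hv": report.hypervisor_digest, "nonce": nonce},
        sort_keys=True).encode()


def issue_quote(service_key: bytes, report: HostReport, nonce: str) -> str:
    # Simulated attestation quote: HMAC stands in for a TPM/TXT-rooted signature.
    return hmac.new(service_key, quote_payload(report, nonce), hashlib.sha256).hexdigest()


def evaluate_placement(policy: VmPolicy, report: HostReport, nonce: str,
                       quote: str, service_key: bytes):
    """Return (allowed, reason). Checks authenticity first, then platform, then boundary."""
    expected = issue_quote(service_key, report, nonce)
    if not hmac.compare_digest(expected, quote):
        return False, "attestation quote does not match the presented host report"
    if report.bios_digest not in policy.known_good_bios:
        return False, "BIOS measurement is not in the known-good set"
    if report.hypervisor_digest not in policy.known_good_hypervisor:
        return False, "hypervisor measurement is not in the known-good set"
    if report.asset_tag not in policy.allowed_tags:
        return False, f"host tag {report.asset_tag} is outside the boundary for {policy.vm_id}"
    return True, "placement permitted"


def demo():
    """Run the four constructed scenarios and return name -> (allowed, reason)."""
    key = b"constructed-attestation-service-key"
    policy = VmPolicy("vm-payroll", frozenset({"DC-FRA-1"}),
                      frozenset({GOOD_BIOS}), frozenset({GOOD_HV}))
    hosts = {
        "in_boundary": HostReport("host-01", "DC-FRA-1", GOOD_BIOS, GOOD_HV),
        "moved_abroad": HostReport("host-77", "DC-US-3", GOOD_BIOS, GOOD_HV),
        "unknown_bios": HostReport("host-02", "DC-FRA-1", "00" * 32, GOOD_HV),
    }
    results = {}
    for name, host in hosts.items():
        nonce = os.urandom(16).hex()
        results[name] = evaluate_placement(policy, host, nonce, issue_quote(key, host, nonce), key)

    # A report whose tag was edited after the quote was issued must fail the
    # authenticity check, because the tag is part of the quoted payload.
    nonce = os.urandom(16).hex()
    real = hosts["moved_abroad"]
    relabelled = HostReport(real.host_id, "DC-FRA-1", real.bios_digest, real.hypervisor_digest)
    results["relabelled_after_quote"] = evaluate_placement(
        policy, relabelled, nonce, issue_quote(key, real, nonce), key)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Order of checks matters: the quote is verified before any policy field is consulted, so a tag or digest that was not covered by the attestation never influences the decision. In a real deployment the known-good digests come from a platform whitelist and the quote is verified against a TPM/TXT trust chain rather than a shared key.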
HyTrust President Eric Chiu says the problem with virtual machines today is that it is relatively simple to break the chain of custody. An IT organization may initially deploy a virtual machine in one data center, only to have the owner of that data center move it to another data center at some later date without the organization's knowledge or permission. Chiu says the Boundary Controls are designed to prevent that from occurring by ensuring that a particular virtual machine can run only in a specified data center.
Of course, where a virtual machine is running at any given time is not just a security issue. Governments all over the world are passing legislation that limits where data in the cloud can reside. Being able to ensure that the organization is actually in compliance with those laws, says Chiu, requires Intel TXT, which ensures that those policies are enforced.
Virtual machines may not be the first things that come to mind when thinking about IT governance issues. But one of the nice things about being able to apply policies directly to a virtual machine is that those policies by definition automatically apply to everything that runs above that virtual machine as well.