Service providers need to demonstrate their ability to effectively enforce policy, prove compliance and manage multi-tenancy environments, so enterprises can outsource infrastructure to the cloud, Art Coviello, president of RSA, said during his keynote address at the RSA Conference in San Francisco overnight.
Coviello said the shortcomings of security in virtualised infrastructures are holding back the full capability of cloud computing, preventing organisations from taking full advantage of the pay-as-you-go services model.
He said the cloud enabled organisations to move away from their ageing infrastructures and instead focus their investments on the business. But, "something is holding back the full realisation of this vision, and that in a word, is security," said Coviello.
Organisations need the ability to dictate and federate policy to their service providers so their information can be handled and accessed appropriately.
"And service providers should be able to tell auditors just about anything they need to know with verifiable metrics.
"The ultimate goal is to generate a concise summary that feeds into a government risk and compliance on one dashboard that demonstrates the level of compliance," said Coviello.
An additional challenge for service providers is securing multiple tenants in one cloud.
Service providers must defend the sensitive data of multiple tenants, said Coviello, who used the example of Coke and Pepsi possibly ending up on the same cloud to demonstrate the importance of securing data in the cloud.
"To achieve isolation requires controlling the flow of information between tenants," he said. "This can be accomplished by leveraging a hardware root of trust at the chip level that verifies virtual machines are running on the right hardware systems and this can be leveraged to pools of trust," he said.
Yesterday at the RSA Conference, EMC released a proof of concept in collaboration with Intel, VMware, RSA and Archer (which EMC had recently acquired), and demonstrated its vision of securing the cloud from the hardware level at the bottom of the stack upwards.
"The security industry needs to be more closely connected to the evolution of cloud computing in order for it to evolve, and it must ensure a secure protection that surpasses what physical environments offer today," Coviello said.
"The cloud will complete the transformation of IT infrastructures unleashed by the internet organisations, so we must play an essential role in making cloud computing a reality."