Gartner in private cloud security warning

Enterprises must adapt their security systems as they move from virtual datacentre use to the private cloud, according to a new report from Gartner.

The analyst firm said that the way companies provide and deliver security services needs to change, and that over a third of all security controls used in datacentres will be virtualised by 2015.

The report identified a number of elements that organisations should consider early on in any transition process when moving from virtualisation to private cloud computing.

"For most organisations, virtualisation will provide the foundation and the stepping stone for the evolution to private cloud computing," said Thomas Bittman, a vice president and distinguished analyst at Gartner.

"However, the need for security must not be overlooked or 'bolted on' later during the transition to private cloud computing."

The nature of security will not change, according to Gartner, but will be delivered in a different way, and should be "decoupled" from physical hardware and allocated to a "fabric" of computing resources.

"Policies tied to physical attributes, such as the server, IP address, Media Access Control address or where physical host separation is used to provide isolation, will break down with private cloud computing," added Neil MacDonald, a vice president and Gartner Fellow.

"For many organisations, the virtualisation of security controls will provide the foundation to secure private cloud infrastructures, but alone it will not be enough to create a secure private cloud."

Gartner said that any virtualised security plans should start with a set of on-demand and elastic services, and that security should be delivered on demand, rather than as part of a set of siloed products.

Security workloads will become standardised as the cloud expands, and can be increased, moved, modified, cloned and retired, Gartner said.

Companies will also need a programmable infrastructure, which means that APIs are used to open up security services.

This will make security "consumable", according to Gartner, and will "enable information security professionals to focus their attention on managing policies, not programming infrastructure".

The analyst firm also suggested that policies should be based on logical as opposed to physical attributes.

By incorporating Runtime context into real-time security decisions, organisations will be able to make quicker and more informed decisions about what action to take during a security incident.