What cloud security really means

Trend Micro CEO Eva Chen talks about the challenges facing enterprise security in the era of the cloud

You can look at cloud security in two ways. For customers, cloud security means facing down added uncertainty and risk -- whether you're talking about the public or the private cloud, data moves across virtual machines and shared resources, increasing exposure. For vendors, on the other hand, cloud security means a massively scalable architecture to ramp up security technology in the endless war on threats.

Eva Chen, CEO of Trend Micro, makes it her business to address both sides of the cloud security equation. In a conversation with InfoWorld's Doug Dineley and me last week, she went to the whiteboard and dove right into virtualization security: "I think there are two challenges. First, there's the traditional security agent in a virtualization environment: What is the impact and how do you optimize it to make it work? Second, in a virtualization environment, what kind of new security challenges will you have?"

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

The first problem, says Chen, is that you can't have conventional antimalware technology running in every VM -- the I/O bandwidth required is too prohibitive. Instead, Trend Micro has created an agent that integrates with VMware to protect every virtual machine on the host.

That agent (and all other Trend Micro agents) connects to the company's Smart Protection Network, a reputation-based system that identifies malware, spam, and malicious websites, allowing the agent to intervene before they can prey on the client. This is the "supply side" of cloud security; Symantec, Webroot, and others have launched similar reputation-based plans using global networks of data centers. In Trend Micro's case, the company has pushed a considerable portion of the scanning process from the client to the cloud. 

Another risk factor is multitenancy. Shared cloud infrastructure poses its own risk -- data supposedly deleted may inadvertently persist where it can be accessed by others, for example, or intruders posing as customers may discover ways to pry into other customers' data. Chen's answer to this is persistent public/private key encryption to protect cloud data -- and she believes that as we move into the cloud era, persistent data encryption will become the default. She may be right -- we're already at a point where the processing power is there.

Chen includes mobile devices as part of the cloud totality -- and as you've heard a million times by now, enterprises consider the proliferation of mobile devices as one of the greatest security threats. The ultimate answer to the challenge of mobile security, says Chen, must be a mobile gateway where you can enforce security policy down to the level of device capability (not allowing a camera to function, for example). That capability isn't available from Trend Micro or anyone else at this point, but the industry players are working on it.

Trend Micro was among the first vendors to build a reputation-based security network in the cloud. But Chen is determined to go beyond that. "Now we are going to securing the cloud," she asserts. "When customers want to use the cloud infrastructure or cloud application or storage, then how do we provide a tool to enable them to do that? That is our next journey to the cloud."

This article, "What cloud security really means," originally appeared at InfoWorld.com. Read more of Eric Knorr's Modernizing IT blog, and for the latest business technology news, follow InfoWorld on Twitter.

Copyright © 2011 IDG Communications, Inc.