The Cloud, Virtualization, and Risk

Hoff asks:

How many of you assume that virtualization is an integral part of cloud computing? From your perspective do you assume one includes the other? Should you care?

From my perspective, the whole cloud computing meme was a spinoff of virtualization; there is an assumption that virtualization makes clouds scale and therefore creates more revenue opportunities for the service providers. That said, the focus of cloud was on Platform-as-a-Service (PaaS) providers. In this case, virtualization is almost guaranteed. In fact, you should expect virtualized infrastructure for anything below the application level.

On the other hand, Software-as-a-Service (SaaS) providers that only recently started leveraging the "cloud" classification may already have extensive physical resources and don't have to leverage virtualization. This is where GoogleApps fits in.

But what is the impact on risk? We should pick a 'current state' starting point and apply the Five Immutable Laws of Virtualization Security to understand it, in particular Laws three and four, which deal with the separation and aggregation of data and resources.

If your starting point is a traditional data center with physical resources aligned fairly well with the software and data (i.e. little commingling of data and resources), then moving to the cloud will increase your risk (all other things equal). The possible exception here is hosting providers that are reinventing themselves, where dedicated physical resources are still available.

If your current state is unvirtualized SaaS, then the data and resources from multiple organizations are aggregated. From this perspective, a move to a virtualized environment would reduce the risk (again, other things equal). The reason is that better separation can be provided in virtual environments.

We certainly should care, but only to the extent that we are determining a new set of controls to harden hosts/apps. In most other respects, the real issue becomes a function of the contractual relationship with the provider.