As a new best practice, the data-centric security model (DCSM) must deliver the following capabilities to make public clouds even more secure than on-premises data centers for Fortune 500 enterprises:
Independence from CSP infrastructures: Cloud customers require an independent virtualization layer that logically isolates and separates applications and data from cloud service providers (CSPs) and other tenants.
Consistent security-policy enforcement: Encryption must be established as the new trust boundary. Security policies and controls travel with data wherever it goes, freeing cloud customers from the need to conform to CSP security postures.
Programmability: Essential security services—such as automated network configuration policies to ensure that no resources can ever be launched in an Internet-facing mode—must be logically “baked into” software. Doing so ensures that all data is opaque and inaccessible, even to the underlying public-cloud provider, while still allowing enterprises to fully employ the capacity offered by cloud operators.
Transparency: Use of increasingly sophisticated key management and cryptographic segmentation that goes well beyond current offerings, without degrading application performance, is essential. In addition, end users want to focus on building applications rather than having to install, configure and manage agent-based security solutions.
Agentless solutions are needed to ensure that security doesn’t get in the way of rapid deployment and provisioning. The best security is the kind that users never see, that is always on and that is properly enforced.
Customer control: The establishment of trust anchors ensures that security enforcement remains under the absolute and direct control of the enterprise while integrating encryption and authentication with that organization’s hardware security modules and key appliances, directory services, and certificate authorities.