The Latest

16 August 2021: VMware and AWS announced that VMware Cloud had been independently assessed by an Information Security Registered Assessors Program (IRAP) assessor against the Information Security Manual (ISM) PROTECTED controls.

Why it’s Important

IBRS has noted that VMware Cloud is becoming increasingly popular as a management platform for hybrid Cloud. Its main attraction is that it offers a smooth ‘lift-and-shift’ of on-premises vSphere environments to a hyperscale over time, with different aspects of the data centre ecosystem running in the Cloud and/or on-prem. The VMCloud approach is particularly attractive for heavily regulated organisations and agencies, since it supports Amazon Elastic Compute Cloud elastic, bare-metal infrastructure. 

By assessing the VMCloud service, public sector customers have the opportunity to accelerate their Cloud migration, moving more of the load from on-prem environments to Cloud, while retaining operational consistency with their on-prem data centre.

While VMware Cloud IRAP for PROTECTED status is very much welcome, there is also the risk that IRAP is treated more as a ‘check-box’ in a security policy, rather than a foundation on which to build robot security practices. Many Cloud breaches are not the result of zero day exploits or misconfigurations from vendors (despite recent issues with Azure) but rather weak configuration management. This is exacerbated by the ongoing skills shortage in Cloud engineers, plus the even more critical shortage of cyber security professionals.

VMware Cloud provides common approaches to managing the Cloud environment, but it is only as good as the attention to detail given to the configuration of the environment. Tools such as GorillaStack can assist, but operational security is ultimately a matter of practice.

Who’s impacted

  • CISO
  • Cloud teams

What’s Next?

When considering Cloud management tools, security certifications and IRAP assessments are a sign that the vendor has best practices in place, but are not a panacea for mitigating risk. Treat them accordingly. 

Related IBRS Advisory

  1. Cloud Security Considerations – Lessons from the Frontline
  2. PROTECTED Cloud: Cyber considerations
  3. The value proposition for PROTECTED Cloud
  4. Why Cloud Certified People Are in Hot Demand
  5. VENDORiQ: Microsoft Cloud Database Security Flaw - A Nightmare or a Wake-up Call?