As various forms of distributed computing, such as cloud computing, have come to dominate the computing landscape, security has become a bottleneck issue that currently prevents the complete migration of various capabilities and systems associated with sensitive data, such as financial data, to cloud-based infrastructures, and/or other distributed computing models. This is because many owners and operators of data centers that provide access to data and other resources are extremely hesitant to allow their data and resources to be accessed, processed, and/or otherwise used, by virtual assets in the cloud.
In a cloud computing environment, various assets, such as, but not limited to, virtual machine instances, data stores, communications systems, and various services, are created, launched, or instantiated, in a production environment for use by an application, i.e., an “owner” of the asset, herein also referred to as a user of the asset.
Herein the terms “owner” and “user” of an asset include, but are not limited to, applications, systems, and sub-systems of software and/or hardware, as well as persons or entities associated with an account number, or other identity, through which the asset is purchased, approved, managed, used, and/or created.
One major security issue in a cloud computing environment, and any production environment, is to try to ensure that each asset, and/or virtual asset, used to implement an application in a cloud computing environment, and/or production environment, is created such that the individual asset, and/or virtual asset, is in compliance with defined asset security policies.
In addition, an equally important concern is to try to ensure that each asset, and/or virtual asset, used to implement an application in a cloud computing environment, and/or production environment, is deployed in the cloud computing environment, and/or production environment, in compliance with defined application deployment security policies associated with the deployment of assets used to implement the application.
That is to say, not only is it important that individual sub-components, such as individual assets, and/or virtual assets, of an application's implementation be in compliance with applicable security and regulatory policies, but the manner and order in which the sub-components, such as individual assets, and/or virtual assets, are deployed and connected to implement the application is equally important.
Currently, ensuring both that individual assets, and/or virtual assets, used to implement an application are created and operated in compliance with defined asset security policies, and that each asset, and/or virtual asset, used to implement an application in a cloud computing environment, and/or production environment, is deployed in the cloud computing environment, and/or production environment, in compliance with defined application deployment security policies associated with the deployment of assets used to implement the application, is largely done in an ad-hoc manner, if at all, and that ad-hoc approach is not well suited to the deployment of applications in a cloud computing environment, and/or a production environment including a cloud computing environment component.
Given that applications, assets, and/or virtual assets, often process and control sensitive data, the situation described above represents a significant issue that must be resolved before highly sensitive data, such as financial data, can be safely processed in a cloud computing environment.
What is needed is a method and system for ensuring that both individual assets, and/or virtual assets, used to implement an application are created and operated in compliance with defined asset security policies and that each asset, and/or virtual asset, used to implement an application in a cloud computing environment, and/or production environment, is deployed in the cloud computing environment, and/or production environment, in compliance with defined application deployment security policies associated with the deployment of assets used to implement the application. In short, a method and system is needed to automatically and consistently ensure an application conforms with both asset level and application level security and regulatory controls prior to deployment.