| Concern | Detail |
|---|---|
| Hypervisor | The hypervisor is an additional software layer present in every vCloud environment, and it is itself an attack surface. It sits between the traditional processing environment (the guest operating systems) and the physical layer, so it must communicate with, and be trusted by, the layers both above and below it. A compromise of the hypervisor exposes every guest running on that host. |
| Segmentation and isolation | Any environment may expose sensitive data when segmentation is not configured and monitored properly; physical and logical isolation has always been an audit concern. The ease and speed with which a virtualized environment can be changed in vCloud computing, often called elasticity, make the setup and periodic review of segmentation controls even more important, because the compliance scope depends on that isolation holding. |
| Different/multiple primary functions per host | |
| Enforcement of least privilege | In a vCloud environment, remote network access is the only path offered to customers to manage their environment; there is no physical access. Audits of physical access for equipment installation and modification are therefore replaced by audits of the virtual system management software and of the accounts and roles granted within it: each management account should hold only the roles and scope its function requires. |
| Machine state and migration | Systems in a vCloud environment can change state and move between hosts quickly, so auditors need to track the authorization and change controls behind each change and migration. Migration traffic carries the memory and disk contents of the machine being moved; where that traffic is in the clear it must run over a separate, isolated network so that sensitive information is not exposed to other tenants or to the management and production networks. |
| Data is much less permanent | Cloud environments make extensive use of short-lived instances. Virtual machines may have a lifecycle far shorter than physical systems, as they are easy to provision and repurpose. Systems also share storage across large arrays, and guest memory can be swapped out to that shared storage. Permanence of data is further affected by environments that push as much storage as possible through high-speed memory to avoid the latency of spinning disks. Data can therefore exist in locations the customer does not see, and evidence can disappear when an instance is destroyed. |
| Immaturity of monitoring solutions in vCloud environments | Customers need audit trails and views scoped to their own use of the shared vCloud environment; these also support incident response and investigations. Providers have to extend and develop log management and monitoring solutions to meet regulatory and client requirements, because hypervisor and management-plane logs are shared across tenants and must be separated per customer. |
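As an added illustration of the migration-isolation concern in the table (this is not code from the original guidance; the inventory format, the host and VLAN names, and the service labels are assumptions made for this example), the following Python check walks a constructed inventory of hypervisor kernel adapters and guest port groups and reports every case where migration traffic in the clear shares a VLAN with management traffic, with another kernel service on the same host, or with a network that tenant virtual machines can reach. Migration adapters marked as encrypted are skipped, since the rule in the table applies to traffic in the clear.

```python
"""Check that live-migration traffic in the clear has its own isolated network.

Added example; not code from the original guidance. The inventory format and
the VLAN/service names are assumptions for this illustration, loosely modelled
on what an administrator would export from a hypervisor host.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class VmkAdapter:
    """A hypervisor kernel interface: which services it carries and on which VLAN."""
    host: str
    name: str
    vlan: int
    services: Set[str]        # e.g. {"management"}, {"migration"}, {"storage"}
    encrypted: bool = False   # True if the platform encrypts migration traffic


@dataclass
class VmPortGroup:
    """A virtual-switch port group that guest (tenant) VMs attach to."""
    host: str
    name: str
    vlan: int


# Constructed sample inventory (not real infrastructure).
# esx01: compliant. esx02: migration shares the management adapter/VLAN.
# esx03: migration VLAN is also used by a tenant port group.
# esx04: migration shares management VLAN but is encrypted, so not in scope.
ADAPTERS = [
    VmkAdapter("esx01", "vmk0", 10, {"management"}),
    VmkAdapter("esx01", "vmk1", 20, {"migration"}),
    VmkAdapter("esx02", "vmk0", 10, {"management", "migration"}),
    VmkAdapter("esx03", "vmk0", 10, {"management"}),
    VmkAdapter("esx03", "vmk1", 30, {"migration"}),
    VmkAdapter("esx04", "vmk0", 10, {"management", "migration"}, encrypted=True),
]
PORT_GROUPS = [
    VmPortGroup("esx01", "tenant-a", 100),
    VmPortGroup("esx02", "tenant-a", 100),
    VmPortGroup("esx03", "tenant-b", 30),   # same VLAN as esx03's migration vmk
]


def migration_isolation_findings(adapters: List[VmkAdapter],
                                 port_groups: List[VmPortGroup]) -> List[str]:
    """Return one finding per violation of the 'isolated migration network' rule.

    A migration VLAN counts as isolated only if it carries no other kernel
    service on the same host and no guest VM port group anywhere: a VLAN is a
    fabric-wide segment, so a tenant port group on any host can see it.
    """
    findings: List[str] = []
    vm_vlans: Dict[int, List[VmPortGroup]] = {}
    for pg in port_groups:
        vm_vlans.setdefault(pg.vlan, []).append(pg)

    for a in adapters:
        if "migration" not in a.services or a.encrypted:
            continue
        # Same adapter carrying migration plus another service (e.g. management).
        others = a.services - {"migration"}
        if others:
            findings.append(
                f"{a.host}/{a.name}: migration shares adapter/VLAN {a.vlan} "
                f"with {sorted(others)}")
        # Another kernel adapter on the same host reusing the migration VLAN.
        for b in adapters:
            if b is not a and b.host == a.host and b.vlan == a.vlan:
                findings.append(
                    f"{a.host}/{a.name}: VLAN {a.vlan} also used by {b.name} "
                    f"for {sorted(b.services)}")
        # Guest port groups on the migration VLAN expose memory/disk contents.
        for pg in vm_vlans.get(a.vlan, []):
            findings.append(
                f"{a.host}/{a.name}: migration VLAN {a.vlan} is reachable by "
                f"guest port group {pg.name} on {pg.host}")
    return findings


if __name__ == "__main__":
    for line in migration_isolation_findings(ADAPTERS, PORT_GROUPS):
        print("FINDING:", line)
```

The cross-host port-group check is the one most often missed in a manual review: an administrator looking at a single host sees a dedicated migration adapter and concludes the traffic is isolated, while a tenant port group on a neighbouring host is tagged with the same VLAN.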