Foreword

I’ve worn a lot of hats in my career, from investment banker to venture capitalist to business entrepreneur. And I’ve been fortunate to have been at the forefront of a number of technology waves, from mainframe to client/server computing, the Internet boom, and now the continuing rise of mobile and cloud computing. Each new wave brings technology disruption driven by an industry in transformation, and each enables new levels of efficiency and operational productivity. However, in line with that, each new wave also brings new security risks and operational concerns.

Virtualization and cloud technologies are no different. They’re bringing about the most significant data center transformation in the last 20 years, and are enabling enormous benefits in terms of cost savings, flexibility, and business agility. But at the same time, there’s been a correspondingly significant shift in the security risk posture. The new platform that cloud environments create brings together all an organization’s critical systems, applications, and data, which, in essence, leads to a concentration of risk. That on its own should get executives to stop, sit up, and take notice. Without the proper controls in place (as you can very well imagine) a data center–and thus business–disaster can ensue. Critical systems and data might be accessed, copied, and deleted in one fell swoop or at the touch of a button. Servers that IT used to think of as physical boxes that can be racked and stacked are now simply sets of files. The data center is becoming a software abstraction that can entirely be managed remotely.

Further, in this new environment, godlike privileges are enabled over the entire set of virtualized resources. A single systems administrator—or someone hijacking someone’s privileges to escalate an attack—can copy a virtual machine or delete an entire virtual data center in a matter of minutes. Misconfigurations can now cause serious downtime owing to the greater number of systems. And, audit failures are more likely to happen given that now the new platform is subject to audit.

And we aren’t done yet. Technology is moving toward software-defined networks and storage to enable the “software-defined data center.” This concentrates risk further and creates additional security and compliance challenges.

Such radical changes demand a new approach to security and chain of trust—one that addresses these risks specifically. It’s more critical than ever, given these factors: (1) concentration of risk, as noted; (2) attackers becoming much more sophisticated; and (3) higher stakes, such as insider risk and data leaks, and advanced external threats and privilege hijacking to escalate attacks. A few good examples include Edward Snowden’s leak of classified NSA documents; the theft of hundreds of millions of Target customers’ personal information; and the Adobe breach that compromised tens of millions of user accounts and payments information, not to mention top-secret source code.

The new chain of trust must start from the hardware as well as the virtual infrastructure, to ensure you can trust the operating systems and applications that are running on virtual machines. It needs to work across private, hybrid, and public clouds so that the policies required for workloads can be dictated and enforced automatically. And it must be tied to data security to ensure VMs are encrypted unless they’re running in authorized environments.

Looking ahead, cloud security from hardware-to-data will be critical to enabling faster adoption of cloud services.

This book is a great read for those looking to build secure foundations for cloud environments. As seasoned experts in virtualization, enterprise architectures, and security technologies, Raghu and Enrique provide a pivotal discussion of cloud security issues, the challenges companies face as they move into the cloud, and the infrastructure solution components required to address the new security requirements and controls.

—Eric Chiu, President & Co-Founder, Hytrust, Inc.
