This post continues the discussion in my “The Cloud Mystery Machine” post.

Open Virtualization Format (OVF) is a good start for standardizing definitions for VM metadata; however, let’s not forget that today OVF is only used to import VMs to a proprietary virtual infrastructure, and has no use at runtime. That being said, if you move a workload to the cloud, do you know where it is? You may think “Why do I care?” Organizations concerned with issues such as data export restrictions and data privacy care. When using virtualization platforms in the cloud, some workloads will require the identification of the physical runtime location and physical data location. In addition, the location of the application execution in relation to other systems within the shared physical infrastructure is also important. An auditor should be able to collect such information via a standard query. Unfortunately, that’s not possible today. Today, thanks to OVF’s extensibility, it’s technically possible for a VM to communicate its security requirements to a service provider, although I have yet to see a cloud service provider use OVF in such a way.

Providing simple and industry recognized methods for identifying VM and data location in the cloud is a difficult problem to solve. Again, the question isn’t just about where, but also about the relationship to required isolation mechanisms, whether they be virtual or physical firewalls, isolated virtual or physical network segments, or isolated storage, for example. Of course, how the provider defines “isolated” is equally important.  Last year, I talked about the need for standardized cloud security models in this post. This is a difficult problem to solve, and that’s why all vendors that have a stake in cloud computing need to begin working on such standards today. And speaking of standards, unfortunately I doubt we’ll see an industry standard that addresses cloud infrastructure location and isolation issues anytime soon. Instead, I’m looking at vendor combinations such as VMware/EMC/RSA or Microsoft/Citrix/HP to deliver solutions that emerge as de facto standards in the coming years.