Catbird, a specialist in supplying virtual machine security, will be the source of a new Amazon cloud application that supplies security surveillance to virtual machines running in EC2.

The fact that a security system is monitoring virtual machines and is ready to enforce SOX, PCI and HIPAA policies brings cloud workloads into compliance with those regulations, said Michael Berman, Catbird CTO. If he's correct, then a major barrier to offloading IT workloads from the enterprise data center to the cloud may have found a solution.

In addition to Catbird, many security companies are working on surveillance systems for monitoring virtual machines running in cloud computing environments, including Trend Micro and McAfee. VMware has published a VMsafe API through which such companies may connect their monitoring and policy systems to the virtual machine.

A version of Catbird's vSecurity Cloud Edition is available as an application in Amazon's EC2-approved catalog of application services; thus far it is the only security service available in EC2. By tapping the Catbird application, a customer can provision an EC2 server with Catbird to monitor the operation of virtual servers running his or her workload. Doing so satisfies one of the primary requirements of SOX, PCI and HIPAA regulations, even though the workload has left the user's premises and is being executed in the cloud.

"You can't be PCI compliant without vulnerability monitoring," Berman said. That's made it hard to conceive of some workloads moving out of the data center to be executed in a public cloud, where the data owner doesn't control the security provisions of the servers.

But the Catbird service, which amounts to the customer commissioning another Amazon Machine Image virtual server and paying Amazon's hourly charges as well as the Catbird subscription, can sit next to the running virtual machines, monitoring their network traffic and analyzing it for trouble.

In addition to PCI, HIPAA, and SOX, the service can monitor for DIACAP compliance, COBIT, or Control Objectives for Information and related Technologies, a best practices framework for IT operations set up by the IT Governance Institute; and FISMA, the Federal Information Security Management Act of 2002, compliance.

"We do port scanning," said Berman, referring to the checking of server ports to see whether they are closed in the Amazon setting rather than open and subject to an intruder. "Is a port open when it shouldn't be? That's a vulnerability" that's not allowed under various regulations, he noted. The security monitor performs many other vulnerability detection functions, such as blocking cross-site scripting attempts.