June 12, 2012 | Palo Alto, California: MetricStream, the market leader in Governance, Risk, and Compliance (GRC) solutions, has acquired TBD Networks, a San Jose, California-based cloud transformation company, and its vPanorama cloud GRC technology. By incorporating vPanorama into its IT-GRC solution, MetricStream will enable customers to seamlessly manage regulatory compliance, privacy requirements, security threats, vulnerability risks, and performance metrics across the entire spectrum of virtual assets in the cloud, as well as on-premise virtual infrastructure. The latter comprises private clouds based on platforms such as VMware vSphere.
An increasing number of IT resources - including business-critical applications and highly sensitive data - are being moved into the cloud. While the cloud offers significant benefits in terms of efficiency, scalability, and economy, it also presents an entirely new set of security risks that IT organizations are only beginning to understand. In addition, the cloud increases the complexity of the IT environment - today companies are using a combination of both on-premise physical systems and virtualized IT infrastructure in the cloud which, in turn, may be private, public, or hybrid.
MetricStream offers IT security, risk, and compliance managers a simple, action-oriented way to monitor the virtualized environment alongside on-premise infrastructure. vPanorama's groundbreaking technology provides granular visibility into and control over security configuration assessments, continuous controls monitoring, risk management, and threat and vulnerability tracking. It also helps meet compliance requirements around industry standards, cross-border data transfer, service level agreements (SLAs), segregation of duties (SoDs), and general computer controls (GCC). The technology minimizes inefficiencies, and enhances the reliability and performance of the cloud infrastructure.
vPanorama, developed by TBD Networks under the VMware Technical Alliance Partner Program, has been the building block of some of the world's largest virtual environments, including the US Air Force's global network environment.
"Traditional IT operations are based on physical asset models and stable relationships between servers, networks, and storage elements. But with virtualization, system services and servers can be provisioned, replicated, updated, and de-provisioned with a single click; network and storage mappings are made fluid; VMs can be easily moved across and between enterprises, by-passing all traditional security controls," says Thomas Ludwig, CEO of TBD Networks. "Virtualization and the cloud have fundamentally changed the overall model of IT governance, and significantly impacted security and risk. vPanorama is designed for this new paradigm, and augments the MetricStream IT-GRC solution, delivering a panoramic view and a fine-grained management framework for heterogeneous virtual environments."
"With the acquisition of vPanorama, MetricStream breaks new ground in IT security, risk, and compliance management. It brings to market the only IT-GRC solution that enables the highest and most consistent level of assurance and control for both cloud infrastructure and on-premise systems," says Shellye Archambeau, CEO of MetricStream. "Companies need to relook at their IT-GRC strategies and incorporate cloud GRC so that they can confidently embrace virtual infrastructure, and fully harness the power of cloud computing. With the help of MetricStream, customers, for the first time, can get clear visibility into and exercise control over their compliance status and risk posture in the cloud."
The U.S. National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA) view cloud GRC as a critical issue. NIST recently released a draft of Special Publication 800-144, "Guidelines on Security and Privacy in Public Cloud Computing," which recommends steps to be taken in nine topical areas: Governance, Compliance, Trust, Architecture, Identity and Access Management, Software Isolation, Data Protection, Availability, and Incident Response.
The CSA makes similar recommendations in v2.1 of the CSA Guide - "Effective governance and enterprise risk management in Cloud Computing environments follows from well-developed information security governance processes, as part of the organization's overall corporate governance obligations of due care." The report goes on to say, "The fundamental issues of governance and enterprise risk management in Cloud Computing concern the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management, and compliance."
As part of the acquisition, the TBD Networks team will join MetricStream to drive product innovation and R&D around how enterprises should respond to emerging risks from virtualized infrastructure, mobile devices, reliance on managed service providers, cloud applications, digital and social media, and the resulting Big Data.