If you have a hybrid cloud, you’ve had to deal with security. Whether you are pairing private and public cloud or running a complex, multi-cloud architecture, security is one of those areas where you can throw a lot of technology at the problem without getting results. What you need is the right mix of strategy and planning, followed by technology selection. You also need a single security toolset that covers public, private, and on-premises systems.
So what’s a hybrid cloud owner to do? It’s really a matter of thinking differently—and holistically. It’s a matter of not getting bogged down with the technology too early and understanding that you need to do a lot of strategic planning before selecting and implementing a technology.
Be proactive about security and don’t leave out any existing systems
One common mistake IT security professionals make is to leave existing enterprise systems out of the planning process. Include them in your overall hybrid cloud security strategy, as well as your tool selection process. Your objective should be to form a larger layer of abstraction over and above private clouds, public clouds, and traditional legacy systems so that you can manage everything from a single pane of glass and avoid dealing with the complexity of each platform.
You need to be proactive. The breaches that have made the news of late have been largely due to two problems:
- The platform owners did not update the systems to deal with emerging vulnerabilities.
- They didn’t perform the kind of proactive monitoring that would have spotted the threats before they actually became breaches.
With millions of dollars paid out in settlements around these breaches, the concept of proactive security is beginning to ring clear in boardrooms, as well as within enterprise IT.
Security systems should exist above the cloud
As the figure below illustrates, the ideal security system should exist above the private cloud, the public cloud, and traditional systems (bare metal). In the past, you managed security at the platform level, hoping that user IDs and passwords would protect platforms from unauthorized use. Those assumptions were flawed.
Figure: Hybrid cloud security should exist over all cloud platforms and encompass most major security systems.
The security systems sitting above the platform consist of a collection of security services that support all platforms, both cloud and non-cloud. While most people think this leads to a least-common-denominator approach, where security can’t be all things to all platforms, the reality is that you’re leveraging tools that are designed to secure diverse, distributed platforms.
Include identity and access management (IAM) systems at the core of your security stack. IAM assigns identities to services, resources, people, applications, and so on, on any platform, and grants access only where one identity is authorized to access another. This should be the core security system in a hybrid cloud solution that includes enterprise systems, because it’s designed to sit above many different systems and provide a common set of security services. Other security systems include:
- Encryption. You need it to deal with data at rest, and your in-flight data needs to be encrypted for security and compliance reasons. Bear in mind that encryption is typically overused and that you pay a performance penalty when you encrypt everything. However, it’s worth it to invest in tools to manage encryption services, and key management as well, if you use encryption a great deal.
- Governance is the process of placing policies around resources, services (such as APIs), or data to define how people can access those things. Governance should work across cloud and non-cloud systems to ensure that resources are not accessed out-of-policy and that users do not saturate those resources. Policies are centrally defined, and resources should only be accessible once cleared by the governance system, as well as whatever security tools you have in place.
- Compliance is directly related to governance. You can use compliance tools to create and manage policies that link defined processes and limitations that you must place on hybrid and on-premises systems in order to comply with laws and regulations. For example, some parts of your database may only be accessed from requests that come from certain countries. If you create a policy that enforces this limitation, your cloud and non-cloud systems will be compliant. Moreover, you need logging to create an audit trail so that others can understand what occurred and to ensure that you are in compliance with laws.
- Usage-based accounting means that you’re monitoring the use of cloud and non-cloud systems by recording what resources have been expended and by whom. For example, if the warehouse is using 60 percent more public cloud services than budgeted, usage-based accounting makes you aware of that so that you can correct the issue. Moreover, you can use these tools to predict future use, as well as adherence to SLAs (service level agreements). As with public cloud services, internal systems, such as legacy and private cloud, aren’t free. If you over- or under-use those systems, you’ll cost the business money in terms of unnecessary hardware refreshes and the opportunity cost of having underutilized resources.
- Orchestration systems let you configure all of the platforms in your hybrid cloud architecture and traditional systems so that you can use services and resources from each platform, as well as from the systems above those platforms. Applications might be using a storage service from a public cloud, processing services from a private cloud, and receiving input from an on-premises, legacy system. These orchestrations need to coexist with IAM and encryption.
- Security monitoring is vital. Enterprises that use proactive security monitoring mechanisms and approaches can spot and fight attacks in a timely manner, before they result in a break-in. Unfortunately, many companies only discover after a breach that attacks had been going on during the days or weeks leading up to the event.
When people hear the term security monitoring, they tend to visualize a human staring at a screen displaying graphs and alarms. It’s more like a security-oriented governance system in which you’re setting up policies that define limits. When those limits are exceeded, the system takes action immediately. For instance, if there are several attempts to log into a storage system from outside of the country or from a country where you aren’t likely to have a legitimate user, the monitoring system can automatically block that IP address until a security admin can review what’s going on. This applies to public, private, and legacy systems.
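A worked example of the policy-driven checks described in the compliance item above (a resource reachable only from certain countries) and in the monitoring paragraph just above (repeated login attempts from an unexpected country trigger an automatic block pending admin review), added here as example code that is not part of the original article. The policy, the IP-to-country table and the log lines are all constructed; a real deployment would use a GeoIP database and its actual authentication log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical policy: source countries allowed per resource, and how many
# out-of-policy login attempts per IP inside a window trigger an auto-block.
POLICY = {"allowed_countries": {"storage-archive": {"US", "CA"}},
          "max_attempts": 3, "window": timedelta(minutes=5)}
# Constructed IP-to-country lookup standing in for a GeoIP database.
GEO = {"203.0.113.7": "ZZ", "198.51.100.4": "US", "192.0.2.9": "CA"}
LINE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) resource=(\S+)$")

def parse(line):
    """Parse one constructed auth log line; None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, user, src, resource = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "resource": resource}

def in_policy(event, policy=POLICY, geo=GEO):
    """Compliance check: may this source country access this resource?
    Unknown IPs map to '??', which never matches an allowed country."""
    allowed = policy["allowed_countries"].get(event["resource"])
    return allowed is None or geo.get(event["src"], "??") in allowed

def evaluate(lines, policy=POLICY, geo=GEO):
    """Return (blocked, violations): IPs blocked pending admin review, and
    every out-of-policy attempt, whether or not it crossed the threshold."""
    recent = defaultdict(list)      # src IP -> timestamps of recent violations
    blocked, violations = {}, []
    for line in lines:
        ev = parse(line)
        if ev is None or in_policy(ev, policy, geo):
            continue
        violations.append((ev["src"], ev["user"], ev["resource"]))
        # Drop attempts older than the sliding window before counting.
        cutoff = ev["ts"] - policy["window"]
        recent[ev["src"]] = [t for t in recent[ev["src"]] if t >= cutoff] + [ev["ts"]]
        if len(recent[ev["src"]]) >= policy["max_attempts"] and ev["src"] not in blocked:
            blocked[ev["src"]] = {"status": "pending_review", "since": ev["ts"]}
    return blocked, violations

# Constructed sample log: three attempts from an unexpected country within
# two minutes, plus two in-policy logins that must not be flagged.
SAMPLE_LOG = [
    "2024-01-15T09:00:00 login user=alice src=203.0.113.7 resource=storage-archive",
    "2024-01-15T09:00:30 login user=alice src=203.0.113.7 resource=storage-archive",
    "2024-01-15T09:01:00 login user=bob src=198.51.100.4 resource=storage-archive",
    "2024-01-15T09:02:00 login user=admin src=203.0.113.7 resource=storage-archive",
    "2024-01-15T09:03:00 login user=carol src=192.0.2.9 resource=reporting",
]
```

Running `evaluate(SAMPLE_LOG)` blocks 203.0.113.7 with status `pending_review` on the third out-of-policy attempt, while the US and CA logins and the unrestricted `reporting` resource pass untouched.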
Understanding your enterprise system security requirements first
When addressing hybrid cloud security, start by understanding your own requirements. Enterprise IT organizations have a tendency to move in the same direction as their peers, but your own unique needs should define the right security solution for your organization.
To get a grip on those requirements, you must understand:
- The vertical market that you’re in, including any compliance issues that you need to understand.
- The systems you need to secure. This includes public clouds, private clouds, and legacy systems, all of which should fall under the same security umbrella.
- Performance and SLA issues, including internal SLAs and SLAs related to public cloud providers. You must maintain SLAs in the context of your security system.
- Security use cases. How will attacks likely occur? How will you spot them on each platform? Also, what automated, corrective action will you take?
This gets pretty involved, as it should. This is the kind of systemic security you need if you want to drive your enterprise and cloud systems for the next several years. It’s all about strategy and understanding what details are important. You must deal with the interfaces to your legacy systems, as well as how the IAM system should work across all systems. That includes public clouds, private clouds, and traditional, on-premises systems.
Don’t leave out legacy systems
Too many enterprises still leave legacy systems out of their security strategy. They consider cloud-based platforms more modern and thus falsely assume that those platforms need modern security approaches that will be incompatible with legacy systems.
But unless you include all of the systems that drive enterprise applications and data, your security strategy will have massive holes in it that attackers will quickly find.
Legacy systems, although different and even more expensive to secure, become the entry point of choice that allows access to private and public cloud systems through the back-end integrations that often exist. You need to think in terms of systemic security, or you will raise the level of risk.
While this seems like a lot of work, the reality is that it’s only a few months of effort, at the most, for most Global 2000 enterprises to define their requirements. That’s where most of the thinking and planning happens, and then it’s a matter of picking the right technology, which is the easy part.
But then you move to a security operations (SecOps) posture, and that becomes an exercise in persistence, repeatability, and continuous improvement to keep yourself off the morning news.
Choosing the right hybrid cloud security tools is not an easy trick, but it is a simple, straightforward one: Do a thorough job of strategically planning the requirements and scope before selecting and implementing a technology.