When we look at the Secure Hybrid Cloud, we notice a few things immediately, such as the need to look at how the data is moving, where the users are going, and the fact that they may never touch the data center component of the cloud at all. Our worldview has to change to be more user-, app-, and data-centric. Hybrid cloud security fails if we continue to consider our data center protections enough, as the bastions have moved and we may not know how that happened.
When we look at the hybrid cloud, we may not see all of it immediately. Actually, most security professionals look at this diagram (below) and proclaim that we are protected. They believe this because they think they can control all cloud interactions by forcing all traffic through their HW Edge firewall (Figure 1), when in reality the user may never touch the data center HW Edge firewall at all. For example, the user may access their SaaS cloud via a smartphone and end up directly within Salesforce or somewhere else, such as Dropbox.
Figure 1: Secure Hybrid Cloud
There are three parts to our secure hybrid cloud that are of interest:
- Transition – The transitional component of a secure hybrid cloud contains all items that allow access to or move data between multiple cloud instances, between those clouds and a data center or centers, or between the end user computing device and clouds and data centers. The transitional component is fairly fluid, yet traditional security approaches can play within this arena if the transition is contained within a controlled area. Unfortunately, that may not actually be the case. See these other posts:
- Cloud – The cloud includes all places outside our immediate control where data could end up or from which data could be taken. In some cases, it is even used to further our transitional goals. This is where APIs tend to live. However, the chances of adding traditional security into this aspect of the secure hybrid cloud are generally low without great expense (and the fact that you will end up in a managed hosted environment over a cloud). Check out these posts:
- Data Center – The data center is generally within our control and could be a private cloud or just a collection of virtual and physical machines. The data center may transfer data between multiple data centers or back and forth to and from the cloud. Within the data center, which is generally under our control, we can attempt to add in traditional security approaches. See the following posts:
However, that is not my use of the HW Edge. In some hybrid clouds, the HW Edge is nothing more than a gateway into the cloud from some physical end user computing devices, such as desktop computers, but the HW Edge may not be used for anything related to mobile devices. This implies that the vast majority of user interaction may never go through our HW Edge device.
Hybrid Cloud Transition: The Wild West
The hybrid cloud transition, as we discussed previously (see right), is the critical component of any secure hybrid cloud, as it is the area of the design that tracks user interaction, data motion, identity, etc. However, we can never forget the data center, either, regardless of how it is used. It could be a full-blown data center with thousands of systems, or it could be nothing more than a short stack of switches and a gateway for an office that uses only wireless devices. If it helps, consider remote office back-office (ROBO) deployments as the data center of the future. Very little remote data, all talking back to—yes, you got it—a cloud service and not actually a data center in your control.
So, the question arises: how do you apply controls within this new model? One method is to control how administrators access the cloud services; once you control your administrator access, the Wild West looks less wild. We all say to access our bank accounts only from well-known locations; accessing the security controls of a cloud is just the same. Perhaps all we have done is start a virtual desktop into which we have installed the necessary security management and automation software. From there, the software is like a spider. It automates the controls surrounding all aspects of the cloud, and in addition, you gain some level of auditable control over what administrators are actually doing within your secure hybrid cloud.
Control over users is a bit different and is where continuous monitoring, analytics, and good choices for cloud services come into play.
To gain control of at least your administrators, you must first understand how the cloud is being used, as well as which services are in use. Once you know this, you can properly choose the controls for the environment or at the very least monitor what is happening within the environment.
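As an added example (not code from the original post), the following Python script takes the two steps above over constructed web-proxy log lines: it inventories which cloud services users actually reach, and it flags administrative console access that did not originate from the management virtual desktop described earlier. The log format, the service catalogue, the console hostname and the virtual desktop address range are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sample web-proxy log (not from the original post).
# Assumed format: timestamp user src_ip method host path status
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:01Z alice 10.20.5.17 GET login.salesforce.com /console 200
2024-03-01T09:00:04Z bob 10.20.5.31 GET www.dropbox.com /home 200
2024-03-01T09:02:00Z dave 10.20.9.8 POST console.aws.amazon.com /iam/home 200
2024-03-01T09:02:30Z erin 10.30.1.5 GET console.aws.amazon.com /iam/home 200
2024-03-01T09:03:00Z frank 10.20.5.50 GET wiki.corp.example /page 200
"""
# Constructed catalogue of cloud services, keyed by domain suffix.
SAAS_CATALOG = {"salesforce.com": "Salesforce", "dropbox.com": "Dropbox",
                "aws.amazon.com": "AWS"}
# Hosts that are cloud administration consoles (assumption for this example).
ADMIN_CONSOLE_HOSTS = {"console.aws.amazon.com"}
# Egress range of the management virtual desktop, the only expected source
# of admin console access (assumed value).
ADMIN_VDI_NET = ipaddress.ip_network("10.30.1.0/24")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, method, host, path, status = m.groups()
    return {"ts": ts, "user": user, "src": ipaddress.ip_address(src),
            "method": method, "host": host.lower(), "path": path, "status": int(status)}

def service_for(host):
    """Map a hostname to a catalogued cloud service name, or None if unknown."""
    for suffix, name in SAAS_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None

def inventory(log_text):
    """Which cloud services are in use, and by whom: {service: {users}}."""
    seen = defaultdict(set)
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        svc = service_for(entry["host"])
        if svc:
            seen[svc].add(entry["user"])
    return dict(seen)

def admin_access_violations(log_text):
    """Admin-console requests that did not come from the management desktop."""
    return [e for e in filter(None, map(parse_line, log_text.splitlines()))
            if e["host"] in ADMIN_CONSOLE_HOSTS and e["src"] not in ADMIN_VDI_NET]
```

On the constructed log, the inventory shows Salesforce, Dropbox and AWS in use, and the one console request from outside the management desktop range is reported as a violation.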
Closing Thoughts
You can gain back control of your secure hybrid cloud, but it will take quite a bit of work. You will want to understand what is currently in use, perhaps using tools from Skyhigh Networks. You then need to understand what data has proliferated around your hybrid cloud, perhaps by interacting with users and determining how they use cloud services. But the very first step is to perform some form of data classification, as you do not want to waste your time securing something that is unclassified and unimportant. With proper data classification in place, you can then determine the next steps.
Use the hardware edge firewall and security devices properly; do not assume all data moves through this device. Instead, assume that the only data moving through this device is the data that is already on-site and is perhaps migrating out to the cloud. Part of this understanding will start with data classification and end with an understanding of user-, app-, and data-centric security, which moves the moats much closer to the data.
Have you classified your data? Do you understand how your data moves in and out, as well as around the clouds your organization uses?
Good article. Most organizations move to a hybrid cloud as its security and privacy are tighter than a public cloud while at the same time offering its flexibility, such as load balancing. I work for McGladrey and there's a whitepaper on cloud security risks and benefits of moving to the cloud that will interest a few readers. @ “Cloud risks striking a balance between savings and security”