With the diversity of cloud’s available today, data being sent from one to another could appear to be a hodge-podge of security. As one colleague put it recently when I asked what he was expecting to maintain integrity of data in motion between clouds:
“… what kind of kludge can things end up being when you have multiple connections to multiple hybrid clouds all doing different things” — Steve Beaver
So how does data transfer between the clouds? Is it a kludge? or can it be done using a uniform security policy, procedures, and protocols while maintaining Integrity and Confidentiality and auditability?
The answer is not very straight forward, in 3/24 Virtualization Security Podcast we discussed Architectural is within the virtual environment and the cloud. The answer to this question depends on architecture of an environment as well as what Security as a Service protocols are required. So if we were to bundle Zscaler, Cloud Passage, with a Hybrid Cloud using vSphere, what inter-cloud connections would exist and how would we protect them?
- For vSphere, transfer of data from one cloud to another is achieved using vShield Edge’s IPsec based Tunnel established between two clouds or use another solution like Afore Systems to achieve the same goal. Cloud to Cloud traffic is encrypted via some tunnel.
- For Zscaler you could use standard protocols or an encrypted GRE tunnel.
- For Cloud Passage there is an AES128 Tunnel from the Halo Daemon to the Halo Grid.
So when using these three components within an hybrid cloud (where 1 component of the cloud is within the enterprise domain and one component is within a cloud provider’s domain) there are at least 3 secure connections involved, all using different ports and protocols. But there could also be more! You need to also answer the following questions:
- Where will customer/partner/employee’s be entering the cloud?
- Will the customer/partner/employer require an encrypted access point?
For typical web traffic, this often implies use of SSL by customers, but could require a VPN for partner or employee access as they often have to access different data than customers. So the question then becomes how can these controls also flow between the components of the hybrid cloud? Which also leads to the question of where do you perform load balancing as very few enterprises have just one web server. So now we have other questions to answer.
- Is a VPN required for access to internal web data by partners and employees?
- Is SSL required by customers?
- Where does the back-end databases live? Is data encrypted going to these databases?
- What is the latency of data moving between clouds, can this be improved?
- Where is the primary load balancer located or is DNS load balancing going to be used to send data to regional clouds?
- If a regional cloud is going to be used, how do we handle jurisdictional issues, such as someone who works in the EU, always connecting to an EU regional cloud instead of one with another country outside the EU when they travel?
This is quite a bit to think about and even more questions to ask, and it all stemmed from the question of
“… what kind of kludge can things end up being when you have multiple connections to multiple hybrid clouds all doing different things” — Steve Beaver
When you plan on going to the cloud whether it be private, hybrid, or public. The key is to fully understand how your data will move between the clouds, and how you plan on handling different types of data and ultimately where that data will live, even temporarily. With the ultimate question being:
How to achieve Integrity and Confidentiality of your data when it is within the cloud?
You must start with a good Cloud Architecture that includes security concerns from the beginning. Understanding the technologies you wish to use will be crucial.
This is great stuff. Thank you.
Where we’re seeing problems with our customers is with how to manage all of this from a contractual and financial basis. Cloud may be an outstanding approach, and security is unquestionably vital, but IT still has to deliver services at a price – and, will have to manage the contractual and financial issues even if a company goes all Cloud and outsourcing.
Another issue that is attached to this is how companies are not managing their software proactively to ensure they are staying in budget. When server managers handled all the needs of their servers that sort of management was included. Now, with Request through Provisioning automated, software costs from VM sprawl can spin out of control – the old-fashioned, after-the-fact management isn’t working. One of our customers had a software true-up, with one vendor, of 21% of their IT budget – all the savings from consolidation and virtualization wiped out and more.
As we automate the high-speed provisioning of VM, LPAR, VDI, and Cloud – we need to be mindful of the including in the same kinds of management controls over software that we have for hardware – financial approvals based upon a delegation of authority, in advance of the expenditure, segregation of duties, etc. Else, some companies are failing to levels that are causing material misstatements and failure of corporate audit.
Hello Cary,
More great insight. It is so easy to put things in the virtual environment and with ITaaS within the cloud, so now we have to be cognizant of licensing costs, etc. I think this would need to be built into ITaaS provisioning tools to tell me if I will exceed my licensing or utilization chargeback limits and then do something intelligent with this prediction.
Management controls are going to have to change going forward, whether this will or not depends on the compliance controls used for the Cloud and how everything translates when a Cloud is in use. At the moment we are not seeing much translation, but application of the same set of controls. While some do apply many do not.
Best regards,
Edward L. Haletky