Techniques for securing hybrid clouds and the software defined data centre
- 31 January, 2017 05:56
Sitting at the heart of every large organisation, the data centre has experienced fundamental change during the past decade. A strategy of consolidation was followed by the adoption of server virtualisation, evolving centres into the smaller and denser facilities seen today.
While these changes delivered benefits in terms of lower capital costs and reduced operational expenses, the job isn't finished. Organisations are now adding private cloud and software-defined data centre (SDDC) technologies to their mix. The goal is not only to further streamline IT infrastructures but to make them more responsive to business requirements.
According to research by ESG, 75% of organisations are making some use of public cloud services today. The survey found 23% of organisations are currently running between 41% and 50% of their applications and workloads in the cloud, and this proportion is growing by the month.
The security challenge
While cloud platforms and SDDC technologies clearly deliver some significant business benefits, they also bring some challenges when it comes to security.
A problem typically arises because, as organisations increase their usage of these technologies, they tend to fall behind when it comes to security. The reasons for this include:
- Lack of skills: Security teams often lack strong cloud computing skills and the gap is especially pronounced when it comes to cloud security. According to ESG research, a third of cyber-security professionals believe that cloud security represents the biggest skills deficiency within their organisations.
- Cloud automation and orchestration: These techniques are antithetical to security. Cloud computing tends to go hand-in-hand with agile development and DevOps orchestration, however these are designed to accelerate application delivery and maximise application performance rather than provide adequate security protection and oversight.
- Non alignment with cloud platforms: Traditional security monitoring and controls are not always aligned with cloud and SDDC. These controls were designed to reside on networks and servers to examine packets, detect anomalous activities, and block actions based upon set rules. These methods don’t always work well with cloud computing and SDDC as these technologies add virtualization technology, layers of abstraction, and physical distance to workloads and networks.
Achieving cloud security
Security teams are faced with either quickly improving their cloud security skills, processes and technologies or dealing with a future of ever-increasing and unacceptably high IT risk. The best strategy is to build on existing best practices and technologies and extend their support to cloud and SDDC.
To achieve synergy between security best practices, cloud platforms, and SDDC, the deployed security technologies should include:
- Familiar management tools and techniques: IT security teams must shift their perspectives to focus on securing workloads and cloud-based data rather than just servers and networks. For example, a cloud-based workload containing regulated data should be secured with similar controls and oversight as used for a mission-critical server residing on the corporate network. Similarly, SDN policies should emulate those associated with firewall rules and network segmentation. This should be done by extending management techniques for policy management, provisioning, and configuration management, based upon workload classification, location, and access requirements.
- Comprehensive visibility, monitoring, and reporting: Security teams can't manage what they can’t measure, and this applies to all security activities as they relate to physical, virtual, cloud, and SDDC infrastructures. Security teams also need security monitoring and analytics tools that cover this entire spectrum in order to mitigate risk, detect problems, and respond to incidents rapidly.
- Support for cloud automation and orchestration: Cloud and SDDC security management must be closely aligned with DevOps processes. This requires the ability to create security templates that automatically provision the right security controls based upon workload classification, regulatory compliance requirements, or corporate governance.
- Advanced security controls: New types of security controls are evolving in lock-step with the evolution of cloud and SDDC technology. For example, both cloud and SDDC technologies build upon network security with support for micro-segmentation, using software to create virtual network segments for communication only between assigned assets. Micro-segmentation can be an important first step in avoiding cyber-attacks within the virtual network.
- Heterogeneous technology support: Large organisations are increasingly following data centre strategies that incorporate open source, on-premise private cloud and SDDC technologies, and public cloud infrastructures. Cloud security tools must therefore integrate with leading cloud and SDDC technologies with common command-and-control management and reporting in order to provide enterprises with appropriate security oversight.
Cloud computing and SDDC represent a significant IT transition for organisations and require new skills, policies, and processes. While DevOps teams are progressing in these areas, many security teams have not been able to keep up with an accelerated pace. As a result, their organisations are at risk.
The solution is to marry security best practices with specific policies, processes, and controls designed for cloud and SDDC environments. These must include comprehensive monitoring, tight integration, and granular policy enforcement.
If this approach is taken, organisations can take advantage of all the benefits offered by cloud platforms and the SDDC while also knowing their IT infrastructures are secure at all times.