Orchestrate your hybrid IT security – The 5 top considerations
This article was originally published in IT Pro Portal on September 15, 2017.
Not long ago, many businesses were still in the infancy stage of understanding the potential flexibility and efficiency created by the cloud. Fast forward to 2017 – organizations of all shapes and sizes recognize the strength of cloud-based infrastructures. But just as each business is unique, their cloud environments are unique as well, and depending on organizational needs, many blend public cloud and private cloud, known as a hybrid cloud model.
The hybrid IT or cloud model is perceived as the ideal environment, enabling your company to extract the maximum benefit from both public and private models. You can take advantage of the scalability and flexibility of the public model for less sensitive tasks while benefiting from the faster data transfer and increased privacy and security of the private model. The tighter control over security makes it a smart choice for businesses in industries with strict compliance and data privacy standards that still want to benefit from the public cloud scale and flexibility.
The Shared Responsibility Model
Security in the hybrid model is the responsibility of both you the customer and your public cloud service provider. This concept is known as the “cloud shared responsibility model,” which delineates the areas of responsibility between you and your vendor. The cloud service provider is responsible for managing the physical security of its data centers all the way to the hypervisor layer, and the customer is responsible for the security of the operating systems, data and applications running within the cloud. The most important part is that both you and the cloud service provider know exactly what the individual responsibilities are when it comes to protecting data and systems.
Considerations in the Hybrid Model
Although security is one of the key reasons that businesses choose the hybrid model, the nature of the environment does lend itself to some security risks. If not properly structured and maintained, the varied architecture of the hybrid cloud model can create disruption as data flows in and out of the different cloud environments. Worse, it can leave your organization vulnerable to attack due to the lack of control and visibility created by all the moving data. Businesses that opt for the hybrid model over the fully private model, in which there is a less varied architecture and therefore less complexity, should be aware of these considerations when building their hybrid security strategy.
Let’s look at the top considerations that you should be prepared to deal with in the hybrid model:
Configuration Sync: You’ll need to make sure to sync and/or update network and security settings when moving servers between IaaS providers (including VLANs, security groups/zones, three-tier architecture, firewall rules and more). For example, consider how you would make sure that if you have blocked access to a certain server in your internal OpenStack environment, the same rule is replicated to your AWS environment.
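One way to keep such a rule in sync is to state the intent once, render it for each provider, and diff the intent against what each provider actually reports. The script below is an added illustration, not code from the article or from Cloudify; the rule shape, the two renderers and the "current state" dictionaries are constructed for this example and only mimic the field names of OpenStack Neutron security-group rules and AWS EC2 `IpPermissions`, with no real API calls. The security point it makes explicit: both providers' security groups are default-deny allow-lists, so "blocking access" means making sure no allow rule for that traffic survives on either side, and the drift to worry about is the unexpected allow.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class IngressRule:
    """Provider-neutral 'allow inbound' rule (constructed for this example).
    OpenStack and AWS security groups are both default-deny allow-lists, so a
    'block' is expressed as the absence of a matching allow rule."""
    proto: str      # "tcp", "udp" or "icmp"
    port_min: int
    port_max: int
    cidr: str       # source range that is allowed in


def to_openstack(rule: IngressRule) -> Dict:
    """Render as an OpenStack Neutron security-group rule body."""
    return {
        "direction": "ingress",
        "ethertype": "IPv4",
        "protocol": rule.proto,
        "port_range_min": rule.port_min,
        "port_range_max": rule.port_max,
        "remote_ip_prefix": rule.cidr,
    }


def to_aws(rule: IngressRule) -> Dict:
    """Render as one AWS EC2 security-group IpPermissions entry."""
    return {
        "IpProtocol": rule.proto,
        "FromPort": rule.port_min,
        "ToPort": rule.port_max,
        "IpRanges": [{"CidrIp": rule.cidr}],
    }


def from_openstack(r: Dict) -> IngressRule:
    return IngressRule(r["protocol"], r["port_range_min"],
                       r["port_range_max"], r["remote_ip_prefix"])


def from_aws(p: Dict) -> List[IngressRule]:
    # One IpPermissions entry can carry several CIDRs; expand to one rule each.
    return [IngressRule(p["IpProtocol"], p["FromPort"], p["ToPort"], ip["CidrIp"])
            for ip in p["IpRanges"]]


def drift(desired: Set[IngressRule], actual: Set[IngressRule]) -> Dict[str, Set[IngressRule]]:
    """'missing' = intended allows not present; 'unexpected' = allows that expose
    more than intended, which is the dangerous direction for an allow-list."""
    return {"missing": desired - actual, "unexpected": actual - desired}


# Constructed sample: the intent is SSH from the admin network only.
DESIRED: Set[IngressRule] = {IngressRule("tcp", 22, 22, "10.0.0.0/24")}

# Constructed 'current state' as each provider's API would describe it.
# OpenStack matches the intent; AWS still carries a leftover allow from anywhere.
OPENSTACK_ACTUAL = [to_openstack(r) for r in DESIRED]
AWS_ACTUAL = [{
    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "10.0.0.0/24"}, {"CidrIp": "0.0.0.0/0"}],
}]


def check_both() -> Dict[str, Dict[str, Set[IngressRule]]]:
    """Compare the single intent against both providers' reported state."""
    os_actual = {from_openstack(r) for r in OPENSTACK_ACTUAL}
    aws_actual = {r for p in AWS_ACTUAL for r in from_aws(p)}
    return {"openstack": drift(DESIRED, os_actual), "aws": drift(DESIRED, aws_actual)}


if __name__ == "__main__":
    for provider, result in check_both().items():
        print(provider, "missing:", result["missing"], "unexpected:", result["unexpected"])
```

Running it reports no drift for OpenStack and one unexpected allow (TCP/22 from 0.0.0.0/0) for AWS, which is exactly the case the paragraph describes: the block applied on-prem never reached the public cloud. In practice the `*_ACTUAL` lists would be filled from each provider's API and the check run on a schedule or on every migration.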
Auditing and Monitoring: When implementing a hybrid cloud model, consider how to monitor and react to events when something out of the ordinary takes place. If there isn’t a healthy monitoring process across all servers at all locations, and especially within the links connecting your on-premises environment and the public cloud, there will inevitably be a lack of visibility — and thus an inability to properly and effectively identify events. It is important to look for solutions that are compatible, and that connect and provide actionable intelligence across your entire IT infrastructure.
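The practical core of "visibility across all locations" is normalising events from each environment into one schema so the same detection logic runs over all of them. The following is an added example, not code from the article or from any vendor it mentions: the sshd syslog lines and the CloudTrail-style audit record are constructed sample data, the field names of the common schema and the rule names are my own choices, and the threshold of three failures is arbitrary. The last rule shows what a per-environment view cannot produce: a cloud security-group change made from a source address that had just been failing logins against an on-premises host.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input (not real logs): three failed SSH logins recorded by
# an on-premises bastion, one successful login, then a cloud audit record
# (CloudTrail-style field names) showing the same address opening a security group.
ONPREM_SYSLOG = [
    "2017-09-15T10:01:02Z bastion sshd[4321]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "2017-09-15T10:01:05Z bastion sshd[4321]: Failed password for admin from 203.0.113.7 port 51235 ssh2",
    "2017-09-15T10:01:09Z bastion sshd[4321]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "2017-09-15T10:01:20Z bastion sshd[4330]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2",
]
CLOUD_AUDIT = [
    json.dumps({
        "eventTime": "2017-09-15T10:02:30Z",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"userName": "admin"},
        "sourceIPAddress": "203.0.113.7",
    }),
]

SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)"
)

# Cloud API calls that widen network exposure; each one is worth a finding on its own.
EXPOSURE_CHANGES = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}


def parse_syslog(line: str) -> Optional[Dict]:
    """Normalise an on-prem sshd failure into the common schema; other lines are ignored."""
    m = SSH_FAIL_RE.match(line)
    if not m:
        return None
    return {"time": m["ts"], "source": "onprem", "actor": m["user"],
            "ip": m["ip"], "action": "auth_failure", "target": m["host"]}


def parse_cloud(record: str) -> Dict:
    """Normalise a cloud audit record into the same schema."""
    r = json.loads(record)
    return {"time": r["eventTime"], "source": "cloud",
            "actor": r["userIdentity"]["userName"], "ip": r["sourceIPAddress"],
            "action": r["eventName"], "target": "security-group"}


Finding = Tuple[str, str, str]   # (rule name, source IP, actor)


def detect(events: List[Dict], fail_threshold: int = 3) -> List[Finding]:
    """Run one rule set over events from both environments, in time order."""
    findings: List[Finding] = []
    failures: Dict[Tuple[str, str], int] = {}
    for e in sorted(events, key=lambda ev: ev["time"]):   # ISO-8601 strings sort correctly
        if e["action"] == "auth_failure":
            key = (e["ip"], e["actor"])
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == fail_threshold:
                findings.append(("repeated_auth_failure", e["ip"], e["actor"]))
        elif e["action"] in EXPOSURE_CHANGES:
            findings.append(("network_exposure_change", e["ip"], e["actor"]))
            # Only visible with a unified view: the cloud change came from an
            # address that was already failing logins against an on-prem host.
            if any(ip == e["ip"] for ip, _ in failures):
                findings.append(("cross_environment_correlation", e["ip"], e["actor"]))
    return findings


def run_sample() -> List[Finding]:
    """Feed both constructed sources through the normalisers and the detector."""
    events = [ev for ev in map(parse_syslog, ONPREM_SYSLOG) if ev is not None]
    events += [parse_cloud(rec) for rec in CLOUD_AUDIT]
    return detect(events)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The design choice that matters is that `detect` never looks at where an event came from; once both sources share the `time`, `actor`, `ip` and `action` fields, a rule written for one environment applies to the other, and cross-environment rules become a one-line check rather than a separate integration.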
Identity Infrastructure: Identity and access management is always complex, and even more so in a hybrid cloud environment, so implementing a robust and uniform identity layer that spans all services in the cloud and on-prem is a must. As a best practice for implementing an identity infrastructure solution, take care to design the appropriate entitlement structure, giving the right people access to the necessary resources at the appropriate times. However, identity within the hybrid cloud model has special considerations, as there are many discrete elements that need to be accounted for. For example, customers may have an internal AD, but how do you manage identity for the external services? How do you sync users, attributes and roles to make sure your IT staff can access all services regardless of their location?
Compliance, Compliance, Compliance: Maintaining compliance in the hybrid model is more complicated than in traditional infrastructure. This is a natural consequence of the need to ensure compliance of both your on-prem resources and the cloud-based ones, while simultaneously coordinating the efforts between them to demonstrate that you’re not losing control and visibility when moving workloads and data between providers. Another complicating factor is that each provider has its own encryption tools, audit formats and visibility options, leading to even more potential compliance issues. Auditors don’t necessarily understand the nuances of the hybrid cloud environment, so you have to demonstrate to them that the variety of configurations doesn’t hinder control over the data.
Lack of Qualified Experts: IaaS/PaaS environments are complicated, and you may have a hard time managing even one IaaS platform. Hybrid environments — with their multitude of services, terms and configuration items to account for — are even more complicated to understand and manage. Experts who possess the necessary experience and skills (including traditional technical skills and a variety of meta-skills such as analysis and teamwork) to navigate the specific needs of a hybrid model, and to chart a course of visibility and management across the multifaceted infrastructure, are few and far between.
Hybrid, the Cloud of the Future
IDC estimates that the hybrid cloud market will grow to a mind-blowing $84 billion by 2019. However, adding more layers of hosted management and automation increases the complexity of the system, providing yet another attack vector for hackers. Granting outside parties some level of access to your internal resources means that if they are subject to a breach, you are likely to fall prey as well. In order to avoid these vulnerabilities, you should partner with cloud management and orchestration vendors that can support your workload mobility needs and resource orchestration while never forgetting the importance of hybrid security.