This situation may sound familiar — your CEO, CIO, or another executive outside of the security organization summons you to a meeting. “We have decided to move [Enter unreasonable number here] of our business applications to the public cloud by [Enter impossible timeframe here]. And don’t tell us that security is an issue in the cloud — [Enter name of high-profile competitor here] has already saved millions of dollars by moving to the cloud — so do what you need to do to make sure we are secure.”
Having secured network access in your data center for years using a mix of firewalls, IPSs, proxies, and other related devices from well-established vendors, you may naturally gravitate towards a similar architecture for your IaaS environment. But after some digging, you discover that network security across a hybrid cloud environment is still in its infancy and often confusing.
Here are six tips to help you plan your security strategy for moving to a hybrid IaaS environment:
- Be Aware of the Risks
- Select the Right Security Controls
- Get Visibility Across the Entire Environment
- Segment Your Networks
- Improve Processes with Security Automation
- Place Ownership of Security in the Right Hands
While there are various risks associated with deploying business applications on an IaaS platform (see the blog post Selecting the Right IaaS Platform: 8 Tips to Help Ensure You’re Secure, from security consultant Matt Pascucci, for a good summary), I want to focus on two that are key:
- Access control: The cloud is inherently open: the management console and APIs that control your workloads are reachable from anywhere on the Internet, so controlling access to cloud-based applications is far more problematic than in an on-premises data center. Review the IaaS provider’s access control mechanisms, add your own controls where they fall short, such as two-factor authentication, and monitor failed access attempts against both your applications and the provider’s management interfaces.
- Data protection: This is another of the top concerns for companies migrating to an IaaS platform. Don’t rely only on the IaaS provider’s protections. Add your own, such as encryption (with keys you manage) and DLP, and segment and separate data and networks as much as possible.
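The two access-control checks above (watching for failed sign-in attempts and for logins that bypass two-factor authentication) are concrete enough to script. The following is an added example written for this article, not code from the original post: it runs over a handful of constructed AWS CloudTrail-style ConsoleLogin records (the field names are CloudTrail's; the users, addresses, timestamps, and the 3-failures-in-5-minutes threshold are assumed values for illustration) and reports user/address pairs that produced a burst of failures, plus users who signed in successfully without MFA.

```python
"""Detection checks over constructed CloudTrail-style ConsoleLogin records.
Example code added to this article, not from the original; the sample log is
made up, and the thresholds are assumptions to tune for your own environment."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, user, ip, result, mfa):
    """Build one constructed CloudTrail ConsoleLogin record as a JSON line."""
    return json.dumps({
        "eventTime": time,
        "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": result},
        "additionalEventData": {"MFAUsed": mfa},
    })


# Constructed sample log: three quick failures for alice from one address,
# two failures half an hour apart for bob, and a successful login by bob without MFA.
SAMPLE_LOG = "\n".join([
    _event("2024-05-01T10:00:01Z", "alice", "203.0.113.7", "Failure", "No"),
    _event("2024-05-01T10:00:30Z", "bob", "198.51.100.9", "Failure", "No"),
    _event("2024-05-01T10:01:15Z", "alice", "203.0.113.7", "Failure", "No"),
    _event("2024-05-01T10:02:40Z", "alice", "203.0.113.7", "Failure", "No"),
    _event("2024-05-01T10:03:05Z", "alice", "203.0.113.7", "Success", "Yes"),
    _event("2024-05-01T10:05:00Z", "carol", "192.0.2.44", "Success", "Yes"),
    _event("2024-05-01T10:30:00Z", "bob", "198.51.100.9", "Failure", "No"),
    _event("2024-05-01T10:31:00Z", "bob", "198.51.100.9", "Success", "No"),
])


def parse_events(log_text):
    """Parse JSON-lines records, attaching the parsed timestamp as '_time'."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["_time"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def _principal(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def _login_result(rec):
    if rec.get("eventName") != "ConsoleLogin":
        return None
    return (rec.get("responseElements") or {}).get("ConsoleLogin")


def find_failed_login_bursts(events, threshold=3, window_minutes=5):
    """Return {(user, source_ip): n} for every user/address pair with at least
    `threshold` failed logins inside some span of `window_minutes`; n is the
    largest number of failures seen in any such span (sliding window)."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for rec in events:
        if _login_result(rec) == "Failure":
            failures[(_principal(rec), rec["sourceIPAddress"])].append(rec["_time"])
    bursts = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def find_logins_without_mfa(events):
    """Return sorted user names with a successful ConsoleLogin for which
    CloudTrail did not record MFAUsed == 'Yes'."""
    users = set()
    for rec in events:
        if _login_result(rec) == "Success":
            if (rec.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
                users.add(_principal(rec))
    return sorted(users)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed-login bursts:", find_failed_login_bursts(evs))
    print("successful logins without MFA:", find_logins_without_mfa(evs))
```

On the sample data this flags alice from 203.0.113.7 (three failures in under three minutes) and bob as a user who signed in without MFA; bob's two failures are too far apart to count as a burst at the default window. The sliding window matters: a fixed five-minute bucket would miss a burst that straddles a bucket boundary.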
There are three basic methods to secure network access on public clouds:
- Commercial firewalls. Commercial-grade firewalls for the public cloud do exist, but the level of support and functionality varies greatly between vendors. Their benefits include unified management with their on-premises counterparts and familiarity with how policies are defined and enforced. Cons include cost (although some vendors now offer pay-as-you-go or bring-your-own-license pricing), scalability, and a limited feature set from some vendors.
- Cloud-provided controls. Cloud providers usually offer their own security controls (e.g., AWS security groups). These controls are generally free (definitely a pro!) and provide a good level of functionality, though be clear about what they are: stateful, allow-only packet filters attached to instances, with no deny rules and no inspection of payloads. In many cases they also lack enterprise-grade management, and they do not work across cloud providers, since every provider’s controls are different.
- Host-based firewalls. Since public IaaS is basically about spinning up compute instances, you can use host-based firewalls (e.g., iptables) to control network access. This is a good cross-cloud solution, but cons include management overhead, a limited feature set, and the fact that the rules live on the host they protect: an attacker who gains root on the instance can simply disable them.
The network security controls landscape in the cloud is highly fragmented and there is no single, right answer when it comes to selecting the best option. And to make matters even more complex, this landscape is changing at a fast pace. Make sure you carefully evaluate the options and choose the security controls that best suit your business needs.
Visibility across the hybrid cloud environment is severely lacking, and without visibility you’re basically driving blind: you can't tell which workloads exist, which rules reach them, or what is actually flowing between the cloud and the data center. Regardless of which security controls you choose, visibility across your hybrid environment is key to a successful migration and deployment, so make sure the controls (and logging) you implement provide it across the entire hybrid environment.
The cloud creates a much wider attack surface for your organization. So while network segmentation is a priority in the data center, it’s even more critical when expanding into the cloud. Limit, as much as possible, access from the IaaS platform into your internal corporate networks. This not only limits your exposure, it also improves incident response (a compromised cloud workload has nowhere to pivot) and reduces the scope, time and effort of the security audits your IaaS-based applications will now be subject to.
Hand in hand with visibility goes security automation. Automation is the key to effectively migrating to and managing a hybrid environment, especially since you will be expected to manage security at the “speed of cloud.” When you’re trying to manage hundreds or even thousands of policy rules, automation is the only way. It’s no surprise that security change management fails when teams, often working in silos, use manual, time-consuming processes. So learn where your process breakdowns occur and use automation to address them: keep the policy in one place, generate the per-platform rules from it, and check every change against the policy before it is applied. You’ll not only reduce business outages and speed up application deployments in the cloud, but you’ll also get all the teams working together for the benefit of business agility.
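The three control types, the segmentation advice, and the call for automation come together in one practical pattern: keep a single, provider-neutral policy and generate the enforcement rules from it. The following is an added example written for this article, not code from the original post or from any vendor. It holds a small constructed policy (roles, subnets, security-group ids and corporate address ranges are all assumed values), renders each role's ingress rules both as the `IpPermissions` structure that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts and as iptables rules for a host in that role, and then lints the policy for flows that let cloud workloads reach corporate networks, which is exactly what the segmentation tip says to minimise.

```python
"""One segmentation policy rendered to two enforcement points (cloud security
groups and host iptables) plus a check for flows into corporate networks.
Example code added to this article, not from the original; every role, subnet,
security-group id and CIDR below is a constructed, assumed value."""
import ipaddress
import json

# Constructed sample environment: roles are groups of cloud instances.
ROLE_CIDRS = {"web": ["10.20.1.0/24"], "app": ["10.20.2.0/24"], "db": ["10.20.3.0/24"]}
ROLE_SG_IDS = {"web": "sg-web", "app": "sg-app", "db": "sg-db"}     # assumed ids
CORPORATE_CIDRS = [ipaddress.ip_network(c) for c in ("192.168.0.0/16", "172.16.0.0/12")]

# The single source of truth. "src"/"dst" are either "role:<name>" or a CIDR.
POLICY = [
    {"src": "0.0.0.0/0",       "dst": "role:web",        "proto": "tcp", "port": 443},
    {"src": "role:web",        "dst": "role:app",        "proto": "tcp", "port": 8080},
    {"src": "role:app",        "dst": "role:db",         "proto": "tcp", "port": 5432},
    {"src": "192.168.50.0/24", "dst": "role:db",         "proto": "tcp", "port": 22},
    {"src": "role:app",        "dst": "192.168.10.0/24", "proto": "tcp", "port": 445},
]


def is_role(endpoint):
    return endpoint.startswith("role:")


def role_name(endpoint):
    return endpoint.split(":", 1)[1]


def ingress_flows(policy, role):
    """Flows whose destination is the given role."""
    return [f for f in policy if f["dst"] == f"role:{role}"]


def to_security_group_permissions(policy, role):
    """Render a role's ingress flows in the IpPermissions shape accepted by
    `aws ec2 authorize-security-group-ingress --ip-permissions`. Role sources
    become security-group references, CIDR sources become IpRanges."""
    perms = []
    for f in ingress_flows(policy, role):
        perm = {"IpProtocol": f["proto"], "FromPort": f["port"], "ToPort": f["port"]}
        if is_role(f["src"]):
            perm["UserIdGroupPairs"] = [{"GroupId": ROLE_SG_IDS[role_name(f["src"])]}]
        else:
            perm["IpRanges"] = [{"CidrIp": f["src"]}]
        perms.append(perm)
    return perms


def to_iptables_rules(policy, role):
    """Render the same ingress flows for a host in the role, as the argument
    strings for successive `iptables` invocations. Roles expand to their subnets
    (a host has no group references) and the chain policy drops the rest."""
    rules = ["-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for f in ingress_flows(policy, role):
        sources = ROLE_CIDRS[role_name(f["src"])] if is_role(f["src"]) else [f["src"]]
        for cidr in sources:
            rules.append(f"-A INPUT -p {f['proto']} -s {cidr} --dport {f['port']} -j ACCEPT")
    rules.append("-P INPUT DROP")
    return rules


def corporate_exposure(policy, corporate_cidrs=CORPORATE_CIDRS):
    """Return flows that let cloud workloads initiate connections into corporate
    address space. Neither rendering above restricts this direction (both are
    ingress filters on the cloud side), so the policy itself must be reviewed."""
    exposed = []
    for f in policy:
        if is_role(f["src"]) and not is_role(f["dst"]):
            dst = ipaddress.ip_network(f["dst"])
            if any(dst.subnet_of(c) for c in corporate_cidrs):
                exposed.append(f)
    return exposed


if __name__ == "__main__":
    for role in ROLE_CIDRS:
        print(f"# {role}: security group ingress")
        print(json.dumps(to_security_group_permissions(POLICY, role), indent=2))
        print(f"# {role}: iptables")
        print("\n".join(to_iptables_rules(POLICY, role)))
    print("flows into corporate networks:", corporate_exposure(POLICY))
```

Two design points are worth noting. The security-group rendering keeps role-to-role flows as group references, so it stays correct when instances are added to a role, whereas the iptables rendering has to expand roles to subnets and must be regenerated whenever those subnets change; that difference is the management overhead the host-based option carries. And the `corporate_exposure` check only finds what the policy declares: the last flow (app servers reaching a corporate SMB share on 445) is flagged for review, but a rule added by hand on the corporate firewall would never appear here, which is one more reason to make the generated policy the only path to change.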
While allowing the different teams to work together using automation tools is critical to the success of your hybrid cloud environment, it’s also important to select the right team to lead your security effort. Our recent survey found that large and small companies struggled to assign responsibility for security in hybrid cloud environments. Should it be handled by the information security team (most common for larger organizations) or IT operations (most common for smaller organizations)? Or should the responsibility fall on platform providers? Make sure to align IT and information security roles and responsibilities for security management processes that work for your organization.
These are just a few suggestions to help you ensure security as you evaluate an IaaS platform and plan your move to a hybrid cloud environment. While it may all seem rather daunting, like many new initiatives it basically boils down to selecting the right tools, processes, and people to get the job done. Hopefully these suggestions will point you in the right direction.
This article was originally posted as “6 Steps To A Secure Hybrid IaaS Environment” in Cloud Strategy Magazine.