White Paper: Securing Agility: Best Practices for Harnessing and Securing Hybrid Clouds
Contents
Executive Summary
The Transformation of the Data Center to a Hybrid Cloud
    Business Agility Is Driving the Journey to the Cloud
    The Multiple Dimensions of Today’s Hybrid Clouds
    The Evolving Role of IT
        Collaborating with Internal Stakeholders
        Partnering with External Cloud Service Providers
The Technology of Hybrid Clouds
    The Shifting Perimeter in Workload-centric Infrastructures
    The Dynamics of Immutable Infrastructure
    Risks and Threats in a Hybrid Context
Best Practices for the Alignment of Hybrid Cloud Security Initiatives
    Business Considerations
    Technical Considerations
Attributes of Purposeful Hybrid Cloud Security Solutions
    Flexible Deployment and Delivery Options with Centralized Control Plane
    Support for Workload Tags for Policy Assignment and Management
    Broad Platform Coverage
    Depth of Functionality for Workload-appropriate Controls
    Proven in Multiple Environments
The Bigger Truth
Executive Summary
Originally a United States Federal government mandate, “Cloud First” now represents a strategic imperative for many private and public sector enterprises, under which new IT projects are delivered with cloud services. The result? Data assets are distributed across hybrid clouds, creating the need to unify security controls across disparate infrastructures. With this cloud initiative comes a new set of methodologies changing how software is developed (e.g., Agile) and how infrastructure is managed (i.e., DevOps). These new disciplines have also created new constituents in the planning, delivery, and management of these environments: application development (AppDev) and infrastructure management (DevOps). Also new is the business model of the cloud: IT-as-a-service is based on a self-service utility approach to the on-demand provisioning of computing resources, metered with consumption-based pricing. And suffice it to say that there is confusion around many of the terms associated with the cloud, obscuring how best to secure this distributed and abstracted data center architecture.
Hybrid clouds represent the new normal for data centers, which, in turn, warrants a new security model, one grounded in an understanding of what is different about cloud infrastructure. IT and security professionals are well aware of the need to retool for this new normal: 80% of respondents in research conducted by ESG noted that the security (i.e., policies, processes, technologies, and skills) associated with their on-premises infrastructure and applications is more mature than that for their organization’s use of public cloud services.[1] Given strong adoption of cloud services, a strategy for securing hybrid clouds is a must for organizations that currently leverage, or plan to leverage, the benefits of the cloud. This white paper explores both the business and technical dimensions of hybrid cloud security with an optimistic perspective: the journey to the cloud is an opportunity to improve one’s security posture.
The Transformation of the Data Center to a Hybrid Cloud
Business Agility Is Driving the Journey to the Cloud
In contrast to those companies that have been born in the cloud, more traditional organizations are embarking on a journey to the cloud, typically by migrating an existing application or deploying a new one to the cloud, while others start by utilizing the cloud as a storage target, including for disaster recovery. As organizations compare the time to deployment of an on-premises application, inclusive of RFIs, data center build-outs, and so on, with the near “instant-on” availability of cloud services, many choose to deploy more application workloads in, and move data sets to, the cloud, often fluidly for scale and resource optimization. At the same time, legacy applications, and especially sensitive corporate data assets, may remain on-premises, with the resulting two types of infrastructure representing a hybrid cloud.
The cloud also offers financial agility with respect to the utility-based services model whereby businesses pay for what they use. Prior attempts by IT to implement a similar model via chargeback accounting failed largely due to the lack of true on-demand utility services to correlate to utility pricing. Cloud computing makes this financial model not only possible, but also a business driver for moving to the cloud.
[1] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.
The Multiple Dimensions of Today’s Hybrid Clouds
Most would agree that public cloud services can be defined as software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) offerings that are hosted and managed by a third party, usually in a multi-tenant environment, and made available on demand via a self-service interface with granular subscription-based pricing. However, the definition of a private cloud is less clear, with some citing a virtualized server environment and others pointing to a customer-managed self-service model for on-demand compute and storage. Participants in ESG research indicated not only that they are currently using private clouds, with 48% stating they are already doing this extensively, but also that private clouds are becoming heterogeneous, with 34% noting that they have deployed two or more types of private clouds, including OpenStack, VMware vCloud, and others.[2]
Public cloud consumption is also becoming more heterogeneous, with customers increasingly choosing best-of-breed
public cloud providers. For example, for a web application, an organization may choose a CSP that also offers a native
content delivery network (CDN). The same company may also choose another public cloud provider for computationally
intensive applications such as analytics. And, of course, most companies seek pricing leverage by employing a multi-vendor
strategy for technology procurement. This trend toward multi-clouds is reflected in ESG research in which 47% of
respondents reported that they are already migrating workloads to two or more public cloud service providers either
somewhat or extensively (see Figure 2).
The choice of private, public, virtualized, and bare metal server environments gives customers the ability to arbitrate the location of both application workloads and data sets: The web tier may be in the cloud, but the database is on-premises, with the archive of that database replicated to cloud storage. Given the adoption dynamics of private and public clouds, along with the fact that some elements of an application stack will remain on-premises, hybrid clouds are becoming increasingly multidimensional, requiring organizations to retool how they secure their IT assets. While optionality is desired for infrastructure, unification and consistency are paramount to securing it. Participants in research conducted by ESG agree, with maintaining strong and consistent security across disparate cloud computing technologies and services being the most-cited cloud security challenge (see Figure 3).[3]
[2] Source: ESG Custom Research, Cloud Security Challenges Survey, January 2016. All ESG research references and charts in this white paper have been taken from this custom research survey unless otherwise noted.
The Evolving Role of IT
Collaborating with Internal Stakeholders
The advent of shadow IT, whereby applications, as well as infrastructure, are used by business units without the involvement or oversight of IT, is a reality for nearly all organizations. Shadow IT creates visibility gaps devoid of security controls, creating a risk of data loss and new attack vectors. The self-service model of SaaS, IaaS, and PaaS creates a level of empowerment in the lines of business, requiring IT to adopt an “embrace and enable” approach to the fundamental business requirement of greater agility.
[3] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.
Cloud computing moves at a notably faster pace: the speed of DevOps. In the context of established IT processes characterized by approvals and authorizations for the provisioning of new IT services, it can seem irresponsible to move at the speed of the cloud, but this too is part of the new normal. ESG research reflects this concern, with 31% of respondents citing keeping up with the rapid and temporal nature of cloud computing as one of their organization’s biggest cloud security challenges (see Figure 3).[4] However, a DevOps approach of continuous development (Agile), integration, testing, delivery, and monitoring is not intended to disenfranchise IT, but rather to codify agility. For alignment, business unit and IT leaders should establish cross-functional teams to both plan and synchronize the longer-term strategic initiatives as well as the more tactical projects, typically in the form of agile sprints with daily scrums.
Partnering with External Cloud Service Providers
Core to successfully partnering with external cloud service providers (CSPs) is a clear understanding of the shared responsibility security model, which prescribes the division of responsibility for securing the stack. In any shared responsibility model, whether for SaaS, IaaS, or PaaS, the customer is responsible for their data, with many CSPs offering native data security controls, most notably encryption. For infrastructure-as-a-service, the customer is also responsible for securing the workload, inclusive of the operating system and application (i.e., everything above the hypervisor): patching, host firewall rules, identity and access configuration, and the security of the software the customer deploys.
While CSPs will likely be compliant with a wide variety of industry regulations, the scope of these certifications is limited to those portions of the stack for which they are responsible. For example, as a service provider, a CSP will typically provide SOC 2 and SOC 3 attestation reports prepared under the SSAE 16 standard; those reports say nothing about how the customer has configured the services it consumes. Customers, in turn, need to take charge of attaining and maintaining compliance with industry regulations, which includes eCommerce vendors attaining and maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) and health care organizations signing Business Associate Agreements for compliance with the Health Insurance Portability and Accountability Act (HIPAA). Organizations operating in the European Union will also need to consider the applicability of the General Data Protection Regulation (GDPR) to their use of the cloud.
In short, customers cannot abdicate either security or regulatory compliance to their cloud service provider and need to partner with their provider on a clear delineation of responsibility.
[4] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.
The Technology of Hybrid Clouds
The Shifting Perimeter in Workload-centric Infrastructures
ESG research indicates that organizations have experienced a variety of workload-related challenges when it comes to monitoring cloud infrastructure (see Figure 4).
Figure 4. Challenges Monitoring the Security of Applications, Workloads, and Data on Cloud Infrastructure
Which of the following challenges has your organization experienced with regard to monitoring the security of applications, workloads, and data residing on cloud infrastructure? (Percent of respondents, N=298, three responses accepted)
• Various IT and/or business units have adopted cloud computing over the past few years, so the security team is now catching up on security monitoring: 38%
• Cloud security monitoring requires greater scalability for security data capture, process, and analysis: 36%
• Each cloud infrastructure technology is distinct, so we can’t always get consistent security monitoring across diverse cloud infrastructure: 31%
• My organization has a limited number of cybersecurity personnel, so cloud security monitoring has placed an additional burden on the existing team: 30%
• Monitoring cloud can require lots of work for connecting security monitoring tools to cloud platforms via APIs: 29%
• My organization’s cybersecurity team does not have adequate cloud security monitoring skills in place today, so we are learning as we go: 28%
• Cloud security introduces “blind spots” where we don’t have adequate visibility for security monitoring: 28%
While Linux is often the default operating system in the public cloud portion of a hybrid cloud, Windows-based workloads that support preexisting apps such as SharePoint create a heterogeneous workload operating system footprint, and controls must cover both.
The Dynamics of Immutable Infrastructure
Immutable infrastructure is a deployment model in which a new fleet of workloads based on an updated configuration is deployed from test into production, making the prior set entirely disposable: running instances are replaced rather than patched or reconfigured in place.
Risks and Threats in a Hybrid Context
• Inconsistent controls and policies: The use of different tools by different personnel to secure different portions of a hybrid cloud will likely lead to inconsistent configurations and policies, from IDS and firewall rules to integrity monitoring settings, creating gaps that adversaries will seek to exploit. Developing expertise in and managing the infrastructure for multiple solutions also creates greater operational overhead.
• Replicated attack surface area: Workloads containing vulnerable software and configurations that are replicated via an auto-scaling group effectively replicate the attack surface area with every instance launched from the same image.
• Invisible use of stolen API credentials: The insecure or malicious use of API keys can go undetected by traditional security controls, resulting not only in data loss but also in the use of that footprint for nefarious purposes, and even the loss of an organization’s cloud footprint.
• Inadvertent externally facing workloads: The provisioning of workloads without policy and controls, specifically host-based firewalls, can result in externally facing IPs that will nearly instantly be subject to port scanning by bad actors. Although this has been a risk largely associated with public cloud IaaS, in a software-defined data center where the workloads in a private cloud are API-driven, they may also be improperly configured by a dev or test team, creating an entry point that exposes the rest of the infrastructure.
• Insecure automation servers: Compromising automation servers, which hold the blueprints for server configurations, can result in the introduction of backdoors into every workload built from those blueprints, and more.
• Jump hosts that can cut both ways: Intended to shield workloads from attack methods such as port scanning by keeping them off the public network, a compromised jump host also offers one-to-many access for attackers.
• Lack of auto-assignment of policy: Security products that do not support workload tags cannot auto-assign policies to protect new workloads upon instantiation, leaving each new instance unprotected until someone notices it.
As is the case with traditional data centers, a set of best practices put into action with purpose-built solutions can
effectively address these and other risks associated with hybrid clouds.
Best Practices for the Alignment of Hybrid Cloud Security Initiatives
Figure 5. Abandonment of Traditional Security Policies and Technologies for Cloud Security: Has your organization had to abandon its use of any traditional security policies or technologies because it couldn’t be used effectively for cloud security? (Percent of respondents, N=303)
The central themes of the following best practices are organizational alignment and consistency across the workloads that comprise a hybrid cloud. Some retooling may be required across skill development, tools, and processes. As such, it is important to consider business-related best practices as enablers to implementing technical best practices.
Business Considerations
The noted differences in the IT-as-a-service business model warrant considering a few organizational and business-related
best practices.
• Embrace cloud security as a team sport. Agile software development, shadow IT, and DevOps have resulted in a
new set of seats at the table for the planning, procurement, and securing of hybrid clouds, with the AppDev
teams typically representing the lines of business. While security professionals tend to be cautious by nature and
methodical in their approach, those with an AppDev and DevOps orientation may seem cavalier. IT leadership
that embraces cloud security as a team sport will facilitate bringing a DevOps approach to the on-premises
infrastructure for greater agility and security best practices to the cloud for asset protection. Doing so rightfully
validates the importance of each to help the organization move quickly but safely.
• Communicate with full transparency. As noted above, there are new internal stakeholders involved in securing hybrid clouds, as well as external stakeholders, including business partners (suppliers, channels, contractors, and more). Team members charged with implementation should agree on a set of goals and objectives so that success criteria are clear. More specifically, cross-functional teams will want to convey how the transition of resources (i.e., applications, data sets, and security controls) will affect business units. This inventory of assets should include a risk assessment to identify the most mission-critical applications and sensitive data sets.
• Align on the economics. Organizations should seek solutions that allow them to pay for security as they do for the infrastructure being protected, as a way to align cost with the value realized. Doing so will depend, in part, on where the respective workload resides. Examples of such models include:
    Metered. This consumption-based model is applicable to securing auto-scaling environments in which server workload instances may exist for only a few hours, in that both the workload and the security controls are metered per hour.
    Reserved instances/per server. For on-premises data centers, the number of servers is often known and serves as a natural way to purchase security, on a perpetual or yearly basis. In the cloud, some organizations will reserve instances for pricing advantages. Security controls should also support per annum models so that, again, the entity being secured is priced in the same way as the security control that protects it.
    Per CPU. For on-premises data centers, many organizations, including those operating IT-as-a-service, will prefer a CPU-based pricing model.
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.
White Paper: Securing Agility: Best Practices for Harnessing and Securing Hybrid Clouds
Technical Considerations
• Segment environments, duties, and access with least privilege. The best practice of granting only the least amount of privilege required for an individual to get her job done should be applied in multiple dimensions in a hybrid cloud environment.
    Segment dev, test, and prod environments. Developers creating a dev environment are unlikely to apply security controls. As such, their environment, as well as the test environment, should be segmented off from production.
    By storage and compute. Further segmenting by storage and compute protects data assets.
    By role. Segmentation of duties by role is essential for preventing the unauthorized or accidental use of high-privilege credentials to access key assets. Doing so protects against both stolen credentials and the insider threat.
    API keys. While API keys should be used for resource access and provisioning, least privilege should also be applied to those keys, especially those that allow access to the most sensitive portions of the hybrid cloud: scope each key to the resources and operations its workload actually needs, so that a stolen key yields no more than that workload could do.
• Mind the visibility gap. The security truism that “you can’t secure what you don’t know you have” is especially true in cloud environments where workloads are transient and the CSP manages from the “hypervisor down.” Visibility in this context has two dimensions:
    Inventory of assets. An inventory should include both on-premises and cloud-resident assets, including key control points, both physical (network-based egress security controls) and logical (API keys and cloud accounts). Asset management software employing a configuration management database (CMDB), and especially solutions that auto-discover newly provisioned workloads, provides this aspect of visibility.
    Continuous monitoring. Activity around inventoried resources should be monitored continuously, including the use of API keys (via logging) and the provisioning of new workloads that could represent an insecure amount of sprawl. Workload monitoring should include system activity (intra-workload) and network activity (inter-workload).
• Extend the security model with workload-appropriate controls. As noted above, hybrid clouds are characterized by shifting perimeters and thus require a workload-centric security model. Network controls are still essential, of course, but as temporal workloads come and go, and others migrate to the cloud for scale, a location-agnostic approach to augment those network controls is required. Server tags are core to this model so that policy can be applied by workload type. In addition to applying consistent firewall rules and monitoring for changes to those rules, employing anomaly-based intrusion detection is highly appropriate within auto-scaling groups, in which there should be no drift from standard configurations and behaviors, so any deviation from the baseline is worth investigating. Deviations that could be indicative of a compromise include:
    File system changes, specifically to paths containing critical files and sensitive data.
    Logins outside the norm (e.g., at odd times or from unexpected locations).
    Correlation between processes and network traffic (e.g., why would the Apache web server process communicate with an IP in Eastern Europe?).
Organizations should also consider application controls for fixed-function workloads such as automation servers and bastion hosts to augment the visibility provided by continuous monitoring.
• Automate via SecDevOps. Automation via continuous integration, testing, delivery, and monitoring is the conveyor-belt workflow at the core of DevOps. This level of automation should be applied to security for the same operational benefits and to ensure that security controls are built in, not bolted on, thus representing a SecDevOps methodology. Related best practices include:
    Auto-assignment of policy-based security controls. Based on tags that denote the role of the workload, security controls should be automatically included in the configuration of all new workloads so that each is protected from the time of instantiation, both in the data center and in the cloud.
    Automated vulnerability scanning in the test environment. Scanning for vulnerabilities in test environments identifies issues before apps get deployed to production, so workload configurations can be updated to ensure that only the latest releases of the software stack are deployed in production.
    Virtual patching. Detecting and blocking the behavior of an exploit in production helps close the vulnerability gap until new workloads can be provisioned as part of an immutable infrastructure, or until workloads can be patched in the data center.
    Automated penetration testing. Conducting port scanning and other testing will help verify that patches have been applied and firewall rules are current.
• Employ purpose-built security solutions that extend native controls. A “better together” strategy with respect to the use of security technologies should be employed. Native controls such as host firewalls, encryption, and identity and access management (IAM) provide a strong foundational baseline. The more multidimensional the hybrid cloud, the more critical unified controls are to ensure consistency across disparate infrastructures. An example of such an approach is the use of multi-factor authentication (MFA) for access to critical resources combined with continuous monitoring to detect anomalous login attempts, a “trust but verify” practice that requires both native and best-of-breed third-party controls.
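As an added illustration of the anomaly-based detection these technical considerations call for (example code written for this edit, not ESG’s code or any product’s), the following Python checks a stream of workload telemetry against a per-role baseline and reports the three kinds of deviation listed above: in-place changes to critical files, logins at odd hours or from unexpected networks, and process-to-destination pairs outside the role’s expected egress. It also treats a workload with no baseline (i.e., one whose policy was never auto-assigned) as a finding in its own right. The role name, subnets, paths, and every event are constructed assumptions; in a real deployment the events would come from host agents and flow logs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Baseline:
    """What a healthy instance of one workload role is expected to do."""
    critical_paths: tuple   # path prefixes that only a redeploy may change
    login_hours: range      # UTC hours during which interactive logins are expected
    login_networks: tuple   # networks interactive logins are expected to come from
    egress: dict            # process name -> networks that process may talk to


# Constructed baseline for a "web" auto-scaling group (subnets are assumptions).
BASELINES = {
    "web": Baseline(
        critical_paths=("/etc/", "/usr/sbin/", "/var/www/app/"),
        login_hours=range(8, 19),
        login_networks=(ip_network("10.20.0.0/16"),),        # bastion subnet
        egress={"httpd": (ip_network("10.30.0.0/16"),)},     # application tier only
    ),
}


def _in_any(addr, networks):
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def check_event(event, baselines=BASELINES):
    """Return a finding string if the event deviates from its role's baseline, else None."""
    host, role = event["host"], event["role"]
    base = baselines.get(role)
    if base is None:
        # No baseline means policy was never auto-assigned: that is itself a finding.
        return f"{host}: no baseline for role {role!r}"
    kind = event["type"]
    if kind == "file" and event["path"].startswith(base.critical_paths):
        return f"{host}: in-place change to critical file {event['path']}"
    if kind == "login":
        ts = datetime.fromisoformat(event["time"]).astimezone(timezone.utc)
        reasons = []
        if ts.hour not in base.login_hours:
            reasons.append(f"outside expected hours ({ts.hour:02d}:00 UTC)")
        if not _in_any(event["src"], base.login_networks):
            reasons.append(f"from unexpected source {event['src']}")
        if reasons:
            return f"{host}: login by {event['user']} " + " and ".join(reasons)
    if kind == "netflow":
        allowed = base.egress.get(event["process"])
        if allowed is None or not _in_any(event["dst"], allowed):
            return (f"{host}: process {event['process']} connected to "
                    f"{event['dst']}:{event['dport']} outside its baseline")
    return None


def detect(events, baselines=BASELINES):
    """Run every event through the baseline and collect the deviations."""
    return [f for f in (check_event(e, baselines) for e in events) if f]


# Constructed telemetry: three healthy-looking events and four deviations.
SAMPLE_EVENTS = [
    {"type": "file", "host": "web-1", "role": "web", "path": "/var/log/httpd/access_log"},
    {"type": "file", "host": "web-2", "role": "web", "path": "/etc/ld.so.preload"},
    {"type": "login", "host": "web-1", "role": "web", "user": "ops",
     "time": "2016-05-10T14:05:00+00:00", "src": "10.20.4.7"},
    {"type": "login", "host": "web-3", "role": "web", "user": "ops",
     "time": "2016-05-11T03:12:00+00:00", "src": "203.0.113.25"},
    {"type": "netflow", "host": "web-1", "role": "web", "process": "httpd",
     "dst": "10.30.1.15", "dport": 8080},
    {"type": "netflow", "host": "web-2", "role": "web", "process": "httpd",
     "dst": "198.51.100.9", "dport": 443},
    {"type": "netflow", "host": "web-4", "role": "batch", "process": "python",
     "dst": "10.30.1.15", "dport": 8080},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints four findings: the write to /etc/ld.so.preload on web-2, the 03:00 UTC login from 203.0.113.25 on web-3, httpd on web-2 talking to 198.51.100.9:443, and web-4 running with no baseline at all. The point of keying the baseline on the role tag rather than on hostnames is that it survives auto-scaling: a fresh instance inherits the expectations of its role the moment it is tagged.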
Attributes of Purposeful Hybrid Cloud Security Solutions
ESG also asked respondents which single attribute matters most to them in a cloud security solution (chart):
What is your organization’s most desired security attribute when it comes to securing cloud infrastructure? (Percent of respondents, N=303)
• Extensibility (i.e., ability to extend across heterogeneous infrastructure): 22%
• Scalability (i.e., ability to scale up or down appropriately with cloud resources): 21%
• Infrastructure-agnostic (i.e., independent of the underlying IT infrastructure): 20%
• Manageability: 10%
• Deep visibility (i.e., at application or workload layer): 8%
• Pervasiveness (i.e., exists throughout entire IT environment, from public to on-premises): 8%
• Stateful (i.e., security policies remain consistent even as workloads move throughout the IT environment): 7%
• Automation: 3%
With this context, the functional requirements, and other attributes, of a purposeful hybrid cloud security solution can be
expressed in the following dimensions.
Support for Workload Tags for Policy Assignment and Management
Workload tags (down to the application level) should be supported to streamline policy assignment. In addition to the use of tags for policy assignment, the management console should also allow for the ability to manage by tag (i.e., view reports, events, and alerts). The use of tags should also extend to role-based access control (RBAC) for a least privilege approach to setting policy and monitoring status.
Depth of Functionality for Workload-appropriate Controls
• System integrity monitoring across multiple aspects of system activity, including processes, file system, logins, and netflow.
• Host intrusion detection and prevention for anomaly detection and virtual patching.
• Anti-malware detection with contextualized threat intelligence and software reputation service integration.
• Application control for those systems that warrant a deterministic default-deny approach.
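As an added example (written for this edit, not code from ESG or from any product) of how tag-driven policy assignment, tag-scoped RBAC, and the default-deny stance for fixed-function hosts fit together, the following Python maps a constructed fleet’s tags to a control set per workload. It serves both the “Auto-assignment of policy-based security controls” practice and the “Lack of auto-assignment of policy” risk discussed earlier: a workload that arrives without a recognized role tag is quarantined rather than left to run with no policy. The tag key “role”, the policy names, ports, subnets, paths, and instance ids are assumptions chosen for illustration, and the rendered firewall lines are iptables-style text rather than rules applied to any host.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Host-level control set auto-assigned from a workload's role tag."""
    name: str
    inbound: tuple                    # (proto, port, source CIDR) rules; all else is dropped
    integrity_paths: tuple            # path prefixes watched for in-place change
    application_control: bool = False  # deterministic default-deny of unlisted executables


# Policy catalog keyed by the value of the "role" tag. Tag key, names, ports
# and subnets are assumptions made for this example.
POLICIES = {
    "web": Policy("web-tier", (("tcp", 443, "0.0.0.0/0"),), ("/etc/", "/var/www/app/")),
    "db": Policy("db-tier", (("tcp", 5432, "10.30.0.0/16"),), ("/etc/", "/var/lib/pgsql/")),
    "bastion": Policy("bastion", (("tcp", 22, "10.20.0.0/16"),), ("/etc/", "/home/"),
                      application_control=True),
    "automation": Policy("automation", (("tcp", 443, "10.20.0.0/16"),),
                         ("/etc/", "/var/lib/jenkins/"), application_control=True),
}

# Anything launched without a recognised role tag gets no inbound access at all
# until a human classifies it, rather than running with no policy.
QUARANTINE = Policy("quarantine", (), ("/",), application_control=True)


def assign_policy(tags):
    """Pick the policy for a workload from its tags; unknown or missing roles are quarantined."""
    return POLICIES.get(tags.get("role"), QUARANTINE)


def render_host_firewall(policy):
    """Materialise the inbound rule set as iptables-style lines ending in default deny."""
    lines = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port, source in policy.inbound:
        lines.append(f"-A INPUT -p {proto} --dport {port} -s {source} -j ACCEPT")
    lines.append("-A INPUT -j DROP")
    return lines


@dataclass(frozen=True)
class Operator:
    """A console user whose authority is scoped by tags rather than by a host list."""
    name: str
    scope: dict   # tag key -> value this operator may manage


def can_manage(operator, tags):
    """Tag-scoped RBAC: every key in the operator's scope must match the workload's tag."""
    return all(tags.get(key) == value for key, value in operator.scope.items())


def apply_fleet(fleet, operator):
    """Assign a policy to each workload the operator may manage.

    Returns (assignments, denied): host -> policy name, and the hosts the
    operator was not allowed to touch.
    """
    assignments, denied = {}, []
    for host, tags in fleet.items():
        if not can_manage(operator, tags):
            denied.append(host)
            continue
        assignments[host] = assign_policy(tags).name
    return assignments, denied


# Constructed fleet: instance ids and tags are assumptions.
FLEET = {
    "i-web-01": {"role": "web", "env": "prod"},
    "i-db-01": {"role": "db", "env": "prod"},
    "i-jump-01": {"role": "bastion", "env": "prod"},
    "i-ci-01": {"role": "automation", "env": "prod"},
    "i-unknown-7": {"env": "prod"},                  # launched without a role tag
    "i-web-dev-3": {"role": "web", "env": "dev"},
}

if __name__ == "__main__":
    assigned, denied = apply_fleet(FLEET, Operator("prod-ops", {"env": "prod"}))
    for host, name in assigned.items():
        print(f"{host}: {name}")
    print("denied:", denied)
    print("\n".join(render_host_firewall(POLICIES["db"])))
```

With a prod-scoped operator, the dev instance is refused (the operator’s scope does not match its env tag), the untagged instance lands in quarantine, and the bastion and automation servers receive application control by default. Separating the catalog from the assignment logic is what lets the same code run in the data center and in the cloud: only the tags on the workload change.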
The Bigger Truth
Integrating security best practices and controls with an organization’s DevOps methodology (SecDevOps) is the embodiment of leveraging automation to secure an organization’s hybrid cloud, one that provides both operational efficiency and greater efficacy. Purpose-built solutions are also required, ones that support both existing infrastructure and dynamic, software-defined cloud environments. Hybrid cloud security should be viewed as an opportunity for security to be part of how an organization leverages the agility of the cloud, so the business can move quickly and safely.
Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides
actionable insight and intelligence to the global IT community.
© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.