
Enterprise Strategy Group | Getting to the bigger truth.

White Paper

Securing Agility: Best Practices for Harnessing and Securing Hybrid Clouds

Understanding the Business, Organizational, and Technical Dimensions of Securing Hybrid Clouds

By Doug Cahill, Senior Analyst

September 2016

This ESG White Paper was commissioned by Trend Micro and is distributed under license from ESG.

© 2016 by The Enterprise Strategy Group, Inc. All Rights Reserved.



Contents
Executive Summary .... 3
The Transformation of the Data Center to a Hybrid Cloud .... 3
    Business Agility Is Driving the Journey to the Cloud .... 3
    The Multiple Dimensions of Today’s Hybrid Clouds .... 4
    The Evolving Role of IT .... 6
        Collaborating with Internal Stakeholders .... 6
        Partnering with External Cloud Service Providers .... 7
The Technology of Hybrid Clouds .... 7
    The Shifting Perimeter in Workload-centric Infrastructures .... 7
    The Dynamics of Immutable Infrastructure .... 8
    Risks and Threats in a Hybrid Context .... 9
Best Practices for the Alignment of Hybrid Cloud Security Initiatives .... 9
    Business Considerations .... 10
    Technical Considerations .... 11
Attributes of Purposeful Hybrid Cloud Security Solutions .... 13
    Flexible Deployment and Delivery Options with Centralized Control Plane .... 13
    Support for Workload Tags for Policy Assignment and Management .... 13
    Broad Platform Coverage .... 14
    Depth of Functionality for Workload-appropriate Controls .... 14
    Proven in Multiple Environments .... 14
The Bigger Truth .... 14


Executive Summary
Originally a United States Federal government mandate, “Cloud First” now represents a strategic imperative for many
private and public sector enterprises via which new IT projects are delivered with cloud services. The result? Data assets
are distributed across hybrid clouds, creating the need to unify security controls across disparate infrastructures. With this
cloud initiative comes a new set of methodologies changing how software is developed (e.g., Agile) and infrastructure is
managed (i.e., DevOps). These new disciplines have also created new constituents in the planning, delivery, and
management of these environments—application development (AppDev) and infrastructure management (DevOps). What
is also new is the business model of the cloud; IT-as-a-service is based on a self-service utility approach for the on-demand
provisioning of computing resources metered with consumption-based pricing. And suffice to say that there is confusion
around many of the terms associated with the cloud, obfuscating how to best secure this distributed and abstracted data
center architecture.

Hybrid clouds represent the new normal for data centers, which, in turn, warrants a new security model—one that is
grounded in an understanding about what is different about cloud infrastructure. IT and security professionals are well
aware of the need to retool for this new normal, with 80% of respondents in research conducted by ESG noting that the
security (i.e., policies, processes, technologies, and skills) associated with their on-premises infrastructure and applications
is more mature than that for their organization’s use of public cloud services.[1] Given strong adoption of cloud services, a
strategy for securing hybrid clouds is a must for organizations that currently, or plan to, leverage the benefits of the cloud.
This white paper explores both the business and technical dimensions of hybrid cloud security with an optimistic
perspective of treating the journey to the cloud as an opportunity to improve one’s security posture.

The Transformation of the Data Center to a Hybrid Cloud

Business Agility Is Driving the Journey to the Cloud


Cloud computing truly is a fundamental paradigm shift that is disrupting established markets and challenging established
brands to move faster to maintain competitive advantages. This reality highlights the core value proposition of the cloud,
agility, which is realized in accelerated time to value. “Cloud native” companies, those that operate entirely in the cloud, do
not incur the capital expense or operational overhead of building, provisioning, and managing a data center and, as a
result, can deliver new services to market very quickly. Once organizations are live and in production in the cloud, a second
aspect of agility becomes equally important—automated scaling of application infrastructure, allowing, for example,
eCommerce companies to meet the demands of peak buying seasons, biotech companies to perform computationally
intensive DNA sequencing calculations, content delivery companies to distribute popular entertainment, and more.

In contrast to those companies that have been born in the cloud, more traditional organizations are embarking on a
journey to the cloud, typically by migrating an existing application, or deploying a new one to the cloud, while others start
by utilizing the cloud as a storage target, including for disaster recovery. As organizations compare time to deployment of
an on-premises application inclusive of RFIs, data center build outs, and so on, with the near “instant-on” availability of
cloud services, many choose to deploy more application workloads in and move data sets to the cloud, often fluidly for
scale and resource optimization. At the same time, legacy applications, and especially sensitive corporate data assets, may
remain on-premises with the resulting two types of infrastructures representing a hybrid cloud.

The cloud also offers financial agility with respect to the utility-based services model whereby businesses pay for what they
use. Prior attempts by IT to implement a similar model via chargeback accounting failed largely due to the lack of true on-demand
utility services to correlate to utility pricing. Cloud computing makes this financial model not only possible, but
also a business driver for moving to the cloud.

[1] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.

The Multiple Dimensions of Today’s Hybrid Clouds


But what is a hybrid cloud? One could argue that as soon as any element of a company’s computing environment is cloud-
resident, the company is operating in a hybrid context. Such a scenario represents the simplistic end of the spectrum, with the
other end characterized by multiple disparate infrastructures. In either case, a set of working definitions and an illustrative
graphic (see Figure 1) is in order.

Figure 1. Hybrid Cloud Computing Environment

Source: Enterprise Strategy Group, 2016

Most would agree that public cloud services can be defined as software-as-a-service (SaaS), infrastructure-as-a-service
(IaaS), and platform-as-a-service (PaaS) offerings that are hosted and managed by a third party, usually in a multi-tenant
environment and made available on-demand via a self-service interface with granular subscription-based pricing. However,
the definition of a private cloud is less clear, with some citing a virtualized server environment and others pointing to a
customer managed self-service model for on-demand compute and storage. Participants in ESG research indicated not
only that they are currently using private clouds, with 48% stating they are already doing this extensively, but also that
private clouds are becoming heterogeneous, with 34% noting that they have deployed two or more types of private clouds,
including OpenStack, VMware vCloud, and others.[2]

Public cloud consumption is also becoming more heterogeneous, with customers increasingly choosing best-of-breed
public cloud providers. For example, for a web application, an organization may choose a CSP that also offers a native
content delivery network (CDN). The same company may also choose another public cloud provider for computationally
intensive applications such as analytics. And, of course, most companies seek pricing leverage by employing a multi-vendor
strategy for technology procurement. This trend toward multi-clouds is reflected in ESG research in which 47% of
respondents reported that they are already migrating workloads to two or more public cloud service providers either
somewhat or extensively (see Figure 2).

Figure 2. Organizations’ Plans for Cloud Computing Activities

Please indicate if your organization is doing or plans to do any of the following activities with regards to cloud computing.
(Percent of respondents, N=303; values shown as: already doing this extensively / already doing this somewhat / already testing this)

Deploying an internal private cloud: 49% / 47% / 2%
Using converged or hyper-converged infrastructure solutions: 40% / 26% / 14%
Using a self-service portal for workload provisioning, configuration management, change management, etc.: 38% / 31% / 16%
Deploying 2 or more different types of private clouds: 34% / 29% / 16%
Using tools to automate configuration management for your organization’s cloud infrastructure: 33% / 31% / 17%
Migrating and/or developing applications/workloads to 2 or more different public cloud service providers: 25% / 22% / 29%
Migrating legacy applications/workloads to a public cloud: 25% / 20% / 29%
Developing new applications/workloads in a public cloud: 23% / 24% / 29%
Using a heterogeneous combination of public and private cloud infrastructures simultaneously: 23% / 21% / 32%

Source: Enterprise Strategy Group, 2016

The choice of private, public, virtualized, and bare metal server environments provides customers the ability to arbitrate
the location of both application workloads and data sets: The web tier may be in the cloud, but the database is on-
premises, with the archive of that database replicated to cloud storage. Given the adoption dynamics of private and public
clouds, along with the fact that some elements of an application stack will remain on-premises, hybrid clouds are becoming
increasingly multidimensional, requiring organizations to retool how they secure their IT assets. While optionality is desired
for infrastructure, unification and consistency are paramount to secure it. Participants in research conducted by ESG agree,
with maintaining strong and consistent security across disparate cloud computing technologies and services being the
most-cited cloud security challenge (see Figure 3).[3]

[2] Source: ESG Custom Research, Cloud Security Challenges Survey, January 2016. All ESG research references and charts in this white paper have
been taken from this custom research survey unless otherwise noted.

Figure 3. Top Five Cloud Security Challenges

Which of the following represent the biggest cloud security challenges at your organization?
(Percent of respondents, N=302, three responses accepted)

Maintaining strong and consistent security across disparate cloud computing technologies and services: 35%
Supporting cloud computing and on-premises IT infrastructure and applications with consistent policies, controls, and oversight: 34%
Our end-users and business managers are signing up for cloud applications without the approval and governance of our IT departments, creating concerns for data loss and protection: 33%
Keeping up with the rapid and temporal nature of cloud computing (i.e., rapid deployment, self-service, spin up/spin down, etc.): 31%
Monitoring and/or blocking the use of non-sanctioned shadow IT applications: 29%

Source: Enterprise Strategy Group, 2016

The Evolving Role of IT


The transition to hybrid clouds also represents an evolution in the role of information technology from a cost center to a
service center. The abstraction of compute services from underlying physical infrastructure allows organizations to focus
more on their core business with respect to the applications that support and drive the business versus the “rack and
stack” work of traditional data centers. As such, hybrid clouds and the IT-as-a-service business model change
how IT collaborates with internal stakeholders and engages with external services providers.

Collaborating with Internal Stakeholders

The advent of shadow IT—whereby applications, as well as infrastructure, are used by business units without the
involvement or oversight of IT—is a reality for nearly all organizations. Shadow IT creates visibility gaps void of security
controls, creating a risk of data loss and new attack vectors. The self-service model of SaaS, IaaS, and PaaS creates a level of
empowerment in the lines of business, requiring IT to adopt an “embrace and enable” approach to the fundamental
business requirement of greater agility.

[3] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.

Cloud computing moves at a notably faster pace, the speed of DevOps. In the context of established IT processes
characterized by approvals and authorizations prior to the provisioning of new IT services, it can seem irresponsible to move at
the speed of the cloud, but this too is part of the new normal. ESG research reflects this concern, with 31% of respondents
citing that keeping up with the rapid and temporal nature of cloud computing is one of their organization’s biggest cloud
security challenges (see Figure 3).[4] However, a DevOps approach of continuous development (Agile), integration, testing,
delivery, and monitoring is not intended to disenfranchise IT, but rather to codify agility. For alignment, business unit and
IT leaders should establish cross-functional teams to both plan and synchronize the longer-term strategic initiatives as well
as the more tactical projects, typically in the form of agile sprints with daily scrums.

Partnering with External Cloud Service Providers

Core to successfully partnering with external cloud services providers (CSPs) is a clear understanding of the shared
responsibility security model that prescribes the division of responsibility for securing the stack. In any shared responsibility
model, whether it’s for SaaS, IaaS, or PaaS, the customer is responsible for their data, with many CSPs offering native data
security controls, most notably encryption. For infrastructure-as-a-service, the customer is also responsible for securing
the workload, inclusive of the operating system and application (i.e., above the hypervisor).

While CSPs will likely be compliant with a wide variety of industry regulations, the scope of these certifications is limited to
those portions of the stack for which they are responsible. For example, as a service provider, CSPs will typically provide
SOC 2 and 3 reports demonstrating compliance with SSAE 16 standards. Customers, in turn, will need to take charge of
attaining and maintaining compliance with industry regulations, which includes eCommerce vendors needing to attain and
maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) and health care organizations
signing Business Associate Agreements for compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Organizations operating in the European Union will also need to consider the applicability of the General Data Protection
Regulation (GDPR) to their use of the cloud.

In short, customers cannot abdicate either security or regulatory compliance to their cloud service provider and need to
partner with their provider on a clear delineation of responsibility.

The Technology of Hybrid Clouds


While virtualized workloads are the primary working unit of a hybrid cloud, there are a few important differences to be
considered when developing security plans and processes.

The Shifting Perimeter in Workload-centric Infrastructures


The fluidity of hybrid clouds, in which workloads are temporal and migratory and data sets are moved automatically based
on policy, is shifting the network perimeter, pushing network security controls to the edge, and creating visibility gaps.
Collections of workloads in an application stack may span clouds and thus create their own perimeters. Unless an
organization is cloud-native with no on-premises infrastructure, security controls will need to span public cloud, on-
premises, and perhaps co-location environments. The visibility gap in hybrid clouds is in two dimensions—the CSP manages
the hypervisor and below as well as transient instances in auto-scaling groups that often have a short half-life. In this
context, the workload is the autonomous computing element that requires a workload-centric orientation, including:

• Intra-workload system activity and integrity monitoring.

• Inter-workload interaction based on network traffic.

[4] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.

ESG research indicates that organizations have experienced a variety of workload-related challenges when it comes to
monitoring cloud infrastructure (see Figure 4).

Figure 4. Challenges Monitoring the Security of Applications, Workloads, and Data on Cloud Infrastructure

Which of the following challenges has your organization experienced with regard to monitoring the security of applications, workloads, and data residing on cloud infrastructure?
(Percent of respondents, N=298, three responses accepted)

Various IT and/or business units have adopted cloud computing over the past few years so the security team is now catching up on security monitoring: 38%
Cloud security monitoring requires greater scalability for security data capture, process, and analysis: 36%
Each cloud infrastructure technology is distinct so we can’t always get consistent security monitoring across diverse cloud infrastructure: 31%
My organization has a limited number of cybersecurity personnel, so cloud security monitoring has placed an additional burden on the existing team: 30%
Monitoring cloud can require lots of work for connecting security monitoring tools to cloud platforms via APIs: 29%
My organization’s cybersecurity team does not have adequate cloud security monitoring skills in place today so we are learning as we go: 28%
Cloud security introduces “blind spots” where we don’t have adequate visibility for security monitoring: 28%
Traditional monitoring tools are not always effective for cloud security monitoring: 26%
We have not experienced any challenges: 4%

Source: Enterprise Strategy Group, 2016

And while Linux is often the default operating system in the public cloud portion of a hybrid cloud, Windows-based
workloads to support preexisting apps such as SharePoint create a heterogeneous workload operating system footprint.

The Dynamics of Immutable Infrastructure


There is a paradox at play with cloud computing: Dynamic environments that provide auto-scaling to meet the load
requirement of an application have immutable elements—via automation, once a workload is instantiated, it is never
changed in production but rather replaced with a new configuration. Such an approach is antithetical to how production
servers have historically been managed, with a cadence of patching and other configuration modifications and
optimizations, sometimes with necessary downtime. Such a time-intensive, manual approach leads to inconsistent
configurations and thus unpatched vulnerabilities. With the rate at which new server instances are provisioned and de-
provisioned in the cloud, closing vulnerability gaps is only possible via automation and best practices, such as virtual
patching and blue-green deployments. Blue-green deployments are the embodiment of immutable infrastructure via
which a new fleet of workloads based on an updated configuration can be deployed from test into production, making the
prior set entirely disposable.

Risks and Threats in a Hybrid Context


The above technical characteristics of infrastructure-as-a-service (IaaS) and the fact that these software-defined
environments are API-driven create a new set of risks and threats that are variations of existing issues:

• Inconsistent controls and policies: The use of different tools by different personnel to secure different portions of
a hybrid cloud will likely lead to inconsistent configurations and policies from IDS and firewall rules to integrity
monitoring settings, creating vulnerabilities adversaries will seek to exploit. Developing expertise in and managing
the infrastructure for multiple solutions also creates greater operational overhead.

• Replicated attack surface area: Workloads containing vulnerable software and configurations that are replicated
via an auto-scaling group effectively replicate the attack surface area.

• Invisible use of stolen API credentials: The insecure and malicious use of API keys can go undetected by traditional
security controls, resulting in not only data loss, but also potentially the use of that footprint for nefarious
purposes, and even the loss of an organization’s cloud footprint.

• Inadvertent externally facing workloads: The provisioning of workloads without policy and controls, specifically
host-based firewalls, can result in externally facing IPs that will nearly instantly be subject to port scanning by bad
actors. Although this has been a risk largely associated with public cloud IaaS, in a software-defined data center
where the workloads in a private cloud can be API-driven, they may also be improperly configured by a dev or test
team creating an entry point, which exposes the rest of the infrastructure.

• Insecure automation servers: Compromising automation servers, which hold the blueprints for server
configurations, can result in the introduction of backdoors and more.

• Jump hosts that can cut both ways: Jump hosts are intended to shield workloads from attack methods, such as port
scanning, by keeping those workloads off the external network, but a compromised jump host can also offer one-to-many
access for hackers.

• Lack of auto-assignment of policy: Security products that do not support workload tags will not then support the
auto-assignment of policies to protect new workloads upon instantiation.

As is the case with traditional data centers, a set of best practices put into action with purpose-built solutions can
effectively address these and other risks associated with hybrid clouds.
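One way to address the inconsistent-controls, inadvertent-exposure and lack-of-auto-assignment risks above, shown as an added example that is not the paper’s or any vendor’s code: resolve a workload’s policy from its tags at instantiation, quarantine anything untagged, and diff the host firewall rules it actually carries against that policy. The tag keys (role, env), the policies, the jump-host address and the workload records are assumptions.

```python
"""Tag-driven policy auto-assignment and host-firewall drift audit.

Added example, not code from the ESG paper or from any vendor product. The
tag keys (role, env), the policies, the jump-host address and the workload
records are constructed sample data.
"""
from dataclasses import dataclass

JUMP_HOST = "10.0.0.5/32"  # constructed: the only source allowed to reach SSH


@dataclass(frozen=True)
class Policy:
    name: str
    rules: frozenset  # inbound host-firewall rules as (protocol, port, source CIDR)
    ids_profile: str
    integrity_monitoring: bool


# Policies keyed by (role, env). A (role, None) entry is the fallback for any
# environment; workloads matching nothing are quarantined, not left unprotected.
POLICIES = {
    ("web", "prod"): Policy("web-prod",
                            frozenset({("tcp", 443, "0.0.0.0/0"), ("tcp", 22, JUMP_HOST)}),
                            "web-anomaly", True),
    ("web", None): Policy("web-nonprod",
                          frozenset({("tcp", 443, "10.0.0.0/8"), ("tcp", 22, JUMP_HOST)}),
                          "web-baseline", False),
    ("db", "prod"): Policy("db-prod",
                           frozenset({("tcp", 5432, "10.0.1.0/24"), ("tcp", 22, JUMP_HOST)}),
                           "db-anomaly", True),
}
QUARANTINE = Policy("quarantine", frozenset({("tcp", 22, JUMP_HOST)}), "quarantine", True)


def resolve_policy(tags):
    """Most specific (role, env) match wins, then role-only, then quarantine."""
    role, env = tags.get("role"), tags.get("env")
    return POLICIES.get((role, env)) or POLICIES.get((role, None)) or QUARANTINE


def audit_workload(workload):
    """Assign a policy from tags, then diff the observed firewall rules against it.

    Returns (policy name, list of findings); an empty list means the workload
    is tagged, covered and free of rule drift.
    """
    policy = resolve_policy(workload.get("tags", {}))
    observed = frozenset(workload.get("observed_rules", ()))
    findings = []
    if policy is QUARANTINE:
        findings.append("no matching tags: quarantine policy applied until tagged")
    for proto, port, src in sorted(observed - policy.rules):
        kind = "world-open" if src == "0.0.0.0/0" else "drift-added"
        findings.append(f"{kind}: {proto}/{port} from {src} is not in policy {policy.name}")
    for proto, port, src in sorted(policy.rules - observed):
        findings.append(f"drift-missing: {proto}/{port} from {src} is required by {policy.name}")
    if workload.get("public_ip") and not observed:
        findings.append("externally reachable with no host firewall rules at all")
    return policy.name, findings


def audit_fleet(workloads):
    """Map workload name -> (policy name, findings) for a newly provisioned set."""
    return {w["name"]: audit_workload(w) for w in workloads}


# Constructed inventory of three freshly instantiated workloads.
SAMPLE_WORKLOADS = [
    {"name": "web-1", "tags": {"role": "web", "env": "prod"}, "public_ip": True,
     "observed_rules": {("tcp", 443, "0.0.0.0/0"), ("tcp", 22, JUMP_HOST)}},
    # A dev box whose creator opened SSH to the world and skipped the jump-host rule.
    {"name": "dev-box", "tags": {"role": "web", "env": "dev"}, "public_ip": True,
     "observed_rules": {("tcp", 22, "0.0.0.0/0"), ("tcp", 443, "10.0.0.0/8")}},
    # Provisioned with no tags and no host firewall: the inadvertent exposure case.
    {"name": "untagged-1", "tags": {}, "public_ip": True, "observed_rules": set()},
]

if __name__ == "__main__":
    for name, (policy, findings) in audit_fleet(SAMPLE_WORKLOADS).items():
        print(f"{name}: policy={policy}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the audit at every instantiation, and again on a schedule, is what turns the tag model into the “monitoring for changes to those rules” the paper calls for later.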

Best Practices for the Alignment of Hybrid Cloud Security Initiatives


Many best practices still apply, but need to be implemented while keeping what makes clouds different in mind and
leveraging purpose-built technology. While many organizations will start by using existing processes and technologies to
secure their cloud infrastructure, 74% of participants in ESG research indicated they had to abandon such use (see Figure
5).


Figure 5. Abandonment of Traditional Security Policies and Technologies for Cloud Security

Has your organization had to abandon its use of any traditional security policies or technologies because it couldn’t be used effectively for cloud security?
(Percent of respondents, N=303)

Yes, we’ve abandoned many traditional security policies or technologies because they couldn’t be used effectively for cloud security: 32%
Yes, we’ve abandoned some traditional security policies or technologies because they couldn’t be used effectively for cloud security: 42%
No, but we are having sufficient problems that may lead us to abandon one or several traditional security policies or technologies because they couldn’t be used effectively for cloud security: 13%
No: 14%

Source: Enterprise Strategy Group, 2016

The central themes of the following best practices are organizational alignment and consistency across the workloads that
comprise a hybrid cloud. Some retooling may be required across skill development, tools, and processes. As such, it is
important to consider business-related best practices as enablers to implementing technical best practices.

Business Considerations
The noted differences in the IT-as-a-service business model warrant considering a few organizational and business-related
best practices.

• Embrace cloud security as a team sport. Agile software development, shadow IT, and DevOps have resulted in a
new set of seats at the table for the planning, procurement, and securing of hybrid clouds, with the AppDev
teams typically representing the lines of business. While security professionals tend to be cautious by nature and
methodical in their approach, those with an AppDev and DevOps orientation may seem cavalier. IT leadership
that embraces cloud security as a team sport will facilitate bringing a DevOps approach to the on-premises
infrastructure for greater agility and security best practices to the cloud for asset protection. Doing so rightfully
validates the importance of each to help the organization move quickly but safely.

• Communicate with full transparency. As noted above, there are new internal stakeholders involved in securing
hybrid clouds with external stakeholders, including business partners—suppliers, channels, contractors, and
more. Team members charged with implementation should agree on a set of goals and objectives, so success
criteria are clear. More specifically, cross-functional teams will want to convey how the transition of resources
(i.e., applications, data sets, and security controls) will affect business units. This inventory of assets should
include a risk assessment to identify the most mission-critical applications and sensitive data sets.

• Align on the economics. Organizations should seek solutions that allow them to pay for security as they do for the
infrastructure being protected, as a way to align cost with the value realized. Doing so will depend, in part, on
where the respective workload resides. Examples of such models include:

  - Metered. This consumption-based model is applicable for securing auto-scaling environments in which
server workload instances may only exist for a few hours, in that both the workload and security controls
are metered per hour.

  - Reserved instances/per server. For on-premises data centers, the number of servers is often known and
serves as a natural way to purchase security, on a perpetual or yearly basis. In the cloud, some organizations
will reserve instances for pricing advantages. Security controls should also support per annum models so
that, again, the entity being secured is priced in the same way as the security control to protect it.

  - Per CPU. For on-premises data centers, many organizations, including those operating IT-as-a-service, will
prefer a CPU-based pricing model.

Technical Considerations

• Segment environments, duties, and access with least privilege. The best practice of granting only the least amount
of privileges required for an individual to get her job done should be applied in multiple dimensions in a hybrid
cloud environment.

  - Segment dev, test, and prod environments. Developers creating a dev environment are unlikely to apply
security controls. As such, their environment, as well as the test environment, should be segmented off from
production.

  - By storage and compute. Further segmenting by storage and compute protects data assets.

  - By role. Segmentation of duties by role is essential for preventing the unauthorized or accidental use of
high-privileged credentials to access key assets. Doing so protects against both stolen credentials and the
insider threat.

  - API keys. API keys are the means of resource access and provisioning, so least privilege should be applied
to them as well, especially to those keys that allow access to the most sensitive portions of the hybrid cloud.

• Mind the visibility gap. The security truism that “you can’t secure what don’t you have” is especially true in cloud
environments where workloads are transient and the CSP manages from the “hypervisor down.” Visibility in this
context has two dimensions:

 Inventory of assets. An inventory should include both on-premises and cloud-resident assets, including key
control points, both physical (network-based egress security controls) and logical (API keys and cloud
accounts). Asset management software, employing a configuration management database (CMDB), and
especially solutions that auto-discover newly provisioned workloads provide this aspect of visibility.

 Continuous monitoring. Activity around inventoried resources should be monitored continuously, including
the use of API keys (via logging) and the provisioning of new workloads that could represent insecure
sprawl. Workload monitoring should cover both activity within the workload (system activity, intra) and
traffic between workloads (network, inter).


• Extend the security model with workload-appropriate controls. As noted above, hybrid clouds are characterized by
shifting perimeters and thus require a workload-centric security model. Network controls are still essential, of
course, but as transient workloads come and go, and others migrate to the cloud for scale, a location-agnostic
approach that augments those network controls is required. Server tags are core to this model so that policy can
be applied by workload type. In addition to applying consistent firewall rules and monitoring for changes to
those rules, anomaly-based intrusion detection is highly appropriate within auto-scaling groups, where every
instance is built from the same image and there should be no drift from standard configurations and behaviors.
Deviations that could be indicative of a compromise include:

 New processes and unexpected parent-child relationships, made visible in a process tree view.

 File system changes, specifically those containing critical files and sensitive data.

 Logins outside the norm (e.g., during odd times or from strange locations).

 Network connections to or from remote IPs outside the baseline (e.g., administrative access from anything other than the jump host).

 Correlation between processes and network traffic (e.g., Why would the Apache web server process
communicate with an IP in Eastern Europe?).

Organizations should also consider application control (allowlisting of permitted executables) for fixed-function
workloads such as automation servers and bastion hosts to augment the visibility provided by continuous monitoring.
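The following Python is an added example, not code from the ESG paper or from any product it discusses. It implements the five deviation classes listed above as checks against a per-role baseline and runs them over constructed telemetry records for two nodes in the same auto-scaling group, so that the node which has drifted from its image stands out. The baseline for the “web” role, the jump host address, and the sample records are all constructed for illustration.

```python
"""Baseline-vs-observed anomaly checks for an auto-scaled web tier.

Added example, not from the ESG paper: the role baseline, the jump host
address and the telemetry records below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

JUMP_HOST = ip_address("10.0.0.5")  # assumed bastion; the only legitimate admin source


@dataclass
class Baseline:
    """What a workload of a given role is expected to look like."""
    processes: set          # process names expected to run on this role
    parents: dict           # child process -> the only permitted parent
    protected_paths: tuple  # path prefixes whose changes are always notable
    login_hours: range      # UTC hours in which admin logins are expected
    egress: dict            # process -> CIDRs it is allowed to talk to


# Constructed baseline for the "web" role; in practice derived from the golden image.
WEB_BASELINE = Baseline(
    processes={"systemd", "sshd", "httpd", "chronyd", "rsyslogd"},
    parents={"httpd": "systemd", "sshd": "systemd", "bash": "sshd"},
    protected_paths=("/etc/", "/var/www/html/", "/root/.ssh/"),
    login_hours=range(8, 19),
    egress={"httpd": ["10.0.0.0/8"], "chronyd": ["10.0.0.0/8"], "sshd": ["10.0.0.5/32"]},
)

INTERPRETERS = {"bash", "sh", "dash", "python", "perl"}


def check_event(ev: dict, base: Baseline) -> List[str]:
    """Return one finding per deviation in a single telemetry record (empty if benign)."""
    findings: List[str] = []
    kind = ev["type"]
    if kind == "process":
        if ev["name"] not in base.processes:
            findings.append(f"unexpected process {ev['name']} (pid {ev['pid']})")
        expected_parent = base.parents.get(ev["name"])
        if expected_parent and ev["parent"] != expected_parent:
            findings.append(f"{ev['name']} spawned by {ev['parent']}, expected {expected_parent}")
        # A shell or interpreter forked by the web server is the classic web-shell signature.
        if ev["parent"] == "httpd" and ev["name"] in INTERPRETERS:
            findings.append(f"web server forked interpreter {ev['name']}")
    elif kind == "file":
        if ev["path"].startswith(base.protected_paths):
            findings.append(f"change to protected path {ev['path']} by {ev['process']}")
    elif kind == "login":
        src = ip_address(ev["src"])
        if src != JUMP_HOST:
            findings.append(f"login for {ev['user']} from {src}, not the jump host")
        if ev["hour_utc"] not in base.login_hours:
            findings.append(f"login for {ev['user']} at {ev['hour_utc']:02d}:00 UTC, outside expected hours")
    elif kind == "netflow":
        dst = ip_address(ev["dst"])
        allowed = [ip_network(cidr) for cidr in base.egress.get(ev["process"], [])]
        # Correlating the owning process with the destination answers "why would httpd talk to that IP?"
        if not any(dst in net for net in allowed):
            findings.append(f"{ev['process']} connected to {dst}:{ev['dport']}, outside its egress baseline")
    return findings


def analyze(events: List[dict], base: Baseline = WEB_BASELINE) -> Dict[str, List[str]]:
    """Run every record through check_event and group findings by host."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        for finding in check_event(ev, base):
            report.setdefault(ev["host"], []).append(finding)
    return report


# Constructed telemetry for two nodes in the same auto-scaling group.
# web-1 behaves like its image; web-2 shows the pattern of a web shell and a hands-on intruder.
SAMPLE_EVENTS = [
    {"type": "process", "host": "web-1", "pid": 812, "name": "httpd", "parent": "systemd"},
    {"type": "login", "host": "web-1", "user": "ops", "src": "10.0.0.5", "hour_utc": 10},
    {"type": "netflow", "host": "web-1", "process": "httpd", "dst": "10.20.3.14", "dport": 5432},
    {"type": "process", "host": "web-2", "pid": 4410, "name": "bash", "parent": "httpd"},
    {"type": "file", "host": "web-2", "process": "bash", "path": "/var/www/html/.cache.php"},
    {"type": "login", "host": "web-2", "user": "root", "src": "203.0.113.77", "hour_utc": 3},
    {"type": "netflow", "host": "web-2", "process": "httpd", "dst": "198.51.100.23", "dport": 4444},
]

if __name__ == "__main__":
    for host, items in analyze(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  -", item)
```

Because every instance in the group is built from the same image, the baseline can be strict: web-1 produces no findings at all, while web-2 produces a finding for each of the five deviation classes. The value of the netflow check comes from attributing the connection to its owning process rather than judging the destination address alone.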

• Automate via SecDevOps. Automation of continuous integration, testing, deployment, and monitoring is the
conveyor belt workflow at the core of DevOps. The same level of automation should be applied to security for the
same operational benefits and to ensure that security controls are built in, not bolted on, which is what a
SecDevOps methodology represents. Related best practices include:

 Auto-assignment of policy-based security controls. Based on tags that denote the role of the workload,
security controls should be automatically included in the configuration of all new workloads so that each is
protected from the time of instantiation, both in the data center and in the cloud.

 Automated vulnerability scanning in the test environment. Scanning for vulnerabilities in test environments
identifies issues before applications are deployed to production, so workload configurations can be updated to
ensure that only patched, current releases of the software stack reach production.

 Virtual patching. Blocking attempts to exploit a known vulnerability at the host or network intrusion prevention
layer, based on the behavior of the exploit rather than the presence of the patch, helps close the vulnerability
gap until new workloads can be provisioned from a patched image as part of an immutable infrastructure, or until
workloads can be patched in place in the data center. A virtual patch is a compensating control, not a
replacement for the vendor fix.

 Automated penetration testing. Scheduled port scanning and vulnerability scanning from outside the workload
help verify that firewall rules match their intent and that patches have actually been applied. Port scanning
alone only confirms what is reachable; confirming that a patch is in place requires a vulnerability check against
the exposed service.

• Employ purpose-built security solutions that extend native controls. A “better together” strategy with respect to
the use of security technologies should be employed. Native controls such as host firewalls, encryption, and
identity and access management (IAM) provide a strong foundational baseline. The more multidimensional the
hybrid cloud, the more critical unified controls are to ensure consistency across disparate infrastructures. An
example of such an approach is the use of multi-factor authentication (MFA) for access to critical resources
combined with continuous monitoring to detect anomalous login attempts: a “trust but verify” practice that will
typically require both native and best-of-breed third-party controls.

Attributes of Purposeful Hybrid Cloud Security Solutions


As noted above, many organizations abandon the use of traditional security solutions to protect their use of the cloud.
Participants in ESG research noted a set of breadth and depth attributes required to secure their cloud environments (see
Figure 6).

Figure 6. Most Desired Attribute When It Comes to Securing Cloud Infrastructure

What is your organization’s most desired security attribute when it comes to securing cloud
infrastructure? (Percent of respondents, N=303)

• Extensibility (i.e., ability to extend across heterogeneous infrastructure): 22%
• Scalability (i.e., ability to scale up or down appropriately with cloud resources): 21%
• Infrastructure-agnostic (i.e., independent of the underlying IT infrastructure): 20%
• Manageability: 10%
• Pervasiveness (i.e., exists throughout the entire IT environment, from public cloud to on-premises): 8%
• Deep visibility (i.e., at the application or workload layer): 8%
• Stateful (i.e., security policies remain consistent even as workloads move throughout the IT environment): 7%
• Automation: 3%

Source: Enterprise Strategy Group, 2016

With this context, the functional requirements, and other attributes, of a purposeful hybrid cloud security solution can be
expressed in the following dimensions.

Flexible Deployment and Delivery Options with Centralized Control Plane


Customers will want flexibility in deploying the management server and control plane either on-premises or in the cloud,
with cloud-delivered options including both customer-managed and software-as-a-service (SaaS) options. In all cases, the
implementation should span the hybrid environments by providing centralized control to both assign policies, and view and
report on status.

Support for Workload Tags for Policy Assignment and Management


Support for workload tags, the naming convention on which the aforementioned auto-assigned policy best practice
depends, is essential in dynamic cloud environments. Solutions should also provide sample scripts for integration with
leading automation engines (Chef, Puppet, etc.) and should include out-of-the-box rules by workload type (at the OS and
application level) to streamline policy assignment. In addition to the use of tags for policy assignment, the management
console should also allow administrators to manage by tag (i.e., view reports, events, and alerts). The use of tags should
also extend to role-based access control (RBAC) for a least privilege approach to setting policy and monitoring status.

Broad Platform Coverage


The journey to the cloud that results in the need to secure a hybrid cloud will produce an environment composed of old
and new. A purpose-built hybrid cloud security offering needs to support a broad range of operating systems to eliminate
the need for multiple products, including Microsoft Windows; a wide variety of Linux distributions; Unix for legacy
applications; and the leading hypervisors for on-premises workloads.

Depth of Functionality for Workload-appropriate Controls


Some of the requisite functional capabilities for a hybrid cloud security solution include:

• System integrity monitoring across multiple aspects of system activity, including processes, the file system, logins, and
network flows.

• Host intrusion detection and prevention for anomaly detection and virtual patching.

• Anti-malware detection with contextualized threat intelligence and software reputation service integration.

• Application control for those systems that warrant a deterministic default-deny approach.

• Firewall management for consistency of policy.

Proven in Multiple Environments


An organization’s hybrid cloud environment is likely to change with respect to the mix between its cloud and on-premises
workload sets. Customers should seek solutions that not only meet the above requirements, but are also proven to
operate across disparate environments at scale, with operational efficiency and a high level of efficacy.

The Bigger Truth


Hybrid clouds of multiple dimensions are the new normal of the data center, where many new IT projects are governed by
a cloud-first imperative. The resulting complexity of securing disparate infrastructure pieces requires an understanding,
and an enthusiastic acceptance, of the technical and business aspects that make these environments different. This change
is an opportunity to treat security more proactively across the technical, business, and organizational aspects of a hybrid
cloud environment.

Integrating security best practices and controls with an organization’s DevOps methodology (SecDevOps) is the
embodiment of leveraging automation to secure an organization’s hybrid cloud—one that provides both operational
efficiency and greater efficacy. Purpose-built solutions are also required—ones that support both existing infrastructure
and dynamic, software-defined cloud environments. Hybrid cloud security should be viewed as an opportunity for security
to be part of how an organization leverages the agility of the cloud so business can move quickly and safely.



All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The
Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject
to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this
publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express
consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable,
criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides
actionable insight and intelligence to the global IT community.
www.esg-global.com | contact@esg-global.com | P. 508.482.0188
