This situation may sound familiar – your CEO, CIO, or another executive outside of the security organization summons you to a meeting. “We have decided to move [Enter unreasonable number here] of our business applications to the public cloud by [Enter impossible timeframe here],” he announces. “And don’t tell us that security is an issue in the cloud – [Enter name of high-profile competitor here] has already saved millions of dollars by moving to the cloud – so do what you need to do to make sure we are secure.”
Having secured network access in your data center for years using a mix of firewalls, IPSs, proxies and other related devices from well-established vendors, you may naturally gravitate towards a similar architecture for the public cloud. But after some digging, you discover network security in the cloud is in its infancy and often confusing. In our recent survey, we discovered that only a third of respondents who are currently deploying or planning to deploy applications in the public cloud are using commercial firewalls for network access. And a full third of respondents with concrete public cloud plans do not know which network security controls they are going to use!
On the one hand, most organizations will deploy a good chunk of their business applications on a public IaaS platform in the foreseeable future; on the other hand, for nearly all organizations, the on-premise data center is not going away anytime soon. So the question you should ask yourself is not “how do I secure the public cloud?” but rather “how do I ensure security across my hybrid environment?”
Here are a few tips to help you plan your security policy management across a hybrid environment.
1. Select the right security controls
There are three basic methods to secure network access on public clouds:
Commercial firewalls: Commercial-grade firewalls for the public cloud do exist, but the level of support and functionality varies greatly between vendors. Their benefits include unified management with on-premise firewalls as well as familiarity with how policies are defined and enforced. Cons include cost, scalability and a limited feature-set for some vendors.
Cloud provided controls: Cloud providers usually provide their own security controls (e.g. Amazon Security Groups). These controls are generally free (definitely a pro!), and provide a good level of functionality. However, in many cases they lack enterprise-grade management and do not work across different cloud providers since every provider’s controls are different.
Host-based firewalls: Since public IaaS is basically about spinning up compute instances, you can leverage host-based firewalls to control network access (e.g. iptables). This is a good cross-cloud solution, but cons include management overhead and a limited feature set.
There is no right answer when it comes to selecting network security controls in the cloud, and our survey underscores the fact that the network security controls landscape in the cloud is highly fragmented. And to make matters even more complex, it changes at a fast pace. Make sure you carefully evaluate the options and choose the security controls that best suit your business needs.
2. Get Visibility Across the Entire Environment
Regardless of which security controls you choose, visibility across your hybrid environment is key to a successful migration and deployment. Yet as our survey found, visibility is severely lacking, and without visibility you’re basically driving blind. Make sure you select controls that work with a policy management platform that provides visibility across the entire hybrid environment.
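As an added illustration of the visibility problem (example code, not part of the original post or any vendor's product): two of the control types listed above, an Amazon Security Group and a host's iptables rules, describe the same kind of access in completely different formats, so a single view has to normalize them first. The group id, host name and rules are constructed samples, and the iptables parser only handles simple INPUT-chain ACCEPT lines with one --dport.

```python
import ipaddress
import re

# Constructed sample: one Security Group in the shape the AWS API describes it.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

# Constructed sample: INPUT chain lines as printed by iptables-save on a host.
IPTABLES_SAVE = """
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP
"""

def from_security_group(sg):
    """Flatten inbound Security Group permissions into common rule records."""
    rules = []
    for perm in sg["IpPermissions"]:
        for rng in perm["IpRanges"]:
            rules.append({"source": rng["CidrIp"], "proto": perm["IpProtocol"],
                          "ports": (perm["FromPort"], perm["ToPort"]),
                          "origin": "aws:" + sg["GroupId"]})
    return rules

# Simple INPUT/ACCEPT rules only; a missing -s means "any source".
_RULE = re.compile(r"-A INPUT(?: -s (\S+))? -p (\w+)(?: -m \w+)? --dport (\d+) -j ACCEPT")

def from_iptables(text, host):
    """Parse ACCEPT rules on the INPUT chain into the same common records."""
    rules = []
    for m in _RULE.finditer(text):
        src, proto, port = m.groups()
        rules.append({"source": src or "0.0.0.0/0", "proto": proto,
                      "ports": (int(port), int(port)), "origin": "host:" + host})
    return rules

def world_open(rules):
    """Rules reachable from any address: what a unified view should surface first."""
    return [r for r in rules if ipaddress.ip_network(r["source"]).prefixlen == 0]
```

Once both sources are in one record format, the same review (here, anything open to the world) runs across the cloud and the on-premise hosts regardless of which control enforces the rule.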
3. Improve Processes with Security Automation
Hand in hand with visibility is security automation. Automation is the key to effectively migrating to and managing a hybrid environment – especially since you will be expected to manage security at the “speed of cloud”. When you’re trying to manage hundreds or even thousands of policy rules, automation is the only way. It’s no surprise that security change management fails because teams, often working in silos, use manual, time-consuming processes. So learn where your process breakdowns occur and use automation to address the problem and manage your environment. You’ll not only help reduce business outages and speed up application deployments in the cloud, but you’ll also get all the teams working together, harmoniously for the benefit of business agility.
4. Place Ownership of Security in the Right Hands
While allowing the different teams to work together using automation tools is critical to the success of your hybrid cloud environment, it’s also important to select the right team to lead your security effort. Our survey found that large and small companies struggled to assign responsibility for security in hybrid cloud environments. Should it be handled by the Information Security team (most common for larger organizations) or IT operations (most common for smaller organizations)? Or should the responsibility fall on platform providers? Make sure to align IT and information security roles and responsibilities for security management processes that work for your organization.
These are just a few suggestions to help you ensure security as you plan your move to a hybrid cloud environment. While it may all seem rather daunting, like many new initiatives it basically boils down to selecting the right tools, processes, and people to get the job done. Hopefully these suggestions will point you in the right direction.