AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Search in comments
Filter by Custom Post Type
Posts

On-premise or in the cloud? Where’s the best place for your applications

by

In my previous post, we looked at three trends which demonstrate that, despite the general industry expectation that organizations would eventually run ‘cloud only’ IT infrastructures, the hybrid cloud environment is here to stay.

This means that organizations will need to continue to maintain and manage robust security consistently across both their on-premise and cloud infrastructures.  So how should organizations approach this task?

Network segmentation matters

The starting point is deciding whether the security and compliance requirements for a given business application are better served in the cloud, or in an on-premise environment.  Your existing network segmentation scheme will provide useful initial guidance on this.If network segmentation is set up and managed correctly, the servers and applications that reside in the least segregated zones on your network may well be suitable for migration to the cloud.

In contrast, applications and servers in zones which are highly protected and reside behind multiple firewalls should remain in your own on-premise data center, so that they can be robustly secured.

Appraising your applications

Following an assessment of your network segmentation strategy, you should then review the functions that your business applications are actually performing, and the data that they process, to help determine whether they should be deployed on-premise or if they can be migrated to the cloud.  There are three main areas that should be reviewed:

  • Is it legal? Business applications that hold sensitive data, such as personal identifiable information for customers, are more suited for on-premise deployments.  In most instances there are data privacy laws that govern where data can be stored when the information is collected, processed or communicated.   Over 80 countries and independent territories have adopted comprehensive data protection laws, so it is essential to check and verify what data the application processes, and what is allowed from a legal perspective before moving it to a cloud environment.
  • Is it subject to regulatory compliance? If the application, or the data it processes, is subject to regulatory oversight under compliance regimes such as HIPAA or PCI, then there is a clear need to understand the security compliance status of that application, and if moving it to the cloud will risk a compliance violation.  For example, HIPAA requires accountability practices on all LANs, WANs, and access via VPNs.   If the application needs to be compliant with PCI, you will need to have a firewall at each Internet connection the application uses, and between any network demilitarized zone and the internal network zone.  Applications that are subject to this regulation, are typically not ideal candidates for migration to the cloud.
  • Is it already on the net?: If there are already parts of the application that are exposed to the internet, such as a web server, the application may well be suitable for migration to the cloud. These applications should already have strong security implemented, and when moving the application to the cloud, this will ensure that the security of both the server and internal network is maintained.

Bringing clarity to your hybrid environment

As hybrid cloud environments will be here for the foreseeable future, the complexity of ensuring that security is maintained throughout and following the application migration will remain challenging.  However, by identifying from the outset which applications are best suited for cloud deployments, and which should remain on-premise, you will be able to bring more clarity to your cloud security strategies – and improve your security posture in the process.

Subscribe to Blog

Receive notifications of new posts by email.