Interest in hybrid cloud computing is high. By next year, industry watchers expect 90% of organizations will use a mix of public and private cloud technologies. But there’s far less certainty around how to provide reliable security in such a scenario.
The issue was apparent in results from the 2018 Enterprise Cloud Index survey of 2,300 IT decision makers around the globe, conducted for Nutanix by VansonBourne. Many companies indicated plans to double or even triple their hybrid cloud deployments within the next two years. But when asked about the benefits of hybrid cloud computing, only 5.4% of respondents selected, “I can choose the best security and compliance model for my data.”
Respondents are bullish on hybrid cloud computing nonetheless, with 91% calling it the “ideal IT model for organizations” and 87% saying it is having a positive impact on their businesses. No doubt that’s a nod to the ease with which companies can turn up and scale cloud environments, and the pay-as-you-go models that provide great IT flexibility.
If that positive impact is to continue, companies will have to get a handle on how best to secure their hybrid cloud environments.
Part of the problem is that once data is in the cloud, companies don’t have a lot of control over where it’s physically located, said Rajiv Mirani, CTO for cloud platforms at Nutanix.
“Where is data getting backed up and replicated? Who can look at it? Can someone in a different country look at it?” he asked. “Companies often don’t have enough controls to meet compliance objectives.”
Another challenge to hybrid cloud security is that each cloud environment is different, Mirani noted.
“There’s a high cost to learning how to secure everything in each environment,” he said.
What’s more, the attack surface area for cloud providers is much larger than for a single company with an on-premises data center — which is exactly what attackers want.
“While your company might not be a target for hackers, Amazon for sure is,” he said.
3 Key Requirements
Addressing these challenges isn’t an insurmountable problem, but it does require companies to put thought into how their existing security strategies can be extended to include hybrid cloud environments. In some cases, it may also require new tools to aid in that effort. Mirani points to three key attributes to an effective strategy: comprehensive security, policies and processes, and always-on protection.
Comprehensive Security -- Any security plan has to address the network, endpoints and data. For the network, that includes protecting data in motion over the wide-area as well as data flowing between virtual machines inside a data center, a gap that typical perimeter security solutions won’t likely address. Endpoint security should include an agentless architecture that’s simple for both end users and IT, but protects against viruses, malware and intrusions. Data should be protected according to consistent policies to ensure compliance, with a centralized encryption key management solution to ease administration.
Sound Policies and Processes -- Security policies and procedures developed over the years shouldn’t be abandoned in a hybrid cloud environment. Rather, they should be extended to include and apply to the cloud elements. Customers share much of the responsibility for the security of their cloud workloads with their cloud provider. Companies should make sure that’s accomplished according to their established rules.
Always-On Protection -- One way to accomplish that is by using tools that can deal with data located both on-premises and with different cloud providers. Nutanix Beam, for example, provides insights into cloud compliance and security vulnerabilities in real-time, allowing IT managers to resolve potential threats before becoming business challenges.
“Traditionally, companies do periodic audits of basic things like ensuring default passwords are changed,” Mirani said. “That covers the time of the audit, but things tend to drift. With Nutanix Beam, if something deviates it alerts immediately.”
That kind of automation should apply not only in responding to security events but to applying security policy in the first place.
“The only way security really works is with a small set of policies applied centrally and then spread everywhere,” Mirani said.
Nutanix Calm, for example, is an application automation and lifecycle management platform that enables companies to create security rules when an application is initially developed, then ensures they are applied every time the application is deployed.
“Once you figure out the best way to secure an application, every time someone creates a new instance of the app, the security policies come along with it,” Mirani said. “It’s a cookie cutter approach that’s important to ensuring security is simple but effective.”
It may be apparent that none of these attributes are necessarily specific to hybrid cloud environments. They apply equally well to strictly on-premises IT infrastructure, which is the point. Mirani said it’s best to think of hybrid cloud as an extension of the company’s premises-based IT infrastructure, and secure accordingly.
Paul Desmond is a contributing writer. He is co-founder and principal of Saratoga B2B group and formerly an editor at IDG’s Network World, Redmond magazine and Redmond Channel Partner magazine.
Photo by LinkedIn Sales Navigator from Pexels.
© 2019 Nutanix, Inc. All rights reserved. For additional legal information, please go here.