SDN Journal Authors: Pat Romanski, Destiny Bertucci, Liz McMillan, Elizabeth White, Amitabh Sinha

Related Topics: @CloudExpo, Microservices Expo, Agile Computing, Cloud Security, @DXWorldExpo, SDN Journal

@CloudExpo: Article

Migrating On-Premise Controls to the Cloud

In the hybrid cloud, it's all about speed and flexibility

The scale and automation of cloud computing deliver economies of scale - and price points - that can't be matched by traditional computing platforms. Managers can minimize capital expenses and align operational costs to business demands with scalable, flexible resource deployments. Those same factors enable innovation through rapid prototyping and testing of complex systems that aren't feasible - or affordable - with established approaches. It's little wonder the cloud has emerged as the first choice of infrastructure for many IT managers and practitioners.

Security and compliance play just as critical a role in the hybrid cloud as they do in more conventional environments. So it's unfortunate that as organizations move operations to the cloud they tend to mirror the protection efforts they employ with their physical, on-premise systems. It's a mistake because in many cases existing controls don't migrate well to the cloud. As a result, they fail to provide the requisite protection and diminish - or even eliminate - anticipated cost and operational benefits of cloud computing.

The speed and flexibility afforded by cloud computing impact all aspects of IT. And, as with other disciplines, the very attributes responsible for the attractiveness of the cloud lead directly to the potential for failure. From a security and compliance perspective, trying to migrate existing on-premise controls and technologies directly to the cloud presents two distinct risks.

We'll look at specific examples, but a general concern with existing security controls is their inability to keep pace - and maintain protections - in the face of rapidly changing cloud-based environments. That limitation leads directly to unprotected systems, presenting unacceptable risks of loss, compromise, and compliance/audit failures. The alternative to this is to slow deployments in an effort to enable existing security controls to stay ahead of the environment. Since this additional operational friction risks eliminating most or all of the benefits of the cloud, it's equally unacceptable.

Let's look at some specific examples to see how the effort to move existing controls to the cloud can adversely impact security, and how those controls might change to ensure comprehensive, effective protection in the cloud.

Encryption of data, at rest or in transit, is a recognized best practice for ensuring confidentially and integrity of systems, and is mandated by a mix of contractual, audit, and regulatory compliance requirements. Most organizations rely on specialized hardware security modules, or HSMs, to perform these computationally intensive cryptographic functions and to protect the cryptographic keys used in the process. HSMs are appliances providing the specialized processors and algorithms needed to accelerate cryptographic functions like generating keys, encrypting data, and creating message authentication codes.

Identical requirements exist within the cloud - and HSMs remain the optimal solution to get the job done. The sticking point here is the migration of workloads to the cloud introduces unacceptable delays in interactions between processing systems and the HSM. Since HSMs are typically installed in a data center, requests from cloud-based applications must traverse the network, adding friction and delay.

Since the delay in interactions is the primary sticking point, this scenario is one where simply migrating the control to the cloud solves the problem. That's precisely what Amazon Web Services has done with their recently announced AWS CloudHSM offering. Powered by high-performance SafeNet HSM technology, the ready availability of an HSM within the cloud enables security teams to manage cryptographic functions with the required level of performance, and the additional assurance needed for the most sensitive data.

Endpoint Protection
Attempts to migrate traditional, agent-based approaches to endpoint protection haven't generally translated well, as a consequence of the dynamic nature of the cloud. Conventional endpoint protection technologies rely heavily on robust threat signature databases and policy definitions. These - particularly threat signatures - change rapidly, many times a day. Following an initial install and configuration, conventional systems simply maintain the currency of the database with frequent downloads and updates.

But that doesn't work with virtual and cloud-based systems, where standardized system images are spun up as needed. At the time they're started, a given system image may be days or weeks old. Whatever signatures definitions are already installed are out of date, leaving ever-expanding gaps in protection, with systems open to attack and exploit.

Ensuring protections are up-to-date as soon as a system is started has required re-architecting endpoint controls. The new approach keeps a locally installed agent on individual systems for scanning and evaluation purposes, but moves the task of maintaining signatures and policies to a centralized cloud-based server. That server performs the ‘heavy lifting' of keeping threat signatures up-to-date. As systems are instantiated in the cloud, the agent can begin evaluating suspect items with transactional queries to the centralized server. Protections are provided without sacrificing the cloud's speed and flexibility advantages.

Privileged Identity Management
Privileged users - trusted individuals such as administrators, consultants, and third parties with a need to access and maintain IT infrastructure - are responsible for a substantial number of system breaches. Those attacks can occur directly both as a consequence of a rogue user, or more often by an external attacker who's managed to compromise sensitive administrative credentials.

In our experience with organizations seeking to get control over privileged users, existing controls arguably don't work that well in existing datacenters. Too often, organizations rely on inherently insecure techniques like storing sensitive credentials in easily accessible spreadsheets, duplicating credentials across myriad devices and systems, and relying on shared administrative accounts, like root, that make it impossible to track individual user activity.

Moving those controls to the cloud simply expands the scope and scale of an already bad situation by orders of magnitude.

But even establishing a baseline set of privileged identity management controls won't completely address the requirements of cloud computing security mandates. Once again, the principal issue is speed. Traditional privileged identity management tools rely on static definitions of resources to be protected, along with associated user identifications and policy prescriptions. Those approaches can't keep pace when new systems are being spun up by the hundreds.

The solution here is automation - by integrating tightly with underlying hypervisor and cloud technologies, the PIM solution can automatically identify new resources as they are created. Once identified, controls can be established - passwords captured and placed under management, access controls established and enforced, monitoring implemented - all at cloud speeds and scale.

Broader Cloud Control Concerns
Migration to the cloud introduces a number of security concerns that apply regardless of the specific security discipline being implemented.

One area many groups overlook is the fact that in the cloud s particularly with metered services like Amazon Web Services - management consoles become de facto procurement systems. Spinning up systems and resources brings a cost, and while the individual expense might be small, uncontrolled spending adds up. Particularly in organizations where expenditures are tightly controlled as a matter of policy (or, in the case of governmental entities, law) this is an area requiring policies and controls.

Similarly, although more apparent, are the risks posed by new cloud technologies themselves. Existing controls don't factor into account the existence of resources like hypervisors and management consoles. These are completely new risks existing controls don't address, which must be addressed from scratch.

Many organizations also find that establishing centralized security controls brings benefits. We've focused primarily on speed and performance, but flexibility is another attractive attribute of the hybrid cloud. IT managers are able to evaluate multiple different platforms as part of their hybrid cloud portfolio, selecting the optimal environment for a system based on cost, scalability, privacy, and other factors. In some circumstances, workloads may even move from one platform to another. Providing consistent security management and controls regardless of the underlying technology, delivers benefits in terms of reduced administrative overhead and less risk of inadvertent gaps in protection.

Bottom Line
The hybrid cloud is an enduring architectural approach to enterprise computing, and with various shared security models and compliance mandates, it's clear IT and security executives will maintain a significant level of responsibility for the integrity of these environments. As we've seen, simply moving existing controls en masse to the cloud will frequently result in inadequate protection from attacks and compromises. It's essential security teams leverage next-generation security and compliance tools to ensure their controls are able to keep pace with the speed and flexibility inherent in the hybrid cloud.

More Stories By Dale R. Gardner

Dale R. Gardner is Director of Product Marketing at Xceedium. He's developed and launched multiple network, systems, and security management products for the enterprise market. A former META Group analyst, he started his career as a programmer and networking specialist.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@CloudExpo Stories
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...
As many know, the first generation of Cloud Management Platform (CMP) solutions were designed for managing virtual infrastructure (IaaS) and traditional applications. But that's no longer enough to satisfy evolving and complex business requirements. In his session at 21st Cloud Expo, Scott Davis, Embotics CTO, explored how next-generation CMPs ensure organizations can manage cloud-native and microservice-based application architectures, while also facilitating agile DevOps methodology. He expla...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
DevOps promotes continuous improvement through a culture of collaboration. But in real terms, how do you: Integrate activities across diverse teams and services? Make objective decisions with system-wide visibility? Use feedback loops to enable learning and improvement? With technology insights and real-world examples, in his general session at @DevOpsSummit, at 21st Cloud Expo, Andi Mann, Chief Technology Advocate at Splunk, explored how leading organizations use data-driven DevOps to close th...
Continuous Delivery makes it possible to exploit findings of cognitive psychology and neuroscience to increase the productivity and happiness of our teams. In his session at 22nd Cloud Expo | DXWorld Expo, Daniel Jones, CTO of EngineerBetter, will answer: How can we improve willpower and decrease technical debt? Is the present bias real? How can we turn it to our advantage? Can you increase a team’s effective IQ? How do DevOps & Product Teams increase empathy, and what impact does empath...
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software. They hope to capture value from emerging technologies such as IoT, SDN, and AI. Ultimately, irrespective of the vertical, it is about deriving value from independent software applications participating in an ecosystem as one comprehensive solution. In his session at @ThingsExpo, Kausik Sridhar, founder and CTO of Pulzze Systems, discussed how given the magnitude of today's application ...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
You know you need the cloud, but you're hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You're looking at private cloud solutions based on hyperconverged infrastructure, but you're concerned with the limits inherent in those technologies. What do you do?
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is an internationally known DevOps and Cloud Transformation thought leader, technology executive, and author. Sanjeev's industry experience includes tenures as CTO, Technical Sales leader, and Cloud Architect leader. As an IBM Distinguished Engineer, Sanjeev is recognized at the highest levels of IBM's core of technical leaders.
In his general session at 21st Cloud Expo, Greg Dumas, Calligo’s Vice President and G.M. of US operations, discussed the new Global Data Protection Regulation and how Calligo can help business stay compliant in digitally globalized world. Greg Dumas is Calligo's Vice President and G.M. of US operations. Calligo is an established service provider that provides an innovative platform for trusted cloud solutions. Calligo’s customers are typically most concerned about GDPR compliance, application p...
Mobile device usage has increased exponentially during the past several years, as consumers rely on handhelds for everything from news and weather to banking and purchases. What can we expect in the next few years? The way in which we interact with our devices will fundamentally change, as businesses leverage Artificial Intelligence. We already see this taking shape as businesses leverage AI for cost savings and customer responsiveness. This trend will continue, as AI is used for more sophistica...
The 22nd International Cloud Expo | 1st DXWorld Expo has announced that its Call for Papers is open. Cloud Expo | DXWorld Expo, to be held June 5-7, 2018, at the Javits Center in New York, NY, brings together Cloud Computing, Digital Transformation, Big Data, Internet of Things, DevOps, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and B...
The past few years have brought a sea change in the way applications are architected, developed, and consumed—increasing both the complexity of testing and the business impact of software failures. How can software testing professionals keep pace with modern application delivery, given the trends that impact both architectures (cloud, microservices, and APIs) and processes (DevOps, agile, and continuous delivery)? This is where continuous testing comes in. D
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
"WineSOFT is a software company making proxy server software, which is widely used in the telecommunication industry or the content delivery networks or e-commerce," explained Jonathan Ahn, COO of WineSOFT, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.