SDN Journal Authors: Pat Romanski, Elizabeth White, Yeshim Deniz, Destiny Bertucci, Liz McMillan

Related Topics: @CloudExpo, Microservices Expo, Agile Computing, Cloud Security, @DXWorldExpo, SDN Journal

@CloudExpo: Article

Migrating On-Premise Controls to the Cloud

In the hybrid cloud, it's all about speed and flexibility

The scale and automation of cloud computing deliver economies of scale - and price points - that can't be matched by traditional computing platforms. Managers can minimize capital expenses and align operational costs to business demands with scalable, flexible resource deployments. Those same factors enable innovation through rapid prototyping and testing of complex systems that aren't feasible - or affordable - with established approaches. It's little wonder the cloud has emerged as the first choice of infrastructure for many IT managers and practitioners.

Security and compliance play just as critical a role in the hybrid cloud as they do in more conventional environments. So it's unfortunate that as organizations move operations to the cloud they tend to mirror the protection efforts they employ with their physical, on-premise systems. It's a mistake because in many cases existing controls don't migrate well to the cloud. As a result, they fail to provide the requisite protection and diminish - or even eliminate - anticipated cost and operational benefits of cloud computing.

The speed and flexibility afforded by cloud computing impact all aspects of IT. And, as with other disciplines, the very attributes responsible for the attractiveness of the cloud lead directly to the potential for failure. From a security and compliance perspective, trying to migrate existing on-premise controls and technologies directly to the cloud presents two distinct risks.

We'll look at specific examples, but a general concern with existing security controls is their inability to keep pace - and maintain protections - in the face of rapidly changing cloud-based environments. That limitation leads directly to unprotected systems, presenting unacceptable risks of loss, compromise, and compliance/audit failures. The alternative to this is to slow deployments in an effort to enable existing security controls to stay ahead of the environment. Since this additional operational friction risks eliminating most or all of the benefits of the cloud, it's equally unacceptable.

Let's look at some specific examples to see how the effort to move existing controls to the cloud can adversely impact security, and how those controls might change to ensure comprehensive, effective protection in the cloud.

Encryption of data, at rest or in transit, is a recognized best practice for ensuring confidentially and integrity of systems, and is mandated by a mix of contractual, audit, and regulatory compliance requirements. Most organizations rely on specialized hardware security modules, or HSMs, to perform these computationally intensive cryptographic functions and to protect the cryptographic keys used in the process. HSMs are appliances providing the specialized processors and algorithms needed to accelerate cryptographic functions like generating keys, encrypting data, and creating message authentication codes.

Identical requirements exist within the cloud - and HSMs remain the optimal solution to get the job done. The sticking point here is the migration of workloads to the cloud introduces unacceptable delays in interactions between processing systems and the HSM. Since HSMs are typically installed in a data center, requests from cloud-based applications must traverse the network, adding friction and delay.

Since the delay in interactions is the primary sticking point, this scenario is one where simply migrating the control to the cloud solves the problem. That's precisely what Amazon Web Services has done with their recently announced AWS CloudHSM offering. Powered by high-performance SafeNet HSM technology, the ready availability of an HSM within the cloud enables security teams to manage cryptographic functions with the required level of performance, and the additional assurance needed for the most sensitive data.

Endpoint Protection
Attempts to migrate traditional, agent-based approaches to endpoint protection haven't generally translated well, as a consequence of the dynamic nature of the cloud. Conventional endpoint protection technologies rely heavily on robust threat signature databases and policy definitions. These - particularly threat signatures - change rapidly, many times a day. Following an initial install and configuration, conventional systems simply maintain the currency of the database with frequent downloads and updates.

But that doesn't work with virtual and cloud-based systems, where standardized system images are spun up as needed. At the time they're started, a given system image may be days or weeks old. Whatever signatures definitions are already installed are out of date, leaving ever-expanding gaps in protection, with systems open to attack and exploit.

Ensuring protections are up-to-date as soon as a system is started has required re-architecting endpoint controls. The new approach keeps a locally installed agent on individual systems for scanning and evaluation purposes, but moves the task of maintaining signatures and policies to a centralized cloud-based server. That server performs the ‘heavy lifting' of keeping threat signatures up-to-date. As systems are instantiated in the cloud, the agent can begin evaluating suspect items with transactional queries to the centralized server. Protections are provided without sacrificing the cloud's speed and flexibility advantages.

Privileged Identity Management
Privileged users - trusted individuals such as administrators, consultants, and third parties with a need to access and maintain IT infrastructure - are responsible for a substantial number of system breaches. Those attacks can occur directly both as a consequence of a rogue user, or more often by an external attacker who's managed to compromise sensitive administrative credentials.

In our experience with organizations seeking to get control over privileged users, existing controls arguably don't work that well in existing datacenters. Too often, organizations rely on inherently insecure techniques like storing sensitive credentials in easily accessible spreadsheets, duplicating credentials across myriad devices and systems, and relying on shared administrative accounts, like root, that make it impossible to track individual user activity.

Moving those controls to the cloud simply expands the scope and scale of an already bad situation by orders of magnitude.

But even establishing a baseline set of privileged identity management controls won't completely address the requirements of cloud computing security mandates. Once again, the principal issue is speed. Traditional privileged identity management tools rely on static definitions of resources to be protected, along with associated user identifications and policy prescriptions. Those approaches can't keep pace when new systems are being spun up by the hundreds.

The solution here is automation - by integrating tightly with underlying hypervisor and cloud technologies, the PIM solution can automatically identify new resources as they are created. Once identified, controls can be established - passwords captured and placed under management, access controls established and enforced, monitoring implemented - all at cloud speeds and scale.

Broader Cloud Control Concerns
Migration to the cloud introduces a number of security concerns that apply regardless of the specific security discipline being implemented.

One area many groups overlook is the fact that in the cloud s particularly with metered services like Amazon Web Services - management consoles become de facto procurement systems. Spinning up systems and resources brings a cost, and while the individual expense might be small, uncontrolled spending adds up. Particularly in organizations where expenditures are tightly controlled as a matter of policy (or, in the case of governmental entities, law) this is an area requiring policies and controls.

Similarly, although more apparent, are the risks posed by new cloud technologies themselves. Existing controls don't factor into account the existence of resources like hypervisors and management consoles. These are completely new risks existing controls don't address, which must be addressed from scratch.

Many organizations also find that establishing centralized security controls brings benefits. We've focused primarily on speed and performance, but flexibility is another attractive attribute of the hybrid cloud. IT managers are able to evaluate multiple different platforms as part of their hybrid cloud portfolio, selecting the optimal environment for a system based on cost, scalability, privacy, and other factors. In some circumstances, workloads may even move from one platform to another. Providing consistent security management and controls regardless of the underlying technology, delivers benefits in terms of reduced administrative overhead and less risk of inadvertent gaps in protection.

Bottom Line
The hybrid cloud is an enduring architectural approach to enterprise computing, and with various shared security models and compliance mandates, it's clear IT and security executives will maintain a significant level of responsibility for the integrity of these environments. As we've seen, simply moving existing controls en masse to the cloud will frequently result in inadequate protection from attacks and compromises. It's essential security teams leverage next-generation security and compliance tools to ensure their controls are able to keep pace with the speed and flexibility inherent in the hybrid cloud.

More Stories By Dale R. Gardner

Dale R. Gardner is Director of Product Marketing at Xceedium. He's developed and launched multiple network, systems, and security management products for the enterprise market. A former META Group analyst, he started his career as a programmer and networking specialist.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@CloudExpo Stories
@DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises - and delivering real results.
DXWorldEXPO LLC announced today that Dez Blanchfield joined the faculty of CloudEXPO's "10-Year Anniversary Event" which will take place on November 11-13, 2018 in New York City. Dez is a strategic leader in business and digital transformation with 25 years of experience in the IT and telecommunications industries developing strategies and implementing business initiatives. He has a breadth of expertise spanning technologies such as cloud computing, big data and analytics, cognitive computing, m...
DXWorldEXPO LLC announced today that Kevin Jackson joined the faculty of CloudEXPO's "10-Year Anniversary Event" which will take place on November 11-13, 2018 in New York City. Kevin L. Jackson is a globally recognized cloud computing expert and Founder/Author of the award winning "Cloud Musings" blog. Mr. Jackson has also been recognized as a "Top 100 Cybersecurity Influencer and Brand" by Onalytica (2015), a Huffington Post "Top 100 Cloud Computing Experts on Twitter" (2013) and a "Top 50 C...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Daniel Jones is CTO of EngineerBetter, helping enterprises deliver value faster. Previously he was an IT consultant, indie video games developer, head of web development in the finance sector, and an award-winning martial artist. Continuous Delivery makes it possible to exploit findings of cognitive psychology and neuroscience to increase the productivity and happiness of our teams.
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Evan Kirstel is an internationally recognized thought leader and social media influencer in IoT (#1 in 2017), Cloud, Data Security (2016), Health Tech (#9 in 2017), Digital Health (#6 in 2016), B2B Marketing (#5 in 2015), AI, Smart Home, Digital (2017), IIoT (#1 in 2017) and Telecom/Wireless/5G. His connections are a "Who's Who" in these technologies, He is in the top 10 most mentioned/re-tweeted by CMOs and CIOs (2016) and have been recently named 5th most influential B2B marketeer in the US. H...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
The dynamic nature of the cloud means that change is a constant when it comes to modern cloud-based infrastructure. Delivering modern applications to end users, therefore, is a constantly shifting challenge. Delivery automation helps IT Ops teams ensure that apps are providing an optimal end user experience over hybrid-cloud and multi-cloud environments, no matter what the current state of the infrastructure is. To employ a delivery automation strategy that reflects your business rules, making r...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Digital transformation is about embracing digital technologies into a company's culture to better connect with its customers, automate processes, create better tools, enter new markets, etc. Such a transformation requires continuous orchestration across teams and an environment based on open collaboration and daily experiments. In his session at 21st Cloud Expo, Alex Casalboni, Technical (Cloud) Evangelist at Cloud Academy, explored and discussed the most urgent unsolved challenges to achieve fu...