Can late-adopter enterprises still book safe passage to hybrid cloud?

All aboard! If you have any professional stake in the digital experience of your customers, partners or employees, you are already ticketed as a passenger on the journey to hybrid cloud environments, whether you planned it or not.


A few early adopters booked this trip way in advance, bravely traveling to uncharted territory for the adventure of finding new competitive advantage. The rest of the business class is aboard this journey to cloud despite the known and unknown risks.

One certainty drives everyone to go. Staying behind and failing to digitally transform and keep up with the competition guarantees hardship.

Arriving successfully therefore becomes a board-level issue. We want to make this journey to cloud as safe as it can be. But total assurance is in shorter supply than ever, because we’re not talking about one cloud vendor, or even one paradigm of cloud deployment anymore.

We’re talking about multiple clouds, and many more systems that are not cloud. Public and private clouds, on-premises systems, distributed storage, container deployments, hyperconverged infrastructure and remote SaaS applications, software-defined networks and edge computing, interacting with mobile and IoT devices.

Just a few scant years ago, it was hard to envision how this rapidly evolving hybrid cloud future would become a resilient and secure place to conduct business. Intrepid explorers have already arrived.

How can enterprises who haven’t left their largely monolithic environments still assure a safe passage to a hybrid cloud today?

Why do we need to go to hybrid cloud anyway?

The initial wave of cloud computing adoption was largely driven over the last decade by economics and agility. Cloud allowed businesses to scale applications on-demand, flexibly spin up server instances and consume compute and storage resources from a multi-tenant infrastructure on a pay-as-you-go basis, rather than investing in on-premises infrastructure.

New disruptive companies like Netflix, Uber and Airbnb were constantly held up as early cloud adoption success stories, for building high-growth app-based businesses specifically designed to scale and serve millions of customers through public cloud IaaS providers like AWS.

Early on, some experts rejected the whole concept of a private cloud as a half-measure. After all, if you make a CapEx investment to build a private cloud with as much capacity as you need, you are only building and managing another data center, right?

Not so for most larger enterprises with a desire for cloud transformation while respecting the need to securely conduct ongoing business.

Companies in highly regulated industries such as finance and healthcare couldn’t just push management of internal processes and private data out to a third party. Enterprises had difficulty squaring the governance and compliance needs of their core systems while ‘lifting and shifting’ them somewhere else. High-performance applications required regions in the closest possible proximity to users.

Private clouds began to rise in earnest, as leading infrastructure vendors and cloud service providers (CSPs) began to deliver more robust management platforms, with internally shared compute and storage, running VMs on lower-cost commodity infrastructure.

The movement to Kubernetes-based orchestration of containers and microservices only accelerated the ease of encapsulating application environments that can run anywhere, even on bare metal. If agility and cost efficiency are available by mixing multiple flavors of private or public cloud and bare metal, and K8s provides a reference architecture for any of these options, why choose just one?

Enterprises will seek to provision applications using on-premises environments and public cloud computing resources, as well as leveraging external SaaS and partner managed services, in a hybrid IT model, allowing them to run application workloads where they best fit the business need.

Risks on the Hybrid Cloud Journey

What are the primary pitfalls of securely moving your business, and the workloads it must support, to this hybrid cloud future state?

Cloud vendors selling a map for success: ‘It just works.’

There are many interpretations of what constitutes a hybrid cloud, but one thing is certain: almost every enterprise (about 82% or more already) claims to use hybrid IT resources for running some aspect of their business, and all enterprises are increasing cloud investments. With as much as 30-40% of global IT budget now being directed to cloud initiatives, expect vendor claims of rich ROI rewards to grow in an attempt to capture a share of the evolving cloud market.

In all fairness, we see amazing strides in the capability and speed of cloud migration and deployment solutions. Integration partners and CSPs can add expertise, selecting from the latest tools and platforms, including readily available commercial and open source components.

Some companies can stand up a new managed cloud infrastructure within a day from a virtual datacenter. Others use a multi-cluster container deployment that runs anywhere. Other partners are delivering cloud services at the edge, through software-defined network layers, which can blur the lines between different forms of deployments.

The seeming ease of cost-saving migration belies a lack of risk awareness. Excepting net-new apps without legacy integration, or rather simple VM clients running desktop software, no serious cloud environment is an island.

In enterprise-scale hybrid cloud, there will always be incompatible systems that refuse to be ported to certain cloud environments, external services connected via APIs, and specific workloads that for various compliance reasons must run on private infrastructure.

Here’s the rub. You can’t really buy a secure hybrid cloud platform from one vendor. The “hybrid” aspect means you run application workloads on whichever internal servers, private cloud, SaaS, PaaS or public cloud IaaS platform works best. So you may look at your itinerary to hybrid cloud, and soon find you have three clouds, or five clouds to manage.

Bandits and saboteurs: Threat defense is still the top priority

A recent survey of enterprise CIOs reveals that cybersecurity — not cost control, not agility — is the top priority as they consider hybrid IT approaches.

The dedicated datacenter had the strongest risk posture, with well-defined network security and physical separation. Later, with a single cloud provider, you could consider the risk of multi-tenancy or adjacent applications, but at the same time lean on the provider to hold its own against attacks with more vigor than most InfoSec teams could afford.

Hybrid cloud, with its self-scaling and serverless architectures, API calls and workloads that touch on- and off-premises systems, seems to open up an infinite number of attack vectors for increasingly sophisticated hacks. One recent ransomware attack at shipping giant Maersk cost more than $200M to repair, and another at the big pharma company Merck wiped out an estimated 14 thousand VMs in 90 seconds.

With new threats self-evolving at this rate, security teams don’t stand a chance of reacting in time if they wait for the next alert to arise on their monitoring dashboards.

Compliance authorities: Chasing a moving target

Following hot on the heels of cybersecurity threats comes an arresting need for compliance, with government regulation as backup.

Fail to comply, and you might face fines or sanctions. Or your journey might end right here.

Industry regulations such as HIPAA in healthcare, banking laws for securing PII, and corporate governance rules were not designed to cater to the difficulties of hybrid cloud. In some sense, compliance is partially responsible for hybrid cloud, as it mandates the need for control over where certain remote computing environments and data can run.

GDPR, the new EU privacy law now in effect, was basically a shot heard around the world. Governments will favor the rights of customers to delete their own data, rather than the company’s rights, and other global authorities are taking similar measures.

Compliance can extend beyond security and data management concerns, to include requirements for improved fault tolerance and backups for mission-critical systems that need to remain highly available and resilient.

Clueless fellow travelers: The human attack surface

As with any perilous journey, whether sailing across the ocean or climbing a mountain, unprepared traveling mates can ruin the best laid plans. Human negligence is in fact the leading cause of security and data breaches in business today, responsible for an estimated 40-50% of all reported issues.

Keeping employees in sync with secure practices is difficult in an age where workers might use public Wi-Fi for confidential work at a Starbucks and have their smartphone hijacked with the greatest of ease.

With workforces becoming more mobile and distributed every day, and an increased reliance on shared partner and customer access to cloud-based shared systems, what can businesses do to close this gap?

Safer Journeys with Policy-Based Risk Management

Since we are likely committed to this hybrid cloud journey despite the risks, what can we do to improve our risk posture as we move to such a heterogeneous world?

Seek automated visibility across the hybrid cloud threat surface

Many vendors make silver-bullet claims about how the ease of migration or integration to a given cloud platform automatically means security and risk becomes easier to manage over time.

Realize that in moving to an enterprise-grade hybrid cloud, you are not talking about securing two dimensions, i.e. public vs. private cloud, or on-prem vs. off-prem. You are actually looking at incorporating four different kinds of technology stacks, connected by a new, software-defined network edge that can blur the lines between them to create a very broad threat surface:

  • CSPs (Cloud Service Providers) who manage multi-tenant environments on the client’s behalf as a platform, provisioning workloads and storage from the major public cloud providers like AWS, Azure or Google Cloud as well as their own dedicated resources.
  • Enterprise DCs (datacenters), the majority of which contain large collections of VMware hypervisors, Hyper-V, and OpenStack/KVM images, each of which may have cross-compatibility and volume issues in moving to certain cloud and containerized environments.
  • Hyperscale cloud (or Hyperconverged Infrastructure/HCI) vendors that encompass on-premises and managed off-premises infrastructure for massively scaling storage and compute capacity, now with additional edge computing and connectivity options.
  • Private cloud, essentially a white-glove service for managed dedicated cloud resources for the enterprise. With major vendor offerings from VMware, Citrix and IBM and many other players, this is the highest growth category of the enterprise cloud market over the next 5 years.

There are still incompatibilities between these four hybrid cloud models, and between many of the vendors and technologies that support them. That is one of the primary drivers of widespread adoption of Kubernetes clusters and microservices architectures, which layer on their own unique sets of governance and security challenges.

When embarking on a risk management strategy, look for intelligence, automation, and ease of implementation as on-ramps to a hybrid environment.

Seek the ability of intelligent automation to conduct self-discovery and monitoring of all the networked assets to be included in your hybrid cloud. Integration of your applications is already hard enough without creating additional development, customization and manual detection/resolution work for security and compliance.

Travel beyond monitoring and alerts with proactive response policies

Visibility and threat detection alone can do little to ensure safe passage, as today’s attacks can evolve and spread across a networked multi-cloud environment of devices, applications and data centers faster than humans can possibly react.

You will still need the typical trappings of application, datacenter and network security: firewalls, load balancers, authentication, authorization, network monitoring — but these essential functions can’t accompany us all the way to safety on this journey.

True resiliency in hybrid cloud requires continuously running intelligent policies that can watch the dynamically changing hybrid cloud environment, learn to recognize any sign of irregular behavior, and seal off vulnerabilities, hopefully well in advance of an exploit.

And should an attack occur, proactive policies need to instantaneously detect it and step in, stopping or quarantining processes to reduce the blast radius, so investigation and remediation can happen before returning to normal operations.

As companies deploy workloads onto MPLS and WAN networks and extend the IP addressing space to encompass an extended hybrid cloud, these security, network and control policies need to move with and accompany the workloads in a cloud-native way, wherever they run.

Manage to a secure SLO for compliance

Investments in enterprise IT security are often driven by compliance and risk management concerns. So why not adopt a compliance posture that works to your advantage in justifying the investment of moving to hybrid cloud?

We’re all familiar with the service level agreements (SLAs) we negotiated with any individual service provider or vendor: “The system shall have five-nines uptime, fault tolerance, audited security, no data loss or theft, GDPR compliant, or the vendor shall pay a penalty of… etc.”

Now we’re operating on a much bigger scale, and SLAs only set the baseline requirements, rather than the risk mitigation level we really want.

Service Level Objectives (SLOs) set more proactive goals for our security and compliance against the entire global Hybrid IT environment, and all the hosting providers, applications and services it touches. Like SLAs, SLOs can be defined, managed and reported against as secure policies.

The collection of all of these policies together forms a secure risk posture, as well as a way the business can take control of compliance.
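The two sections above describe policies that run continuously across the whole hybrid estate, report attainment against an SLO, and step in when a workload fails a critical control. The following is an added example of what that looks like as policy-as-code; it is not Intellyx's code or any vendor's product. The platform labels, policy ids, EU region list, SLO targets and the five-workload inventory are all constructed for illustration, and the "quarantine" step only returns the names of workloads that a response automation would act on.

```python
"""Policy-as-code evaluation of a hybrid cloud inventory (added example).

Every workload, platform name, region and policy id below is constructed;
nothing here is taken from a real environment or vendor API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass(frozen=True)
class Workload:
    name: str
    platform: str          # constructed labels: "aws", "azure", "onprem-vmware", "k8s-private"
    region: str
    handles_pii: bool
    encrypted_at_rest: bool
    last_patched: date
    mfa_enforced: bool


@dataclass(frozen=True)
class Policy:
    policy_id: str
    description: str
    severity: str          # a failed "critical" policy marks the workload for quarantine
    slo_target: float      # fraction of in-scope workloads that must pass for the SLO to be met
    applies_to: Callable[[Workload], bool]   # scoping rule (e.g. only PII workloads)
    check: Callable[[Workload], bool]        # True means the workload is compliant


@dataclass(frozen=True)
class PolicyResult:
    policy_id: str
    passed: tuple
    failed: tuple
    attainment: float
    slo_met: bool


# Regions treated as inside the EU for the residency policy (constructed list).
EU_REGIONS = {"eu-west-1", "eu-central-1", "westeurope", "dc-frankfurt"}
TODAY = date(2021, 6, 1)   # fixed reference date so the example is deterministic


def patch_age_days(w: Workload, today: date = TODAY) -> int:
    """Days since the workload's host was last patched."""
    return (today - w.last_patched).days


# The policy set is the "secure risk posture" the text describes, expressed as code.
POLICIES = [
    Policy("ENC-001", "Data encrypted at rest on every platform", "critical", 1.0,
           lambda w: True, lambda w: w.encrypted_at_rest),
    Policy("RES-002", "Workloads handling PII run in EU regions (GDPR residency)", "critical", 1.0,
           lambda w: w.handles_pii, lambda w: w.region in EU_REGIONS),
    Policy("PATCH-003", "Host patched within the last 30 days", "high", 0.95,
           lambda w: True, lambda w: patch_age_days(w) <= 30),
    Policy("MFA-004", "MFA enforced for administrative access", "medium", 0.8,
           lambda w: True, lambda w: w.mfa_enforced),
]

# Constructed inventory spanning public cloud, on-prem VMware and a private k8s cluster.
INVENTORY = [
    Workload("billing-api", "aws", "eu-west-1", True, True, date(2021, 5, 20), True),
    Workload("hr-portal", "azure", "westeurope", True, False, date(2021, 5, 25), True),
    Workload("analytics", "aws", "us-east-1", True, True, date(2021, 4, 1), True),
    Workload("intranet-wiki", "onprem-vmware", "dc-frankfurt", False, True, date(2021, 5, 15), False),
    Workload("ci-runner", "k8s-private", "dc-frankfurt", False, True, date(2021, 5, 30), True),
]


def evaluate(workloads, policies):
    """Run every policy over its in-scope workloads and measure SLO attainment."""
    results = []
    for p in policies:
        in_scope = [w for w in workloads if p.applies_to(w)]
        passed = tuple(w.name for w in in_scope if p.check(w))
        failed = tuple(w.name for w in in_scope if not p.check(w))
        attainment = len(passed) / len(in_scope) if in_scope else 1.0
        results.append(PolicyResult(p.policy_id, passed, failed, attainment,
                                    attainment >= p.slo_target))
    return results


def quarantine_candidates(results, policies):
    """Workloads failing any critical policy: the input to an automated response step."""
    severity = {p.policy_id: p.severity for p in policies}
    return sorted({name for r in results
                   if severity[r.policy_id] == "critical" for name in r.failed})


def report(results):
    """One line per policy, suitable for a compliance dashboard or a ticket."""
    return [f"{r.policy_id}: {r.attainment:.0%} ({'MET' if r.slo_met else 'MISSED'}) "
            f"failing={list(r.failed)}" for r in results]


if __name__ == "__main__":
    res = evaluate(INVENTORY, POLICIES)
    print("\n".join(report(res)))
    print("quarantine candidates:", quarantine_candidates(res, POLICIES))
```

Two design points matter here. Each policy carries its own scoping rule, so a residency control measured only over PII workloads does not get diluted by workloads it never applied to; and SLO targets are per policy, so a critical control can demand 100% while a lower-severity one tolerates a small gap. In a real deployment the inventory would come from continuous discovery across each provider rather than a static list, and the quarantine candidates would feed a ticketing or network-isolation step instead of being printed.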

Acclimatize your team for readiness

None of the above measures can protect a team that isn’t properly prepared for the journey.

Even the smartest security and compliance measures can still lag behind emerging threats and errors, so reducing the ‘human attack surface’ of your extended organization is critical. Make it a priority to instill a shared awareness of risk management policies and secure best practices among all participants that touch your extended infrastructure, even if they aren’t managing security.

Training and mentorship on security and Hybrid IT architecture must go hand-in-hand with consistent reporting on compliance, and employee and partner incentives for achieving security and compliance goals.

The Intellyx Take

“When you come to a fork in the road, take it.” – Yogi Berra

We’ve left the harbor now and chosen our direction.

With the pressures of performance, proximity, price, and regulations converging to drive enterprises to adopt hybrid cloud environments, one thing is clear: there's no going back.

Businesses need a safe passage to hybrid cloud.

We'll never be able to survive the journey if we oversimplify the ease of integration to cloud, and overlook the requirements of managing risk, security and compliance in the new, hyper-scaling, ever-changing environment we are heading into.

Expect threats to continually emerge and evolve, at rates beyond human response time. Put secure response policies and SLOs front and center, with clear visibility, intelligence and automation to think ahead of any exposure.

And remember, risk management isn’t just about avoiding costly mistakes. There’s quantifiable value to measure by delivering trusted applications in hybrid IT environments at speed and scale.


©2021 Intellyx LLC. At the time of writing, none of the organizations mentioned in this article are Intellyx clients. Intellyx retains full editorial control over the content. Image credit: Juantiagues, Anciados, flickr CC 2.0 license.


Principal Analyst & CMO, Intellyx. Twitter: @bluefug