Server provisioning has historically played a key role in IT’s control over enterprise systems: IT approved and provisioned developers’ requests for compute resources, enforcing security controls and policies along the way.

Cloud technologies are being adopted widely, creating hybrid environments. Cloud undermines the traditional provisioning model; developers can now allocate resources themselves with the swipe of a credit card. The cloud’s hyper-scale and automation provide flexibility and virtually infinite scale, which enterprise IT must harness while protecting corporate IP and data.

Forward-thinking IT organizations from the world’s biggest banks, media, and retail companies are moving quickly to seek the cloud’s advantages while maintaining control over enterprise assets. This article explores the challenges enterprises face in the hybrid world, as well as the approaches emerging to solve them.  

The hybrid cloud is complex
The diverse environments of hybrid cloud create massive complexity. Agents and virtual appliances are unwieldy and difficult to manage. Perimeter defenses like firewalls are no longer sufficient and networks need to be protected internally, but segmentation can create traffic jams or go the other way, allowing too many actors in. Data and workload portability compound these risks. Meanwhile, separation of duties vanishes as developers deploy resources in multiple environments without IT’s knowledge.

IT needs to replace traditional enforcement methods so that cloud resources are properly accessed, provisioned, secured, operated, and monitored.

Existing solutions are inadequate 
The cloud’s complex, varied parameters render conventional security enforcement mechanisms inadequate. The three methods by which security controls and policies are enforced on hybrid clouds come with issues:

Provider-based security
Enterprise IT sometimes employs a cloud provider’s security controls while maintaining their existing set-up on private clouds. For small companies that use a single public cloud with few regulatory restraints, this can be a viable option.

However, adding environments increases complexity, as IT must manage various security postures. Further, for firms subject to regulatory security concerns (e.g. HIPAA), provider-offered encryption often raises objections. Finally, for provider-based security to work, developers shoulder some of the burden of implementation.

Agents
Agent-based solutions present another option. Unfortunately, IT runs on a simple truth: “If it’s slow, they’ll turn it off.” If agents incur a significant performance or operational penalty—remember encrypted email?—users will likely deactivate them or find workarounds.

Additionally, though agents can provide insight into activity on workloads compromised during an attack, malware can disable them upon installation, undermining that advantage.

Virtual appliances
This third set of solutions enforces security using virtual appliances, which are unsuited to the highly virtual hybrid cloud. They are unscalable, as a virtual appliance must be placed every few instances. Additionally, virtual appliances degrade performance by creating chokepoints mitigated only with control over hardware appliances.

Workload protection provides the solution
Due to these challenges, hybrid cloud environments must be secured differently than independent public or private clouds.

“Workload protection platform” is a catchall term for hybrid cloud security architectures that’s gaining momentum in the industry. Enforcing policies using workload protection can enable a single policy framework across environments, but it must meet four core requirements:

1. Remains consistent across hybrid clouds

Consistency is the defining design principle behind hybrid cloud security solutions. In on-premises environments, no one would use Cisco and Juniper in one data center, and another set of providers elsewhere. Yet firms manage multiple sets of controls in their hybrid environments.

Security policies must be enforced consistently everywhere developers work, minimizing IT’s operational overhead.

2. Enables separation of duties

Separation of duties is critical to the cloud, yet under-discussed. IT needs the ability to enforce security controls and policies without disrupting the end user experience that cloud offers developers.

Ensuring separation of duties requires that IT security enforcement be transparent; like SSL in browsers, developers shouldn’t notice it’s there. Using virtualization to deliver security offers this benefit. When inserted above a cloud provider’s hypervisor, a virtualization layer provides an IT enforcement point with all the benefits of cloud provider-based security, but without the compromises of multi-tenancy and single platform limitations. Solution providers should insist that this virtualization layer be lightweight—for example, nested virtualization is a virtualization-based approach but incurs significant performance penalties.

3. Provides operational simplicity

Three constructs deliver operationally simple workload protection:

First, policy deployment must operate in concert with existing cloud workflows. Deploying tags on resources, and writing policies on those tags, is one way to achieve this. Already common to the developer workflow, tags define deployments on AWS, GCP, and others. These tags remain with assets if they are copied or moved. An example of policy written on tags is, “environments tagged ‘dev’ can only communicate with other environments tagged ‘dev’.” Written like this, policies can be general like the above, or extremely granular, written to control specific ports, databases, or volumes.

Second, policy enforcement should be decoupled from network constructs. Implementations like VLANs and subnets become incredibly complex to manage when spread across heterogeneous environments. Tagging allows policies to be written on workloads, applications, and data instead of conventional constructs like IP addresses.

Third, policies should be cryptographically enforced. In any environment, but particularly across hybrid cloud, IT must deal with the risks of malware, malicious insiders, and mistakes. Encryption of data at rest and/or in motion protects enterprises from these threats, satisfying regulatory requirements for financial services, healthcare, and other large enterprises. Tags allow policies to be enforced cryptographically, with the solution checking decryption requests against policies in a centralized control plane before actually decrypting any resource. This yields automated, error-free policy enforcement, with the added benefit of always-on encryption that doesn’t impede developers or alter their workflow.
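The three constructs above, modelled as a small tag-based policy engine. This is an added example, not code from the article or from any vendor's product; the `Resource`, `Rule` and `ControlPlane` names, the tag keys (`env`, `role`, `kind`) and the sample policy are constructed for illustration. Rules are written on tags rather than IP addresses, tags travel with a copied resource, and one central default-deny check gates both network flows and the release of a volume's data key.

```python
# Added example (not the article's or any vendor's code): tag-based policy
# engine; one central check gates both network flows and data-key release.
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    tags: dict  # constructed AWS/GCP-style tags, e.g. {"env": "dev"}

@dataclass(frozen=True)
class Rule:
    src: dict  # tag selector the requesting resource must match
    dst: dict  # tag selector the target resource must match
    ports: frozenset = frozenset()  # empty: any port / non-network access

def _matches(tags: dict, selector: dict) -> bool:
    """Every key/value the selector names must be present on the resource."""
    return all(tags.get(k) == v for k, v in selector.items())

def is_allowed(rules, src: Resource, dst: Resource, port=None) -> bool:
    """Default deny: allowed only if some rule matches both ends and the port."""
    return any(_matches(src.tags, r.src) and _matches(dst.tags, r.dst)
               and (not r.ports or port in r.ports) for r in rules)

class ControlPlane:
    """Central policy store; a data key is released only after a policy check."""
    def __init__(self, rules, keys):
        self.rules, self.keys, self.audit = list(rules), dict(keys), []

    def release_key(self, requester: Resource, volume: Resource):
        ok = is_allowed(self.rules, requester, volume)
        self.audit.append((requester.name, volume.name, "allow" if ok else "deny"))
        return self.keys.get(volume.name) if ok else None  # denied: stays encrypted

# Constructed policy: dev talks only to dev (the article's example); the prod
# web tier reaches the prod database on 5432 only; only the prod database may
# decrypt its own volume. Anything not matched by a rule is denied.
RULES = [
    Rule({"env": "dev"}, {"env": "dev"}),
    Rule({"env": "prod", "role": "web"}, {"env": "prod", "role": "db"}, frozenset({5432})),
    Rule({"env": "prod", "role": "db"}, {"env": "prod", "kind": "volume"}),
]
DEV_APP = Resource("dev-app-1", {"env": "dev", "role": "web"})
PROD_WEB = Resource("prod-web-1", {"env": "prod", "role": "web"})
PROD_DB = Resource("prod-db-1", {"env": "prod", "role": "db"})
PROD_VOL = Resource("prod-db-vol", {"env": "prod", "kind": "volume"})
CONTROL_PLANE = ControlPlane(RULES, {"prod-db-vol": b"constructed-data-key"})
```

The audit list is what a monitoring pipeline would consume: every deny records which tagged requester asked for which tagged resource, without any IP or subnet bookkeeping.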

4. Protects the full workload

Finally, a weakness shared by existing third-party enforcement mechanisms is that they deal primarily in network constructs—through IP tables, VLANs, and others. While this is an effective method of protecting the perimeter and creating segmentation, it fails to ensure storage or compute security. Even with network-based protections, data can be moved or copied, and instances can be booted. Without protecting the full workload—network, storage, and compute—existing solutions cannot fully meet the unique security needs introduced by hybrid cloud.

Tagging resources, be it data, network links, or instances, and then crypto-enforcing policies on them allows security platforms to both simplify cloud operations and provide a measure of IT control over the full workload.

Conclusion
The operational complexity and risk introduced by hybrid environments is significant, but given the advantages of the hybrid cloud, adoption will continue to increase. Enterprises require a single policy framework across environments—and soon. Solution providers must make consistency, separation of duties, operational simplicity, and full workload protection the core of security solutions in the cloud. When enterprises demand it, workload protection platforms will offer the scalability of cloud-based solutions, the host-based context of agent-based solutions, and the flat network appeal of virtual appliances—all in one solution. This powerful architecture allows enterprises to leverage the hybrid cloud with IT control over security, without disrupting developer workflows.

About Vinay Wagh

Vinay Wagh is senior product manager at Bracket Computing. A veteran manager and engineer from Cisco and NetApp, he has extensive experience in virtualization, networking and storage technologies as part of development teams for industry-leading products including NetApp Data OnTap and Cisco's IOS-XR.