Hybrid Cloud Security Is Bastionless (or “Who Moved My Moat!”)

When we look at the Secure Hybrid Cloud, we notice a few things immediately, such as the need to look at how the data is moving, where the users are going, and the fact that they may never touch the data center component of the cloud at all. Our worldview has to change to be more user-, app-, and data-centric. Hybrid cloud security fails if we continue to consider our data center protections enough, as the bastions have moved and we may not know how that happened.

When we look at the hybrid cloud, we may not see all of it immediately. Actually, most security professionals look at this diagram (below) and proclaim that we are protected. They believe this because they think they can control all cloud interactions by forcing all traffic through their HW Edge firewall (Figure 1), when in reality the user may never touch the datacenter HW Edge firewall. For example, the user may access their SaaS Cloud via a smartphone and end up directly within Salesforce or somewhere else such as Dropbox.

Figure 1: Secure Hybrid Cloud

There are three parts to our secure hybrid cloud that are of interest:

However, that is not my use of the HW Edge. In some hybrid clouds, the HW Edge is nothing more than a gateway into the cloud from some physical end user computing devices, such as desktop computers, but the HW Edge may not be used for anything related to mobile devices. This implies that the vast majority of user interaction may never go through our HW Edge device.

Hybrid Cloud Transition: The Wild West

The hybrid cloud transition, as we discussed previously, is the critical component of any secure hybrid cloud, as it is the area of the design that tracks user interaction, data motion, identity, etc. However, we can never forget the data center, either, regardless of how it is used. It could be a full-blown data center with thousands of systems, or it could be nothing more than a short stack of switches and a gateway for an office that uses only wireless devices. If it helps, consider remote office back-office (ROBO) deployments as the data center of the future: very little data remains on-site, and all of it talks back to—yes, you got it—a cloud service rather than a data center under your control.

So, the question arises: how do you apply controls within this new model? One method is to control how administrators access the cloud services; once you control your administrator access, the Wild West looks less wild. We all say to access our bank accounts only from well-known locations; accessing the security controls of a cloud is just the same. Perhaps all we have done is stand up a virtual desktop into which we have installed the necessary security management and automation software. From there, the software acts like a spider: it automates the controls surrounding all aspects of the cloud, and in addition you gain some level of auditable control over what administrators are actually doing within your secure hybrid cloud.
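The administrative choke point described above only helps if you can tell when it is bypassed. The following is an added example, not code from the original post, that checks constructed cloud audit events and flags admin-role actions whose source address is not the management virtual desktop; the event fields, the role names and the VDI egress range are all assumptions.

```python
"""Flag cloud-admin actions that did not come from the controlled admin VDI.

Assumptions (not from the post): audit events are one JSON object per line
with the fields used below, and the admin VDI egresses from one known range.
"""
import ipaddress
import json

# Assumed egress range of the administrative virtual desktop (TEST-NET-3, constructed).
ADMIN_VDI_NETWORKS = [ipaddress.ip_network("203.0.113.0/29")]
# Assumed role names that count as administrative in the cloud service.
ADMIN_ROLES = {"owner", "admin", "security_admin"}

# Constructed sample audit events (not real data).
SAMPLE_EVENTS = "\n".join([
    '{"ts":"2024-05-01T10:02:11Z","user":"alice","role":"admin","src_ip":"203.0.113.4","action":"iam.policy.update","service":"saas-crm"}',
    '{"ts":"2024-05-01T10:05:40Z","user":"bob","role":"admin","src_ip":"198.51.100.23","action":"storage.share.create","service":"file-sync"}',
    '{"ts":"2024-05-01T10:07:02Z","user":"carol","role":"user","src_ip":"198.51.100.77","action":"file.download","service":"file-sync"}',
    '{"ts":"2024-05-01T10:09:15Z","user":"dave","role":"owner","src_ip":"203.0.113.5","action":"mfa.policy.disable","service":"saas-crm"}',
])


def from_admin_vdi(src_ip: str) -> bool:
    """True if the source address belongs to the admin VDI egress range."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable address is never treated as trusted
    return any(ip in net for net in ADMIN_VDI_NETWORKS)


def flag_bypassed_admin_access(raw_events: str) -> list:
    """Return admin-role events whose source is not the controlled VDI.

    Ordinary user activity is left alone; the post handles it with
    monitoring and analytics rather than a single administrative choke point.
    """
    flagged = []
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("role") in ADMIN_ROLES and not from_admin_vdi(ev.get("src_ip", "")):
            flagged.append({"user": ev["user"], "src_ip": ev["src_ip"],
                            "action": ev["action"], "service": ev["service"]})
    return flagged


if __name__ == "__main__":
    for hit in flag_bypassed_admin_access(SAMPLE_EVENTS):
        print(f"admin action outside the VDI: {hit}")
```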

Control over users is a bit different and is where continuous monitoring, analytics, and good choices for cloud services come into play.

To gain control of at least your administrators, you must first understand how the cloud is being used, as well as which services are in use. Once you know this, you can properly choose the controls for the environment or at the very least monitor what is happening within the environment.

Closing Thoughts

You can gain back control of your secure hybrid cloud, but it will take quite a bit of work. You will want to understand what is currently in use, perhaps using tools from Skyhigh Networks. You then need to understand what data has proliferated across your hybrid cloud, perhaps by interacting with users and determining how they use cloud services. But the very first step is to perform some form of data classification, as you do not want to waste your time securing something that is unclassified and unimportant. With proper data classification in place, you can then determine the next steps.

Use the hardware edge firewall and security devices properly; do not assume all data moves through this device. Instead, assume that the only data moving through this device is the data that is already on-site and is perhaps migrating out to the cloud. Part of this understanding will start with data classification and end with an understanding of user-, app-, and data-centric security, which moves the moats much closer to the data.

Have you classified your data? Do you understand how your data moves in and out, as well as around the clouds your organization uses?