At InfoSec World 2016 in Orlando, I will be speaking on a model for securely moving to or developing for the cloud. A good model tells you not only what to consider when developing for the cloud, but also what surrounds that application. Knowing what surrounds the application is often required when moving to the cloud. As such, we combine them into one model that covers the basics necessary for a secure cloud deployment of any application.
Any model needs to deal with both the security needed to migrate into the cloud and the day-two and day-three actions required to maintain not just the cloud but the security within any cloud. In essence, such a model helps you think outside the box by providing questions to ask of your cloud, your application, and your deployment where security is concerned.
And not just security, but also the ins and outs of various aspects of security, ranging from identity to the internal segmentation firewall. The model based on my existing secure hybrid cloud high-level architecture (and logical architecture) I have written and spoken about before. Now, we have a new way to use this architecture. Figure 1, below, shows the 30,000-foot view of the architecture.
There are some items in any secure hybrid cloud that live within a data center, others that live within the cloud, and still others that can live in either location depending on need. There are compliance issues to consider, as well as compensating controls. In order to move to the cloud securely, the first thing we need to do is understand the security and compliance requirements of existing applications and workloads.
This base understanding will be the ultimate guide and help fit things into the model that will be presented.
It is trivially easy these days to migrate to the cloud using technology from HotLink, Cloud Velox, Quantum, Zerto, Veeam, and others. A large number of possible solutions are available to aid in migrating to the cloud. However, not many aid in the day-to-day security controls required. These are almost never part of automated migration. Thus, we need to understand several things about the application and the target cloud:
- What are the application security controls required?
- What security controls does the cloud provide?
- What level of visibility does the cloud provide?
- What level of visibility is provided by the application?
In essence, we need information. With that information, we can look at the cloud, look at the application, and using our model, determine what should be added or changed to complete the picture. Take identity as an example:
In our data center, we may use Active Directory to manage identities. If we migrate to the cloud, will the cloud be able to use the identity management systems, or will it need a new set of tools that synchronize with the cloud-based services? What, ideally, is required to ensure that identity works as well as expected?
The goal with this model is to help answer some of those questions in order to ensure the proper controls are in place, to provide the proper starting point for your thoughts on cloud migration, to offer a tool to use to add even more security as necessary, and to facilitate an understanding of why parts are not necessary.
We need to consider thinking outside our boxes when migrating to the cloud or even developing for the cloud. For that, we need some assistance in knowing at least the minimum to consider.
Tell us how you migrate securely!