Securing the Hybrid Cloud

The secure hybrid cloud encompasses a complex environment with a complex set of security requirements spanning the data center (or data closet), end user computing devices, and various cloud services. The entry point to the entire hybrid cloud is some form of End User Computing device, whether that is a smart phone, tablet, laptop, or even a desktop computer. Once you enter the hybrid cloud, you may be taken to a cloud service or to your data center. The goal is to understand how data flows throughout this environment in order to properly secure it and therefore secure the hybrid cloud, but since it is a complex environment, we need a simpler way to view it.

To try and simplify the environment there are three basic goals:

  1. Show the types of places security can be placed
  2. Show the type of security that can be placed
  3. Show that there is more than one type of security required

In answer to these three goals we now have the following diagram. Figure 1 splits the hybrid cloud into three distinct components.

Figure 1: Secure Hybrid Cloud

Secure Hybrid Cloud – Transition

Since the main entry point to the hybrid cloud is the end user computing device, we enter into what I have called the transition part of the hybrid cloud. The transition component of the hybrid cloud holds all those elements that are in effect decision points on where to get or send our users and data. Let us look at each transition component:

End User Computing – The End User Computing device is any device the user is currently using to do their daily work for their organization, family, etc. Onto these devices we can generally place endpoint security in the form of mobile device management and other security-related agents. We may even place a mobile hypervisor that allows access to an encrypted virtual machine. In either case, the device can log data through an agent to some logging server for later analysis. (VMware, Citrix, Mobile Iron, RSA, Bromium, McAfee, Symantec, Trend Micro, BitDefender, and others play in the EUC space.)

Identity/Authentication and Authorization – Identity is a large part of securing access to the hybrid cloud. The identity store against which we perform authentication and possibly authorization can live within a cloud such as SalesForce (for McAfee Cloud Trust), within Active Directory or some other LDAP service within the data center, or even within another IaaS cloud. Companies like Trusteer use a storage cloud plus some agents to maintain a store of identity for the servers that users end up accessing. Identity does not always imply a person; it could be used by software, hardware, and users. Authentication and authorization decisions can combine username, password, device, and the location of the device. (Intel, RSA, IdentityLogix, Symantec, and others play within the Identity space.)

Gateways/APIs – Critical to any hybrid cloud are the APIs used to communicate between the components. APIs also need to be secured, as does the data moving between the clouds. One way to secure such data is to encrypt it using encrypting gateways. These gateways could be devices (such as CipherCloud) or they could be running within the end user computing device (such as from Vormetric), but each acts as a form of gateway through which data flows and has a security context wrapped around it. The APIs used to move the data may need to be secured using outside means or by limiting access to those APIs. (CipherCloud, Symantec, Vormetric, HighCloud Security, AFORE Security, and others play in the Gateway/API space.)

Data Protection – In the past, data protection and security seemed to be different things, usually run by different teams within an organization, but data protection is an integral part of a hybrid cloud. Data protection currently makes use of cloud services as a backup and replication target to provide a mechanism for disaster recovery and business continuity. Data Protection is therefore often about data availability, and as such is a part of hybrid cloud security, since our data is now proliferated outside our own bastions. (Zerto, Veeam, Symantec, PhD Virtual, Dell, Quantum, and others play in the Data Protection space.)

In all these transitional components of the secure hybrid cloud we would be lucky to log all actions and apply some form of endpoint security. In some cases security is limited by the tools we choose to use. We can only get the logging that is provided by the application, and if the transition component is a device, we may not be able to apply any form of additional security measures within the device.

Secure Hybrid Cloud – Clouds

When we look at the cloud components of our secure hybrid cloud we are severely hampered as to what security measures we can implement within those clouds. We often have to trust that the cloud is doing the proper things. That trust is built upon reports about compliance, policy adherence, and written and perceived work flows. There are generally four types of clouds.

Software as a Service – SaaS clouds have severe limitations on what you can do to secure the environment. Specifically, you can encrypt data as it enters the SaaS, using some form of format-preserving encryption, or use the SaaS API (if one exists) to retrieve log data to determine what has happened within the SaaS environment. You can also use a proxy service such as VMware Horizon to control identity while allowing access to the SaaS. You have to apply security outside of the SaaS, as you are limited by what the SaaS provider allows.

Platform as a Service – PaaS clouds also have limitations, slightly different from those of SaaS clouds. While you cannot normally add many security components, you are afforded the opportunity to add logging and endpoint security into your application. If you own the instance (such as with a private PaaS environment) you can also add much more within the platform. PaaS limits you to what the platform provides and allows.

Infrastructure as a Service – IaaS clouds allow you nearly the full spectrum of security functionality. You can add into IaaS anything that sits above the hardware and the hypervisor, which implies that any security tool that attempts to make use of hypervisor introspection, such as VMware vCloud Network and Security App, will not generally be allowed (unless the cloud in question is actually vCloud). IaaS can be looked at as providing you with access to an environment where you control the virtual machines but do not have much control over the network outside those virtual machines. However, it is possible to create networks and use routing rules to force your traffic through security appliances (much as you would with physical hardware). With IaaS, logging of events is up to the owner of the IaaS tenant.

Storage as a Service – Storage as a Service is fairly unique in that it is usually only a repository for data and as such does not allow much to be secured. The security of the data you add into Storage as a Service needs to be applied prior to addition, by looking at how your data is classified and encrypting as necessary. The owner of the data must control all encryption keys regardless of what the cloud provider does. Even so, you want your Storage as a Service provider to provide access logs of file or object accesses, changes, and removals by user and device.

Secure Hybrid Cloud – Data Center

The final part of any hybrid cloud is the data center itself (left side of Figure 1 above), and it is the one place where all your security controls for hardware as well as software can live. However, a data center that is part of a hybrid cloud is also a cloud of sorts, with multiple tenants which could be different organizations, trust zones, or even different businesses. It all depends on how a tenant is defined within your organization. If the organization is a service provider, then tenants are customers. If the organization is a government, then tenants would be different departments which may have different security classifications, and the cloud itself would fall under the highest classification of data available. This implies that classification, at least, is part of the tenant definition. In all cases, there is a need to provide security for some fairly specific components of a data center with respect to the hybrid cloud.

Management – The Management virtual data center/tenant/trust zone/workloads is the crucial part of any data center, as it generally contains the keys to the kingdom. Access to the management components implies access to all else. To secure management layers we employ logging and monitoring, endpoint security tools (Symantec, Trend Micro, BitDefender, etc.), management-specific proxies (HyTrust, Xceedium, etc.), automation tools to remove the human element from repeatable tasks, edge security services, and virtual network security services.

Tenant – The tenant contains workloads, the applications that run within the data center and are managed by the management component of the cloud. They are secured in much the same way as the Management workloads, with one difference: they do not own the keys to the kingdom, but they do generally own the keys to the data and as such need to employ security mechanisms to limit access to the data. However, the ways to implement the security are the same: logging (Splunk), endpoint security (Symantec, Trend Micro, BitDefender, etc.), proxies (application or access specific, such as Xceedium), automation tools (Puppet Labs, Chef, etc.), edge security tools (such as load balancers and firewalls from Catbird, VMware, etc.), and virtual network controls (such as from VMware, etc.).

Hardware Security – Hardware security still plays a role in a hybrid cloud, as the physical network fabric should still be protected, and there is a need to segregate management access from workload access and to control how storage is accessed, as well as the transitional parts of our secure hybrid cloud.

Multi-tenant Storage – All storage within our hybrid cloud needs to be multi-tenant, which implies that one tenant's data cannot be seen, manipulated, or removed by another tenant. Storage is generally a shared resource within a data center and is presented to various compute nodes within the data center. How that storage is presented, why it is presented, and what is presented to each tenant or transitional component needs to be investigated, understood, and controlled. Splitting storage by tenant is one way to achieve this level of control.

Multi-tenant Logging – All log data from all layers of a hybrid cloud (whether from the cloud or the transitional components) should end up within a centralized logging tool that knows how to split the logs by tenant, component, and location. This way log data can be shared with tenants so that the tenants can do further analysis as necessary. At the moment there is a serious deficiency in how log data is marked: it is not currently marked by tenant. Splunk, RSA, HP, and others play in this space.

Multi-tenant Analytics – Security analytics is a growing field, as there are terabytes if not petabytes of log and monitoring data available for analysis, and there is a need to analyze this data in real time for up-to-the-moment determination of security events for further research. Unfortunately, just like log data, analytics does not have a means to divide up the data by tenant, as it not only needs to look at the entire footprint of the hybrid cloud, but attacks often cross tenants, organizations, trust zones, etc. Splunk, RSA, HP, and others play in this growing space.
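As an added illustration (not part of the original post) of the multi-tenant logging and analytics points above: a small Python ingest that marks each record with location, component and tenant, quarantines lines the source failed to mark by tenant rather than sharing them, restricts each tenant's view to its own records, and runs one footprint-wide correlation that no single tenant view can show. The log format and sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines; assumed format "<location> <component> key=value ...".
SAMPLE_LOGS = [
    "dc1 euc-agent tenant=acme src=203.0.113.7 auth=fail user=alice",
    "saas identity tenant=acme src=203.0.113.7 auth=fail user=alice",
    "iaas identity tenant=globex src=203.0.113.7 auth=fail user=bob",
    "dc1 gateway tenant=globex src=198.51.100.9 auth=ok user=carol",
    "dc1 storage src=198.51.100.9 object=put",  # source did not mark the tenant
]

LINE_RE = re.compile(r"^(?P<location>\S+) (?P<component>\S+) (?P<rest>.*)$")
QUARANTINE = "_unmarked"  # bucket for records no tenant may see

def parse_line(line):
    """Parse one line into a dict; tenant is None when the source omitted it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"location": m.group("location"), "component": m.group("component")}
    for kv in m.group("rest").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    rec.setdefault("tenant", None)
    return rec

def split_by_tenant(lines):
    """Central store keyed by tenant; unmarked lines are quarantined, not shared."""
    store = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            store[rec["tenant"] or QUARANTINE].append(rec)
    return store

def tenant_view(store, tenant):
    """What one tenant may analyze: its own records only, never the quarantine."""
    return [] if tenant == QUARANTINE else list(store.get(tenant, []))

def cross_tenant_auth_failures(store, min_tenants=2):
    """Footprint-wide analytics: sources failing auth in more than one tenant."""
    tenants_by_src = defaultdict(set)
    for tenant, recs in store.items():
        for rec in recs:
            if tenant != QUARANTINE and rec.get("auth") == "fail":
                tenants_by_src[rec["src"]].add(tenant)
    return {src: sorted(t) for src, t in tenants_by_src.items() if len(t) >= min_tenants}
```

The quarantine bucket is the practical answer to the marking deficiency described above: a record that arrives without a tenant mark is retained for the operator but is never exposed through any tenant's view.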

Closing Thoughts

This is a guide to where you can place security within a hybrid cloud, as well as a way to look further at where your data is going. This guide is designed to show the types of places security can be placed, show the types of security that can be placed, show that there is more than one type of security required, and simplify a complex environment. The guide also points out that there are some deficiencies in current technology with respect to multi-tenancy. As we move to the cloud, our log, monitoring, and security event data must become multi-tenant so that data can be shared between the hybrid cloud and those that own the cloud.

There may even be a fifth transitional component that I would currently place under gateways and that is a way to share threat data between all components of the hybrid cloud as well as with other hybrid clouds.

Where do you put security within your hybrid cloud?