The movement of data and workloads to the cloud has been more like a headlong rush. In the quest for a competitive edge, businesses are clearly eager to take advantage of the agility and elasticity the cloud affords them – so much so that security is often an afterthought. But hey, isn’t the cloud provider taking care of that?
Some companies are surprised to hear the answer is no, at least not entirely.
Cloud and Infrastructure as a Service (IaaS) providers operate on a shared security model. As we talk with customers and prospects, we are stunned at just how many companies, even large and sophisticated ones, have trouble wrapping their minds around this concept. Security is a shared responsibility between the provider and the user, and the responsibilities are fairly well delineated in most cases.
Public cloud providers, for example, make a distinction between security “of” the cloud (the provider’s responsibility) and security “in” the cloud (the customer’s). In general, the provider is responsible for securing the cloud infrastructure – hardware, software, networking and physical facilities. Users are responsible for securing their own operating systems, applications and data.
Here is where things get a little murky: Cloud providers may offer tools for securing your own assets, but if you choose to use those tools, you are responsible for configuring and managing them – not the provider. Bottom line, cloud customers need to be proactive and scrupulous in understanding the full extent of the provider’s security capabilities, then figuring out what they need to do in order to hold up their end of the shared security bargain.
The Challenge of Micro-Segmentation
Increasingly, the modern data center is a hybrid of on-premise, private cloud and public cloud environments that house an array of physical servers, virtual machines and containers. This poses a complex challenge for security teams: how to protect applications and workloads as they move among multiple environments and providers with widely varying security standards and capabilities.
The chief driver of cloud security these days is compliance. At the urging of auditors, security teams are actively exploring micro-segmentation as a best practice for meeting compliance requirements. But many organizations find it a challenge to implement. The main impediment is a lack of visibility into data center assets, workflows and processes, even within a single cloud environment. Without visibility, it is difficult if not impossible to establish security policies at a granular, micro level. The problem is compounded by the fact that most companies we speak with are hybrid-cloud based, with workloads migrating among multiple, heterogeneous on-premise and cloud environments.
Where Native Cloud Controls Fall Short
Cloud and IaaS providers frequently offer tools, specific to their own environments, for setting security policies around security groups. However, these tools are not adequate for implementing micro-segmentation at scale in today’s dynamic data centers. They don’t solve the visibility problem, leaving it to users to try to identify their assets for grouping purposes. They tend to focus on Layer 4, the transport layer in the OSI model, while the applications that intruders are really after reside in Layer 7, the application layer. Native cloud security controls also lack dynamic policy setting or labeling capabilities, meaning the ability to update or modify security policies as workloads auto-scale upward or downward – one of the key reasons for moving workloads to the cloud.
In a multi-cloud data center, each provider is typically focused on solving problems within its own environment. Policies created using one provider’s tools will not be able to follow workloads as they migrate to different environments, putting the onus on the user to manage multiple policy solutions. Cloud provider tools also lack the flexibility to set policies to meet specific compliance requirements.
Precisely crafted micro-segmentation policies guard applications against unauthorized communication and, in doing so, alert operators to the presence of a potential threat. Most tools offered by cloud providers lack this threat detection aspect.
Because cloud customers are responsible for securing their own assets and for managing the tools used to secure them, they must look beyond the tools offered by cloud providers and take matters into their own hands.
What’s Needed to Do it Right
Enterprise users must clearly understand how far the cloud provider’s security measures go and determine what they need to overlay. This requires visibility into the provider’s security controls and ongoing monitoring of the environment to ensure that the provider is keeping up its end of the bargain.
To implement micro-segmentation effectively in a hybrid infrastructure, security teams need deep visibility into applications and processes, the relationships among them and their orchestration data. This visibility must extend to the Layer 7 process-to-process level in order to discover and identify applications for grouping into micro-segments.
To streamline implementation and ongoing management, security administrators need a single, platform-agnostic policy creation and control mechanism that works across multiple, converged cloud environments and follows workloads wherever they go. They also need a flexible policy engine that allows continuous updating and refinement of policies, and dynamic labeling as workloads scale up and down automatically.
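One way to picture the label-based, process-level policy described above and in the earlier point about alerting on unauthorized communication (an added example, not from the original article or any vendor's product): rules name workload labels and processes instead of IP addresses, so they keep applying when an instance auto-scales into another environment, and any flow no rule covers becomes an alert. The `billing` application, its labels, IP addresses and process names are constructed for illustration.

```python
from dataclasses import dataclass

def labels(**kv):  # hashable label set, e.g. labels(app="billing", role="api")
    return frozenset(kv.items())

@dataclass(frozen=True)
class Rule:
    src: frozenset      # labels the source workload must carry
    src_proc: str       # process allowed to open the connection
    dst: frozenset      # labels the destination workload must carry
    dst_proc: str       # process allowed to receive it
    port: int

# Constructed policy for a hypothetical "billing" application.
POLICY = [
    Rule(labels(app="billing", role="web"), "nginx",
         labels(app="billing", role="api"), "gunicorn", 8443),
    Rule(labels(app="billing", role="api"), "gunicorn",
         labels(app="billing", role="db"), "postgres", 5432),
]

def evaluate(inventory, flow, policy=POLICY):
    """flow = (src_ip, src_proc, dst_ip, dst_proc, port) -> (verdict, reason)."""
    src_ip, src_proc, dst_ip, dst_proc, port = flow
    src, dst = inventory.get(src_ip), inventory.get(dst_ip)
    if src is None or dst is None:
        return "alert", "endpoint has no labels (unknown workload)"
    for rule in policy:
        if (rule.src <= src and rule.dst <= dst and rule.port == port
                and rule.src_proc == src_proc and rule.dst_proc == dst_proc):
            return "allow", "matched rule"
    return "alert", f"no rule allows {src_proc} -> {dst_proc}:{port}"

def demo():
    inv = {  # constructed inventory: IP -> labels, as an orchestrator reports them
        "10.0.1.5": labels(app="billing", role="web", site="on-prem"),
        "10.0.2.7": labels(app="billing", role="api", site="on-prem"),
        "10.0.3.9": labels(app="billing", role="db", site="on-prem"),
        # Auto-scaled API instance elsewhere: inventory changes, policy does not.
        "172.31.9.20": labels(app="billing", role="api", site="cloud-a"),
    }
    flows = [
        ("10.0.1.5", "nginx", "10.0.2.7", "gunicorn", 8443),
        ("10.0.1.5", "nginx", "172.31.9.20", "gunicorn", 8443),
        # Allowed hosts and port, unexpected process: an IP/port rule would pass it.
        ("172.31.9.20", "python3", "10.0.3.9", "postgres", 5432),
        ("192.0.2.44", "nginx", "10.0.2.7", "gunicorn", 8443),  # unlabeled source
    ]
    return [evaluate(inv, f)[0] for f in flows]
```

The third flow is the one a Layer 4 security group cannot distinguish from legitimate API-to-database traffic; here it surfaces as an alert because the source process is not the one the rule names.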
Users should have the flexibility to set policies correlated to highly specific compliance requirements. They should also have flexibility in deployment to take advantage of native cloud distribution methods. And finally, they should be able to detect threats lurking inside the data center.
The business benefits of the cloud are abundantly clear. But without adequate security, they evaporate. By acquiring the knowledge and the tools to implement micro-segmentation effectively across a hybrid infrastructure, IT security teams can be the heroes who enable businesses to leverage the cloud confidently to advance their strategies and achieve their goals.
Note: This article also appeared in Data Center Knowledge February 12, 2018.