451 Advisors

Critical Security and Compliance Considerations for Hybrid Cloud Deployments

July 2016

A Report from Custom Research Commissioned by:

© 2016 451 Research, LLC | www.451research.com

ABOUT 451 RESEARCH

451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.

© 2016 451 Research, LLC and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication, in whole or in part, in any form without prior written permission is forbidden. The terms of use regarding distribution, both internally and externally, shall be governed by the terms laid out in your Service Agreement with 451 Research and/or its Affiliates. The information contained herein has been obtained from sources believed to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although 451 Research may discuss legal issues related to the information technology business, 451 Research does not provide legal advice or services and their research should not be construed or used as such. 451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.
OVERVIEW

The need for greater business agility and overall cost-containment pressures are the twin-turbo drivers behind the growing adoption of hybrid cloud. But standing in the way of this hybrid cloud migration are very real security and compliance challenges. Leveraging an extensive study by 451 Research, this report examines the current state of hybrid cloud security and compliance. It also recommends effective approaches to clearing a path for broader hybrid cloud deployments – and the business benefits of doing so.

EXECUTIVE SUMMARY

The evolution of cloud infrastructures toward hybrid cloud models is inexorable, driven both by the requirement of greater IT agility and financial pressures. But a major study by 451 Research reveals that organizations are struggling with the twin challenges of security and compliance in the hybrid cloud space. Organizations want to be able to replicate existing security, governance and compliance audit practices in hybrid cloud environments, where at least some of the cloud infrastructure belongs to third parties. Organizations are struggling with practical considerations in this regard, such as ensuring that workloads are moved securely from one environment to another, without having the data maliciously or inadvertently exposed. To date, these challenges and concerns are not necessarily deal breakers, as organizations continue to move, albeit cautiously, into hybrid cloud environments.
But clearly they are doing so with minimal (if any) exposure of truly mission-critical or enterprise data to the hybrid cloud. If the challenges are not addressed, this apprehension will mean that the most important and valuable benefits of hybrid cloud deployments may not be realized.

As it turns out, there are a number of steps that most organizations can take to set themselves squarely on a path to a secure and compliant hybrid cloud world. These include: a team approach to meeting security challenges; developing a strategy that takes into account the dynamic nature of security threats; and a recognition of the importance of logging to ensure compliance.

INTRODUCTION

Demand for the hybrid cloud model is unequivocal. As cloud computing has evolved in recent years, organizations have come to realize they need different types of clouds and cloud services to meet different needs. Hence the emergence of hybrid cloud – essentially an infrastructure with links between at least one private cloud and one public or third-party cloud. Ideally these links between clouds are ‘seamless,’ although that can be as much a goal as a reality today.

In a recent 451 Research survey of enterprise IT and information security vendors, close to three-quarters of the respondents have already embarked on a hybrid cloud journey – embracing a mix of private, public and managed clouds. While the reasons for this profound shift may vary across organizations, our survey indicates that improved IT operational agility for service delivery requirements and cost efficiencies relative to existing datacenter operations are far and away the most prevalent drivers. However, as organizations embrace hybrid cloud architectures, security and compliance loom large as critical functional requirements that are needed to fully realize the benefits of this IT infrastructure model for service delivery.
For those organizations that operate in highly regulated environments or that must contend with a shifting data privacy landscape, security controls for compliance and risk mitigation are primary hurdles to broader hybrid cloud deployments. These two challenges figure more prominently than organizational change and cross-functional expertise for effective hybrid implementation.

The point of departure for evaluating hybrid cloud security and compliance is this: Can organizations replicate existing controls (e.g., data security, firewalls and access controls), monitoring and compliance audit processes in a hybrid cloud architecture? If not, are there tools from service providers or other third parties or open-source tools that can compensate? For 47% of survey respondents, the answer here is yes. But the picture becomes more complicated after that. Far fewer respondents – just 9% – require certification from regulating authorities at one end of the spectrum. Others see the need for improved interoperability and specific tools designed for hybrid cloud environments, such as protection and monitoring of the underlying virtualization and containerization layers.

For those already in the process of moving to a multi-cloud model, porting of consistent controls, interoperability and visibility are the hurdles to broader adoption. For compliance purposes, logging and auditing are imperative. Increasingly, data security and access controls fall into focus as organizations assess how they will need to stay aligned with revised data residency requirements. This dynamic is reflected in what IT and information security professionals identify as their primary security challenges for hybrid cloud architectures.
They are:

• Maintaining consistent access security and authorization controls across execution environments through platform, service provider and existing datacenter tools.
• Securing movement of data and workloads across environments through transport security and network firewalls.
• Securing data residing and processed in third-party environments through encryption and tokenization.

It is critical to note that even as security controls and data protection are major concerns, only in some cases are those concerns viewed as an absolute roadblock to taking the initial steps toward hybrid cloud implementations. In many instances, security and compliance are the most visible hurdles to moving from the current state of adoption to the desired state that fully accommodates business needs. This report provides a definition of the ecosystem and approaches necessary in order to overcome security and compliance challenges in a hybrid cloud infrastructure.

TABLE OF CONTENTS

1. THE SHIFT TOWARD HYBRID COMPUTING – BUSINESS DRIVERS
   Figure 1: Business Drivers for Hybrid Cloud
   COMPLIANCE AND SECURITY: GATEWAYS TO HYBRID CLOUD MATURITY
   Figure 2: Top Security Challenges by Vertical Market
2. THE STATE OF HYBRID CLOUD SECURITY AND COMPLIANCE
   Figure 3: Current State of Hybrid Cloud Adoption
   COMPLIANCE – NECESSARY, BUT NOT NECESSARILY IMPERATIVE
   ADDRESSING SECURITY AND COMPLIANCE CONCERNS: PUTTING TOOLS TO WORK
3. CRITICAL ELEMENTS OF A COMPREHENSIVE HYBRID CLOUD COMPLIANCE AND SECURITY APPROACH
   CURRENT HYBRID CLOUD SECURITY TOOLS: ADEQUATE, BUT NOT GOOD ENOUGH (YET)
   Figure 4: Top Hybrid Cloud Security Requirements
   COMPREHENSIVE HYBRID CLOUD SECURITY: MORE OF THE SAME, BUT MORE COMPLEX
   EXTENDING SECURITY BEST PRACTICES TO HYBRID CLOUD ARCHITECTURES
   Figure 5: Hybrid Cloud Security Approaches
   Satisfying Compliance Requirements Through Centralized Management and Policy Automation
   Risk Mitigation Through Specific Hybrid Cloud Security Products
4. BALANCING COMPLIANCE REQUIREMENTS AND RISK MITIGATION WITH THE DEMANDS OF HYBRID CLOUD ADOPTION
   Figure 6: Migrating Workloads not Covered by Compliance Mandates or Regulatory Requirements
   INTEROPERABILITY KEY TO HYBRID CLOUD MATURITY
   Figure 7: Current Hybrid Cloud Adoption by Organizational Function
5. RECOMMENDATIONS
   HYBRID CLOUD SECURITY: IT TAKES A VILLAGE
   SECURITY IS MORE OF THE SAME, BUT RISKS ARE NEW
   THE ORGANIZATION THAT INTEGRATES TOGETHER, STAYS TOGETHER
   IF YOU CAN’T LOG IT, IT DOESN’T EXIST
   SHARED RESPONSIBILITY DOES NOT MEAN NO RESPONSIBILITY
6. APPENDIX
   RESEARCH METHODOLOGY

1. The Shift Toward Hybrid Computing – Business Drivers

The most prevalent and consistent driver for implementing hybrid cloud architectures identified by end users in our survey and in-depth interviews is ensuring operational agility, with cost reduction a close second (see Figure 1). Of specific note is that the percentage of respondents who pointed to agility as the primary business driver was even higher for some industry verticals such as healthcare (80%), telecommunications (72%) and insurance (83%). These industries are dealing with huge volumes of data spread across massive infrastructures, so leveraging a hybrid cloud strategy makes sense. And each of them is a highly regulated industry, with tough security and risk management mandates.

Figure 1: Business Drivers for Hybrid Cloud
Survey question: What are the 2 most significant business reasons for evaluating hybrid cloud architectures? Responses are shown by vertical market (Financial services; Communications, Media & Services; eCommerce; Education; Energy/Utilities; Government; Healthcare; Insurance; Manufacturing; Construction; Legal Services; Retail/Hospitality; Technology; Telecommunications; Transportation; Wholesale Trade) on a 0%–100% scale for the following drivers: Cost efficiencies relative to existing datacenter operations; Operational flexibility for scaling up/scaling down to address fluctuating compute and service delivery; Improved IT operational agility for service delivery requirements; Accelerate delivery of applications for the lines of business; Enable improvements in continuous integration and deployment processes and resource availability.

The common theme in this report is that hybrid cloud architectures can enable IT to better serve business needs through the use of third-party services in tandem with existing IT investments and environments.
Delivering infrastructure – whether it’s hardware, storage capacity, execution environments or applications – at lower cost without the need to manage, maintain and, to some extent, even secure the infrastructure remains a significant consideration, especially for noncompliant workloads. Nonetheless, the dimension where end users see the most value is in terms of accelerating time to delivery of new services and applications – in other words, greater IT agility.

With hybrid cloud architectures, time to delivery now is expressed in ways that speak directly to business needs – most notably, service delivery acceleration. In this sense, hybrid cloud architectures represent an evolution in the adoption of cloud computing, whether in the form of private clouds to modernize the datacenter or public clouds to leverage scale, flexibility and operational cost savings. In fact, related 451 Research surveys indicate that adoption of hybrid cloud computing is motivated specifically by the desire to make IT departments more responsive to the needs of the business.

COMPLIANCE AND SECURITY: GATEWAYS TO HYBRID CLOUD MATURITY

Another significant facet of IT operational agility is enabling the integration of business rules that determine which workloads can run in which environments, while centrally defining a set of policies for workload management. IT decision-makers see agility as having the necessary components to deliver a service or application with a far higher degree of automation and flexibility, with cost, compliance and security as the defining dimensions.
In addition, these components no longer need to be running in the same datacenter, or deployed via manual configuration. For example, users have identified the desired ability to easily respond to increased demand for customer-facing services while maintaining service levels at peak demand times through automated provisioning of virtual servers, preconfigured application servers, or even application containers in a dedicated public cloud instance or private cloud.

Figure 2: Top Security Challenges by Vertical Market
Percentages (0%–100%) by vertical market (Financial services; Communications, Media & Services; eCommerce; Education; Energy/Utilities; Government; Healthcare; Insurance; Manufacturing; Construction; Legal Services; Retail/Hospitality; Technology; Telecommunications; Transportation; Wholesale Trade) for the following challenges: Ensuring compliance with regulatory and policy requirements; Maintaining consistent network security policies for security domains; Maintaining consistent access security and authorization controls across environments; ...ers and application resources across execution environments; Central management of automation and controls for administrator access to management consoles and processes; Securing movement of data and workloads across environments; Securing data residing and processed in a third-party/hosted environment; Containing application instances and resources within a shared/hosted environment.

“We have some cloud services that we are running ourselves in one of our datacenters. We have some cloud services where we use external providers. And really, where they are hosted depends on the underlying application or service.” – CIO, Regional Hospital and Healthcare Network

Equally, the use of hybrid cloud means that organizations are not required to provision dedicated hardware for a given product or service. Instead, they can provision on an as-needed basis, and simply scale down when demand has tailed off or a service is phased out. However, to effectively implement a cloud architecture where resources, applications and services are distributed across a hybrid cloud environment, the ability to meet compliance requirements and mitigate risk through security controls will define the bounds of adoption.

An important consideration to bear in mind is that even as security and compliance were identified by IT professionals in a related 451 Research survey as the primary challenges for adoption of cloud-enabled technologies, those concerns are not an absolute inhibitor. Clearly, workloads defined as compliant must run in environments certified as meeting regulations – whether Payment Card Industry (PCI) or data privacy requirements. However, a handful of the organizations surveyed already have compliant workloads running in hybrid cloud architectures, and are interested in finding ways of reducing risk to expand hybrid cloud utilization for even more services and applications.

2. The State of Hybrid Cloud Security and Compliance

Our analysis shows three distinct end-user patterns emerging in terms of cloud security and compliance that can be understood as the cornerstone of a hybrid cloud adoption maturity model:

• The first set of end users is still evaluating hybrid cloud architectures because vendor and service provider certifications and controls do not yet satisfy compliance requirements, or because of perceived security risks to data in third-party environments.
• The second set of end users views vendor and service provider security, controls and logging as mostly adequate for their current cloud workloads. These users still require additional risk-mitigation measures and more comprehensive logging and auditing to expand deployment and move beyond tactical use cases (such as scaling for peak demand, noncompliant workloads or QA testing).
• The third set of end users is moving swiftly toward a hybrid cloud model to support speedier IT service delivery. In order to transition hybrid cloud architecture to the standard operational model, these users see the need for broader cloud service provider and vendor interoperability, tighter controls based on dynamic policy enforcement, cloud event and data interoperability, orchestration and cross-cloud access security.

The distribution of respondents within these three buckets suggests a groundswell of hybrid cloud adoption built on private cloud deployments and adoption of SaaS applications. In our survey, 42% of respondents have a hybrid cloud architecture under active evaluation and testing. When we add in those respondents that have a subset of workloads that currently run exclusively in cloud environments, at 23%, and those that have a subset of workloads that currently run in hybrid models, at 20%, survey results point to a majority of organizations actively engaged in initiatives to derive value from hybrid cloud architectures.
Figure 3: Current State of Hybrid Cloud Adoption
Survey question: What is the current state of hybrid cloud architecture adoption in your organization?
In preliminary investigation: 16%
Under active evaluation and testing: 42%
Subset of workloads run exclusively in cloud environments: 23%
Subset of workloads currently run in hybrid architecture models: 19%

Furthermore, in-depth discussions with IT security professionals suggest that organizations with a hybrid cloud focus have active application development programs. They also have IT operations and information security teams that are engaged in enabling continuous integration and continuous delivery models, as well as microservices architectures. Still, many are looking for baseline interoperability, as we discuss later in this report.

In many cases, organizations that are in the early stages of investigating hybrid cloud architectures could be said to be operating a ‘mixed’ environment in that many currently use SaaS offerings of some variety (be it email, financial planning or payroll processing). The dividing line between ‘mixed’ environments and hybrid cloud is the use of public cloud services. Nonetheless, for many organizations, service providers and vendors demonstrating comprehensive security and fully addressing compliance requirements are necessary precursors to adoption of hybrid cloud architectures. As with the initial opposition to SaaS offerings that leverage a shared services model, internal opposition to hybrid cloud at many regulated organizations and risk-averse enterprises is based on concerns about an approach that breaks with existing IT consumption models.
The respondents that populate the first bucket described above are by and large highly regulated enterprises or government agencies that require external regulatory approvals before moving ahead with hybrid cloud architectures. However, for some enterprises that deal with a large amount of PCI data, risk mitigation looms large as a hurdle. Assurances from vendors and service providers may eventually assuage those concerns, but it’s the regulators and government agencies that will ultimately have to be persuaded. At this stage, it’s still unclear whether data privacy requirements that emerge in the aftermath of the Safe Harbor repeal will derail the journey to the hybrid cloud, but it seems likely the regulatory environment will shift.

COMPLIANCE – NECESSARY, BUT NOT NECESSARILY IMPERATIVE

For organizations already on the journey to the hybrid cloud, satisfying compliance requirements is generally a necessary precursor to implementation and deployment. For many, preconfigured compliance templates for cloud instances and virtual machines (and eventually containers) are important. Still, the ability to mitigate risk, maintain visibility and enforce consistent controls across environments all figure as prominently as meeting compliance requirements. In particular, there are prominent concerns not only about mitigating the risk of moving data outside of the corporate datacenter, but also about securing data moving between environments, especially those operated by third parties.

Many of the hybrid cloud security challenges identified by our survey correspond with long-standing information security concerns. The distinction that emerges, however, is that most see hybrid cloud security as a superset of these traditional concerns.
While concerns about data security loom large – as they do in the context of IT infrastructure generally – the challenges that organizations contend with in hybrid cloud environments relate to applying these existing security principles to a new architecture. The challenges also revolve around the movement of data in a highly automated and self-provisioning environment, as well as access to the data in a third-party environment and consistent policy enforcement.

These concerns are reflected in our survey results, when senior IT security professionals were asked to identify the most significant security challenges with hybrid cloud, as illustrated below.

SECURITY CHALLENGES FOR HYBRID CLOUD ARCHITECTURES (PERCENTAGE OF RESPONDENTS)
Maintaining consistent access security and authorization controls across environments: 59%
Securing movement of data and workloads across environments: 55%
Securing data residing and processed in a third-party or hosted environment: 54%
Maintaining consistent network security policies for security domains: 49%
Ensuring compliance with regulatory and policy requirements: 45%

ADDRESSING SECURITY AND COMPLIANCE CONCERNS: PUTTING TOOLS TO WORK

By and large, survey respondents are looking to cloud service providers to address these challenges.
And they are turning to existing security vendors to fill the gaps in areas like encryption, access management, key management and network firewalling through products designed to operate in cloud service provider environments or private cloud environments such as OpenStack or Cloud Foundry. Only 8% of respondents indicated that they are not currently making use of cloud service provider security and compliance tools. By contrast, 90% of respondents indicated that they are actively using cloud service provider tools for security and compliance. As one IT professional at a global industrial enterprise pointed out: “None of this stuff is rocket science – it is easy, just follow the rules and process.”

WHICH HYBRID CLOUD SECURITY TOOLS ARE CURRENTLY IN USE? (PERCENTAGE OF RESPONDENTS)
Network security, including firewalls and TLS (transport layer security): 75%
Data security, including at-rest encryption and cloud HSMs (hardware security modules): 67%
Logging, monitoring and auditing of administrative actions (including configuration changes): 64%
Access management, including IAM, admin access controls and authentication: 58%
Implementation of compliance templates: 44%

3. Critical Elements of a Comprehensive Hybrid Cloud Compliance and Security Approach

CURRENT HYBRID CLOUD SECURITY TOOLS: ADEQUATE, BUT NOT GOOD ENOUGH (YET)

The point of departure for evaluating hybrid cloud security is essentially this: Can an organization replicate existing controls, monitoring and compliance audit processes in a hybrid cloud architecture? If not, are there service-provider or third-party tools that can compensate?
Having established that 90% of survey respondents are making use of cloud service providers’ tools and having identified the ones most widely in use, the obvious follow-up question is: What is the current level of satisfaction with those tools, and do the tools adequately address their security and compliance needs? The answer is revealing: 47% of those using service-provider tools indicate that they comprehensively address security and compliance needs. However, 36% of respondents said the tools only partially address their requirements but are sufficient for their subset of workloads.

The market is responding to this demand, with third-party vendors working with systems vendors and cloud service providers to develop a security ecosystem for the hybrid cloud world. These vendors and their partners would do well to listen to the concerns expressed by end users in this study.

Figure 4: Top Hybrid Cloud Security Requirements
Survey question: What are the top two requirements you use when evaluating hybrid cloud security capabilities? Responses are shown by vertical market (Financial services; Communications, Media & Services; eCommerce; Education; Energy/Utilities; Government; Healthcare; Insurance; Manufacturing; Construction; Legal Services; Retail/Hospitality; Technology; Telecommunications; Transportation; Wholesale Trade) on a 0%–100% scale for the following requirements: Ability to define and enforce compliance templates; Ability to monitor changes to templates and configuration files and generate alerts; Ease of integration with existing security policies and controls (such as firewall rules, IAM, data security policies); Ability to isolate security domains in a third-party environment; Ability to provide a consolidated view of activity across environments.
COMPREHENSIVE HYBRID CLOUD SECURITY: MORE OF THE SAME, BUT MORE COMPLEX

The hybrid cloud security picture becomes more complicated once we move beyond baseline security and compliance tools. Having established that baseline controls can be implemented, and that data can be adequately secured in a third-party environment or private cloud, here are the next questions that organizations ask themselves:

• Can I adequately log and monitor activity across my hybrid cloud architecture? If not, can I move compliant workloads outside of my four walls?
• How do I ensure that workloads are moved securely from one environment to another, without having the data maliciously or inadvertently exposed?

For those organizations further down the hybrid cloud journey that are focused on improving their maturity, risk mitigation requires better control of who has access to the underlying infrastructure and a consolidated view of activity in the various environments. These concerns encompass the desire to extend existing security best practices and processes across a hybrid infrastructure where the organization does not directly own or manage the execution environment.

The current set of critical security requirements can be grouped into three distinct categories:

• Extending security best practices to hybrid cloud architectures
• Satisfying compliance requirements through centralized management and policy automation
• Risk mitigation through specific hybrid cloud security products (workload segmentation or micro-segmentation, consolidated visibility, administrative controls, etc.)
EXTENDING SECURITY BEST PRACTICES TO HYBRID CLOUD ARCHITECTURES

As you will note in the following tables, we see a remarkable degree of consistency among survey respondents in terms of what are either critical requirements or very important components for ensuring hybrid cloud security and compliance. Almost all respondents recognize that, since hybrid cloud architectures by their nature involve the movement of data from one environment to another, securing data in transit as well as at rest is critical. Likewise, they view the ability to replicate existing network security rules as practically a prerequisite. The same holds true for access management policies.

As we move the scope beyond those foundational requirements, we encounter more diversity in what is deemed critical. Again, we believe this reflects the fact that respondents occupy a range of points on the hybrid cloud maturity model.

One growing approach to managing this complexity is called micro-segmentation: a method of creating a series of zones by leveraging the underlying virtualization tier, and applying a specific set of policies to each zone based on the attributes of the workloads. We have seen both in this survey and in discussions with IT executives that micro-segmentation is increasingly viewed as a standard building block for hybrid cloud architectures. And as enterprises look to architect for a hybrid-cloud-first model, managing and controlling administrative access to the hypervisor tier and to emerging IT automation tools is quickly becoming a risk concern. The outcome of moving further along the hybrid cloud adoption curve is that logging and auditing (and by extension, consolidated visibility) are not only compliance concerns – they become critical to risk mitigation.
The survey data and ongoing 451 Research discussions bear this observation out: the current set of service-provider tools is sufficient to make the initial move to hybrid cloud for many, and third-party tools exist for those enterprises with an interest in going deeper. The next hurdle is ensuring comprehensive risk mitigation that enterprises can implement and maintain with relatively low overhead, and which is more tightly integrated with hybrid cloud environments.

[Figure 5: Hybrid Cloud Security Approaches. Respondents rated each approach on a five-point scale: 5 - critical requirement; 4 - very important; 3 - important; 2 - somewhat important; 1 - not at all important. The approaches charted, grouped as in the text: Extending security best practices to hybrid cloud architectures (data security - data in motion, data at rest; network security; integration of existing identity and access management authoritative sources; logging, auditing and reporting); Satisfying compliance requirements through centralized management and policy automation (enforcement of compliance and regulatory requirements for VMs, workloads); Risk mitigation through specific hybrid cloud security products (enforcement of controls for administrative access at the hypervisor tier; enforcement of role-based access for segmented networks and security domains; centralized definition and enforcement of workload segmentation; consolidated discovery and visibility across hybrid environments).]

Data Protection: The protection of data is a core element of information security. This requirement looms even larger when the architecture incorporates third-party elements where the enterprise does not fully control the underlying architecture.
The issue of management and access to encryption keys has gained increased visibility as a concern.

DATA PROTECTION – SECURING DATA IN MOTION AND DATA AT REST
Users should be able to implement encryption of their data at rest and in motion between environments and subnets within a hosted cloud environment. Ideally, workloads should remain encrypted if they move from one security domain to another.

Percentage of respondents:
• Critical requirement: 53%
• Very important: 32%
• Important: 11%
• Somewhat important: 3%

Representative vendors:
• Vormetric (Thales E-Security)
• Gemalto SafeNet
• Sophos
• Trend Micro
• HPE Security – Data Security
• Bracket Computing

Infrastructure and Network Protection: Firewall rules and transport security may not be ‘cutting edge,’ but these are critical foundational requirements for both security and compliance, especially as workloads traverse environments or are instantiated in third-party environments. Replicating firewall rules and ACLs will ensure that security controls are consistent across environments.

INFRASTRUCTURE & NETWORK PROTECTION
Firewall rules and policies for cloud instances, workloads and custom applications should be instantiated automatically as they spin up in a virtualized environment, and should be tied to workload attributes and data characteristics. In addition, firewall policies and rules should be centrally managed. Secure connections and tunneling should also be supported.
Percentage of respondents:
• Critical requirement: 39%
• Very important: 43%
• Important: 14%
• Somewhat important: 4%

Representative vendors:
• Tufin
• AlgoSec
• Check Point
• Barracuda
• RedSeal
• Cisco
• CloudPassage
• Dome9
• HPE Trend Micro TippingPoint
• Palo Alto Networks
• HPE Aruba
• Cumulus Networks

Identity and Access Management: Organizations invest heavily to ensure that appropriate access controls and authorization policies are in place for sensitive systems. The same holds for resources and applications in hybrid cloud architectures – and the value is undermined if new rules must be created or if maintaining consistency in access control is overly complex.

INTEGRATION OF EXISTING IDENTITY & ACCESS MANAGEMENT AUTHORITATIVE SOURCES
Access controls for workloads running in hybrid cloud deployments should rely on a shared authoritative source for identity profiles, policy objects and authorization rules. Rather than have to create an identity silo for each element of the hybrid cloud implementation, access policies and admin privileges should be based on a common or consolidated authoritative store.

Percentage of respondents:
• Critical requirement: 33%
• Very important: 37%
• Important: 24%
• Somewhat important: 4%

Representative vendors:
• OpenStack Keystone (Open Source)
• Auth0
• Okta
• OneLogin
• Ping Identity
• Microsoft Azure AD
• HPE Software
• CA Secure Cloud

Logging, Auditing and Reporting: Compliance mandates and regulatory requirements uniformly require attestation of controls, and many specifically include logging rules. We are seeing an increased focus on logging, auditing and reporting as tools for risk mitigation, and for identifying suspicious or anomalous activity.
LOGGING, AUDITING & REPORTING
From an operational perspective, logging processes should follow the workload, and be implemented consistently across hybrid environments. Logging of events generated by cloud workloads should be easily consumed by centralized systems, and be used as input for both forensic analysis and performance. Also, for compliance purposes, reporting and auditing of all activity should be captured in a dashboard designed to automate the audit process.

Percentage of respondents:
• Critical requirement: 23%
• Very important: 45%
• Important: 26%
• Somewhat important: 4%

Representative vendors:
• Splunk
• Sumo Logic
• Loggly
• Logentries (Rapid7)
• Alert Logic
• AWS CloudTrail
• Fluentd (Open Source)
• HPE Software
• HPE ArcSight
• AlienVault

SATISFYING COMPLIANCE REQUIREMENTS THROUGH CENTRALIZED MANAGEMENT AND POLICY AUTOMATION

Enforcement of Virtual Machine Configuration and Settings: Particularly as issues such as the demise of Safe Harbor come into focus, it is critical to have the ability to ensure that virtual machines and associated workloads are managed based on a predefined set of rules that ensure they cannot move out of a particular IP range, geography or subnet dedicated to compliance workloads.

ENFORCEMENT OF COMPLIANCE & REGULATORY REQUIREMENTS FOR VMS, WORKLOADS
As workloads move across and between execution environments and are provisioned, they should be associated at instantiation with a set of policies (such as geographic location, access policies, service connectivity and configuration files).

Percentage of respondents:
• Critical requirement: 27%
• Very important: 42%
• Important: 27%
• Somewhat important: 3%

Representative vendors:
• Catbird
• Illumio
• HyTrust
• CloudPassage
• OpenStack (Open Source)
• Alert Logic
• vArmour
• Bracket Computing
• HPE Software
• Cloud Raxak
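As an added illustration of the requirement just described (this is example code written for this page, not the report's own material or any named vendor's product), the following Python sketch binds a compliance template to a workload at instantiation and re-evaluates it before every move between execution environments, so a workload pinned to a dedicated geography, IP range and security domain cannot be placed outside them; each decision is also returned as an audit record in one schema for a central log. Template fields, environment names and the PCI sample data are hypothetical.

```python
"""Added example (not from the 451 Research report): bind a compliance template
to a workload at provisioning and re-check it before every move between
execution environments. All names and field layouts are hypothetical."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ComplianceTemplate:
    """Policy set attached to a workload when it is instantiated."""
    name: str
    allowed_regions: frozenset      # geographies the workload may run in
    allowed_subnets: tuple          # IP ranges dedicated to this mandate
    security_domain: str            # segment the workload must stay inside
    encrypt_at_rest: bool = True    # data-at-rest encryption required


@dataclass(frozen=True)
class Environment:
    """Attributes of one execution environment (private or hosted cloud)."""
    name: str
    region: str
    subnet: ipaddress.IPv4Network
    security_domain: str
    encrypt_at_rest: bool


@dataclass
class Workload:
    name: str
    template: ComplianceTemplate
    environment: Optional[Environment] = None


class PolicyViolation(Exception):
    """Raised when a placement would break the workload's bound template."""


def evaluate(template: ComplianceTemplate, env: Environment) -> List[str]:
    """List every way `env` violates `template`; an empty list means compliant.
    The same rules are applied regardless of which environment is the target."""
    violations = []
    if env.region not in template.allowed_regions:
        violations.append(f"region {env.region} not permitted for {template.name}")
    if not any(env.subnet.subnet_of(net) for net in template.allowed_subnets):
        violations.append(f"subnet {env.subnet} is outside the dedicated IP ranges")
    if env.security_domain != template.security_domain:
        violations.append(f"security domain {env.security_domain} != {template.security_domain}")
    if template.encrypt_at_rest and not env.encrypt_at_rest:
        violations.append("data-at-rest encryption not available")
    return violations


def enforce(action: str, workload: Workload, target: Environment, audit: list) -> dict:
    """Evaluate a placement, append one audit record in a single schema (so the
    central log sees the same event shape from every environment), then either
    bind the workload to `target` or raise PolicyViolation."""
    violations = evaluate(workload.template, target)
    record = {
        "action": action,               # "instantiate" or "migrate"
        "workload": workload.name,
        "template": workload.template.name,
        "environment": target.name,
        "result": "deny" if violations else "allow",
        "violations": violations,
    }
    audit.append(record)
    if violations:
        raise PolicyViolation(record)
    workload.environment = target
    return record


# Constructed sample data: a PCI template pinned to two US regions, a dedicated
# 10.10.0.0/16 range and the "pci-cde" security domain.
PCI_TEMPLATE = ComplianceTemplate(
    name="pci-dss",
    allowed_regions=frozenset({"us-east", "us-west"}),
    allowed_subnets=(ipaddress.IPv4Network("10.10.0.0/16"),),
    security_domain="pci-cde",
)
ONPREM_PCI = Environment("onprem-pci", "us-east",
                         ipaddress.IPv4Network("10.10.5.0/24"), "pci-cde", True)
CLOUD_US_PCI = Environment("cloud-us-pci", "us-west",
                           ipaddress.IPv4Network("10.10.200.0/24"), "pci-cde", True)
CLOUD_EU_GENERAL = Environment("cloud-eu-general", "eu-west",
                               ipaddress.IPv4Network("10.20.0.0/24"), "general", True)


def demo() -> list:
    """Instantiate a PCI workload on-premises, move it to a hosted PCI enclave
    (allowed), then try a general-purpose EU environment (denied); return the audit trail."""
    audit = []
    wl = Workload("cardholder-db", PCI_TEMPLATE)
    enforce("instantiate", wl, ONPREM_PCI, audit)
    enforce("migrate", wl, CLOUD_US_PCI, audit)
    try:
        enforce("migrate", wl, CLOUD_EU_GENERAL, audit)
    except PolicyViolation:
        pass                            # workload stays bound to cloud-us-pci
    return audit
```

Running demo() yields three audit records: allow, allow, deny, with the denied move listing the region, subnet and security-domain violations.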
RISK MITIGATION THROUGH SPECIFIC HYBRID CLOUD SECURITY PRODUCTS

Hypervisor Administrative Access Controls: As virtualization becomes more of a central element in datacenter architectures, ensuring not only that there is a set of tools in place to constrain how the hypervisor admin account can be accessed, but also that role-based policies are enforced to limit abuse or exploitation, comes into focus as a risk-mitigation measure.

ENFORCEMENT OF CONTROLS FOR ADMINISTRATIVE ACCESS AT THE HYPERVISOR TIER
The virtualization hypervisor is a critical component of hybrid cloud implementations. In order to effectively limit the potential for insider abuse and thwart external attackers abusing administrator credentials to gain access to sensitive data, access to the hypervisor must be tightly controlled. In addition to enforcing access controls, administrators must be constrained by their role to a specific set of executables, with violations flagged and audited.

Percentage of respondents:
• Critical requirement: 27%
• Very important: 42%
• Important: 27%
• Somewhat important: 3%

Representative vendors:
• HyTrust
• OpenStack
• Catbird
• Conjur
• Xceedium (CA)

Enforcement of Role-Based Access for Segmented Network Administration: Many enterprises have implemented methods of insulating their cloud environments from potential access by service provider administrators. Still, there is the challenge of managing access by their own administrators to these new environments in a consolidated manner.

ENFORCEMENT OF ROLE-BASED ACCESS FOR SEGMENTED NETWORKS & SECURITY DOMAINS
Most enterprises are challenged with effective containment of administrative access within on-premises environments.
The challenge is compounded when administrative access privileges are extended to cloud environments – and the risk of access by cloud provider administrators, unintentionally or otherwise, also comes into scope. Administrator access and privileges should be consistently defined by role and by security domain, and uniformly enforced.

Percentage of respondents:
• Critical requirement: 25%
• Very important: 41%
• Important: 27%
• Somewhat important: 6%

Representative vendors:
• Catbird
• Xceedium (CA Technologies)
• HyTrust
• OpenStack (Open Source)
• Conjur
• HashiCorp Vault (Open Source)
• Microsoft Azure
• HPE Cloud Service Automation

Centralized Definition and Enforcement of Workload Segmentation: In order to effectively scale in hybrid cloud architectures, satisfy business needs for IT agility, and ensure that consistent security and compliance rules are enforced, enterprises need to maintain a centralized management tool for workload definition and segmentation. In addition to meeting operational needs, the segmentation should also allow for policy settings to be maintained independently of the execution environment.

CENTRALIZED DEFINITION & ENFORCEMENT OF WORKLOAD SEGMENTATION
Hybrid cloud architectures by definition involve the use of multiple execution environments. In order for enforcement of centrally defined security policies and compliance mandates to remain consistent, the same set of rules and controls should apply regardless of execution environment. Segmentation of workloads according to compliance mandates (HIPAA, PCI or data residency requirements) and security policies is a key component of aligning automation of hybrid cloud environments with security needs.
Ideally, workloads should remain encrypted if they move from one security domain to another. And there should be some protection of configuration files and settings.

Percentage of respondents:
• Critical requirement: 52%
• Very important: 20%
• Important: 28%
• Somewhat important: 6%

Representative vendors:
• Catbird
• Illumio
• vArmour
• CloudPassage
• evident.io (AWS)
• RightScale
• Bracket Computing

Consolidated Discovery and Visibility: In a multi-cloud model, where each element is purposefully designed for automated provisioning, an obvious operational concern and governance risk is that resources and workloads can proliferate. The security concern is that some enterprise assets may be outside of existing monitoring programs or even policies.

CONSOLIDATED DISCOVERY & VISIBILITY ACROSS HYBRID ENVIRONMENTS
In much the same way that initial adoption of virtualized datacenters led to virtual sprawl, one of the governance challenges posed by hybrid cloud environments is the risk that workloads, virtual machine image configurations and associated resources are not visible to a centralized management framework. Discovery and monitoring of resources across the hybrid deployment are critical to governance – since administrators cannot control what they cannot see.

Percentage of respondents:
• Critical requirement: 22%
• Very important: 43%
• Important: 28%
• Somewhat important: 6%

Representative vendors:
• Catbird
• Illumio
• vArmour

All of the concerns examined above encompass the desire to extend existing security best practices and processes across a hybrid infrastructure where the organization does not directly own or manage the execution environment.

4. Balancing Compliance Requirements and Risk Mitigation with the Demands of Hybrid Cloud Adoption

“The security model doesn’t change just because you’re going on cloud.
But unless you have interoperability, you are better off keeping everything in a private cloud deployment.” – IT Executive, Global Financial Services Enterprise

As we’ve noted throughout this report, the current spectrum of hybrid cloud adoption maturity ranges from ‘in a holding pattern until approved by government regulators’ to ‘need for interoperability to better orchestrate and secure a multi-cloud model.’ A full two-thirds of survey respondents feel the full spectrum of their organizations’ security and compliance requirements are more complex than what is offered by the current tools from cloud service providers. Although this might seem to run contrary to the response from the nearly half of participants who indicated the tools available from service providers meet the requirements for current workloads, this question was aimed at understanding the extent to which organizations might be comfortable moving all of their workloads into a hybrid architecture.

In this context, only one-third of respondents feel that third-party tools are completely adequate for their organizational security and compliance requirements. The implication here is that across the hybrid cloud adoption maturity model – and even for those with a strategic thrust toward hybrid cloud adoption – there is still plenty of room for improvement in terms of vendor and provider security and compliance. However, the overwhelming response to the question by those who see their requirements as more complex is that they still anticipate migrating workloads that are not covered by compliance mandates or regulatory requirements into hybrid cloud architectures.
The overall positive response to the question was 88%, with respondents from verticals such as technology (at 95%) and retail/hospitality (at 92%) above that mark (see Figure 6). What’s more, across the board we see a trend toward getting more production workloads into hybrid cloud environments.

[Figure 6: Migrating Workloads not Covered by Compliance Mandates or Regulatory Requirements. Survey question: “Do you still anticipate migrating workloads that are not covered by compliance mandates or regulatory requirements to the cloud service provider’s environment?” Responses (Yes / No / Don’t know) are broken out by vertical: financial services; communications, media & services; eCommerce; education; energy/utilities; government; healthcare; insurance; manufacturing; retail/hospitality; technology; telecommunications; transportation; wholesale trade; construction; legal services.]

It’s important to note that compliance requirements are generally imposed on organizations, while risk is more of a subjective metric that takes into account multiple aspects, such as the sensitivity and value of the data, the likelihood of a successful attack, and the appetite for additional security controls. However, security controls are integral to addressing compliance requirements. And as the responses above indicate, security and compliance are not always absolute inhibitors to adoption, but they certainly represent obstacles to further adoption. In both instances, control and visibility are crucial, especially as automation and integration across multiple clouds come into focus.
Without the existence of controls to address both compliance requirements and security measures – whether in the form of workload or micro-segmentation, access controls, administrative segregation of duties, change monitoring of configuration files, etc. – organizations cannot maintain visibility into their environments.

There exists a subset of end users, especially in the government sector, who will need very specific guidance from regulators to enable them to move to a hybrid cloud model. But for those organizations that have already moved and have already looked at hybrid cloud more strategically, interoperability comes up time and again as an issue. Equally, the ability to centrally define policies and configurations such as where a workload can run and how data is secured – with those policies and configuration files easily consumed by control points and provisioning systems in the target cloud environment – is critical to advancing hybrid cloud maturity.

INTEROPERABILITY KEY TO HYBRID CLOUD MATURITY

While many organizations are comfortable with moving non-compliant or non-business-critical workloads into a hybrid cloud architecture, they are not satisfied with the extensibility of the current set of service provider tools. Some 69% of respondents indicated that they have concerns about the extensibility of cloud service provider security tools, and of those respondents, 74% reported that they perceive the lack of extensible security and governance tools to be a hurdle to broader adoption. Extensibility and interoperability go hand in hand, since in theory they would rely on a common set of conventions for integrations and event descriptions.

“I think the key element for hybrid cloud technology and service providers is that they need to understand two things. One is interoperability between vendors. Second is ability to seamlessly integrate with the existing systems using a non-proprietary solution.
So it may not always be that operationally efficient, but at least you have a starting point.” – IT Executive, Global Manufacturing Company

Interoperability is key to expanding adoption for a number of reasons. First, organizations want to have a choice in private and public cloud providers. And they want to be able to maintain a consistent set of security settings and policies when moving workloads dynamically between public and private cloud environments. For those moving to a more highly automated model (because of trends like microservices architectures or DevOps), there is a need to define compliance templates and ‘golden images’ of configuration files that will be consistently deployed and provisioned across execution environments.

But from a risk management and mitigation perspective, our in-depth discussions with IT and information security professionals indicate a strong desire for consolidated visibility. For information security professionals, visibility is key to monitoring activity and ultimately identifying anomalous behavior, which assumes even more importance when both the environments and identities (user, administrator, service or virtual machine) proliferate in hybrid cloud architectures. In addition, demonstrating adequate controls and maintaining logs to satisfy compliance requirements is labor-intensive in the absence of a consolidated repository and aggregated event feed. At a minimum, information security professionals are looking for an event feed from hybrid cloud environments to a central repository, progressing to full-event details and metadata fed into a central repository, and eventually real-time feeds into an event management system.

Similarly, for IT operations, visibility is key to identifying service delivery issues. Without some starting point, troubleshooting and performance management across events can be a laborious, time-consuming and circuitous process.
As with the initial stages of SaaS adoption, IT operations professionals are concerned that without broad visibility across event types, identifying a root cause can devolve into a blame game.

Likewise, interoperability is critical to the utility of tools employed to enforce workload and micro-segmentation, for both compliance and security reasons. Particularly in light of impending changes to EU data privacy regulations with the demise of Safe Harbor, the concern for many IT professionals is that network configurations and policy rules will not be easily ported from one environment to another. This can potentially undermine the value proposition that hybrid cloud architecture promises for service delivery acceleration.

The Safe Harbor Privacy provision allowed US companies to store and process data covered by EU data protection and privacy regulations, provided they adhered to a set of seven principles in their operations. On account of concerns that US-domiciled companies would be subject to federal surveillance efforts or blind subpoenas, the EU’s highest court has invalidated the Safe Harbor framework – and in doing so, generated uncertainty over whether US cloud providers can store or process data from EU citizens or companies.

Finally, interoperability facilitates an API-centric approach to integration across environments – whether for identity assertions or for event data. The enthusiasm for an integration tier with standard APIs is probably only matched by the enthusiasm for a real-time event feed from hybrid cloud architectures.

[Figure 7: Current Hybrid Cloud Adoption by Organizational Function. Survey question: “What is the current state of hybrid cloud architecture adoption in your organization?”]
[Figure 7 (continued): responses by group or team (a cross-functional team with members from different parts of the IT organization: software delivery, information security, risk and compliance, network security, data management; a distinct team or group tasked with hybrid cloud security; part of the information security function; part of the IT operations function; part of the networks function; part of our business operations, outside of IT) across four adoption stages: in preliminary investigation; under active evaluation and testing; subset of workloads run exclusively in cloud environments; subset of workloads currently run in hybrid architecture models. Axis runs from 0% to 60%.]

5. Recommendations

HYBRID CLOUD SECURITY: IT TAKES A VILLAGE

The consistent characteristic we have identified among organizations that are further along the hybrid cloud architecture maturity model (based on a specific set of business requirements) is that they have assembled a cross-functional team to define, enforce and monitor the security posture of hybrid cloud environments. This cross-functional team generally includes members from different parts of the IT organization, such as software delivery, information security, risk and compliance, network security and data management. Information security will also generally lead the team. This type of team is critical because hybrid cloud architectures by necessity break down operational silos, and any decisions on acceptable security risks or satisfying compliance mandates should be made in the context of the business need and the operational impact.
SECURITY IS MORE OF THE SAME, BUT RISKS ARE NEW

The need to maintain control, protect information and ensure visibility to identify threats or security incidents remains the same. And, for many organizations, securing data in a third-party environment is a well-understood challenge. The challenge becomes extending controls across multiple environments in a consistent fashion. In addition, there is a need to manage administrative identities, and to ensure that third-party administrators have the appropriate level of privileges (and that these are enforced). Ideally, customers would be able to monitor and flag changes to configuration files as well as modifications to firewall or DNS settings that could point to the staging of an attack. This is where workload and micro-segmentation come into play. For those ahead of the adoption curve, workload segmentation (and hypervisor administrative access controls) are foundational security elements, as is federated identity across multiple cloud environments. The challenge is to push your cloud vendors to make the consumption of enterprise security and compliance policies seamless for their environment, and to enable micro-segmentation.

THE ORGANIZATION THAT INTEGRATES TOGETHER, STAYS TOGETHER

In our research, the preference from information security and IT operations professionals was overwhelmingly for an API-driven approach or an overlay that securely exposes on-premises resources through an integration tier. Part of the interest in an integration tier is that, as one IT executive at a global manufacturing company pointed out, “It gets everyone on the same page.” The integration tier serves to compel different IT and information security constituencies to agree on common conventions, as well as data formats and descriptions.
For at least a quarter of survey respondents, ease of federation of access and authentication tokens (for machines and services, as well as human identities) was a critical requirement.

IF YOU CAN’T LOG IT, IT DOESN’T EXIST

This maxim holds true for security events, compliance logs and system events. Without consolidated visibility across the hybrid cloud environment through aggregated event feeds, information security will inevitably have to contend with blind spots. And if controls are put in place for compliance mandates such as access control or monitoring, attestation is a challenging process. The implication here is that controls should first be in place in order to generate events and logs. As we have noted elsewhere in this report, the same controls that are in place should be duplicated in a hybrid cloud architecture. However, because of the need to maintain segmented networks and ensure that only servers with the appropriate configuration files and associated policies are spun up in hybrid cloud architectures, additional layers of controls are needed at the hypervisor tier.

SHARED RESPONSIBILITY DOES NOT MEAN NO RESPONSIBILITY

A critical first step in migrating to a hybrid cloud architecture is conducting a risk assessment. Ideally, the next step is to perform a security assessment to determine which workloads are appropriate for a hybrid cloud environment.
The shared responsibility model that is implicit in cloud computing becomes a more significant consideration the further down the hybrid cloud path that organizations progress. The challenge is to define risk in the context of the shared responsibility – not just between providers, but also among internal IT constituencies – so as to establish risk and assign accountability.

6. Appendix

RESEARCH METHODOLOGY

To produce this report, 451 Research followed a three-phase process.

Phase 1 – 451 Research audited existing proprietary and syndicated research for insights into hybrid cloud security practices. This audit, along with input from our analysts, created the basis for our field research in Phases 2 and 3.

Phase 2 – A Web-based survey of 250 North American IT executives with purchase authority or purchase influence for cloud security technologies in enterprise (>5,000 employees) businesses. Respondents were sourced from 451 Research’s commentator network of 25,000 IT executives worldwide and other lists. Phase 2 provided the quantitative data cited in this report.

Phase 3 – In-depth interviews with 15 North American IT executives. 451 analysts conducted 15 hour-long interviews with the target audience, in order to validate some of the data collected in Phase 2, and to provide context to the findings and analysis. Phase 3 yielded the in-depth insights, recommendations and verbatim quotes for this report.

Fielding of Phases 2 and 3 took place during the months of October and November, 2015. All responses were anonymized, and 20 different vertical markets were represented.