Have you ever driven on a high road or mountain pass that’s shrouded by low cloud? You’re at the familiar controls of your vehicle, but you can’t easily see road-signs, oncoming vehicles, which way the road goes, or other dangers. Progress can be hazardous unless you take extra precautions. The feeling will be familiar to many organizations’ IT teams as they transition some of their business applications and data to the cloud.
The majority of organizations don’t have a large, centralized cloud deployment that has completely replaced their physical networks simply because this type of wholesale migration is costly and involves a great deal of planning, resources and risk. Instead, most enterprises have a hybrid model that includes a mix of physical data centers and private or public clouds. A recent forecast from 451 Research predicted that 60% of enterprise workloads will run in the cloud by mid-2018, up from 41% today. Securing these hybrid environments is much more complex, demanding a change in mindset and approach. IT teams usually have good visibility into and control over their on-premise networks. But when it comes to cloud environments, it’s not as easy to see and react to emerging hazards – just like driving over that high mountain road.
Clouds move closer
These security challenges are made more complex as public and private cloud services evolve. Ever-growing numbers of enterprise devices and services are connecting to and relying on the cloud, increasing the pressure on cloud architectures. At the same time, organizations in sectors such as healthcare, insurance, retail and entertainment are under pressure to deliver differentiated services across geographies and regions according to local preferences or legislation. Collecting and analysing real-time information provides the ability to quickly adjust to trends and customer demands, but information can quickly become stale if not acted upon appropriately. Thus, bringing the processing power of the cloud closer to that “big data” allows organizations to rapidly personalize their offerings and maintain a competitive edge.
This trend demands a more advanced, decentralized and distributed hybrid cloud model, reflecting the right mix of private and public clouds that work as an extension of existing corporate systems and processes. The end result can deliver a more efficient and agile compute model, sometimes called ‘fog computing’ since it reduces the amount of data that needs to go to the cloud for processing. But whatever name the model is given, the problem remains how IT teams get complete visibility and control over it to ensure consistent protection and enforcement of policies across all their assets and data, both on-premise and in the cloud.
Meeting the security challenges
Perhaps the biggest issue that IT teams face is that using hybrid clouds can put data and business applications beyond their traditional IT security controls, which don’t typically touch the cloud – especially public cloud environments. At the same time, the number of cyber threats and breaches is increasing. Once an environment is breached, attacks are able to spread laterally within the cloud infrastructure and even extend outwards from the cloud to on-premise networks. A 2016 Ponemon Institute study of cloud malware and data breaches, which surveyed nearly 650 IT pros, found that 31% of firms had a cloud breach and 25% did not know how the breach occurred.
It all adds up to an enlarged, complex and blurred attack surface for organizations, so they need a comprehensive solution to bridge security gaps and extend protections, visibility and control from data centers to the cloud in a way that works with the cloud’s elasticity and automation.
The solution needs to protect the north-south traffic entering and leaving the data center to and from cloud estates, giving perimeter gateway protections. It also needs to provide robust security against east-west traffic threats within cloud environments, deployable as a security VM within the environment to inspect, make visible and protect traffic and assets within the cloud.
East-west protection should be enforced by micro-segmentation, which groups resources within the cloud environment and divides them into small, protected segments with logical boundaries. Communication between groups and segments is controlled by specific dynamic security policies, which increases the ability to discover and contain intrusions.
Traffic within the data center can then be directed to virtual security gateways for deeper inspection with advanced threat prevention techniques (such as firewalling, IPS, antivirus, anti-bot and sandboxing) to stop attackers and threats attempting to move laterally from one segment or application to another.
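The micro-segmentation model described above, sketched as an added example (not code from this article or from any vendor product): segment membership is derived from workload tags, east-west traffic is denied by default, and explicitly permitted flows are marked for inspection by a virtual gateway. All workload names, tags, segments, ports and policy entries are hypothetical.

```python
# Constructed inventory: workload name -> tags (hypothetical values).
WORKLOADS = {
    "web-1": {"tier": "web", "env": "prod"},
    "app-1": {"tier": "app", "env": "prod"},
    "db-1": {"tier": "db", "env": "prod"},
    "build-1": {"tier": "ci", "env": "dev"},
}

# Segments are tag selectors, so membership is dynamic: a newly launched
# workload lands in its segment without anyone editing a rule.
SEGMENTS = {
    "prod-web": {"tier": "web", "env": "prod"},
    "prod-app": {"tier": "app", "env": "prod"},
    "prod-db": {"tier": "db", "env": "prod"},
}

# Explicit east-west allowances: (src segment, dst segment, dst port) -> action.
# "inspect" means the flow is steered through a virtual security gateway.
POLICY = {
    ("prod-web", "prod-app", 8443): "inspect",
    ("prod-app", "prod-db", 5432): "inspect",
}

def segment_of(workload):
    """Return the first segment whose selector matches the workload's tags."""
    tags = WORKLOADS.get(workload, {})
    for name, selector in SEGMENTS.items():
        if all(tags.get(k) == v for k, v in selector.items()):
            return name
    return None  # unsegmented or unknown workloads get no implicit trust

def decide(src, dst, port):
    """Default-deny: only flows listed in POLICY are permitted."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "deny"
    return POLICY.get((s, d, port), "deny")

def denied_flows(flows):
    """Flows blocked by policy; these are candidates for lateral-movement alerts."""
    return [f for f in flows if decide(*f) == "deny"]

# Constructed sample flows: (source workload, destination workload, dst port).
FLOWS = [
    ("web-1", "app-1", 8443),
    ("app-1", "db-1", 5432),
    ("web-1", "db-1", 5432),    # web tier skipping the app tier
    ("build-1", "db-1", 5432),  # dev CI host reaching a prod database
]
```

Logging the output of `denied_flows` gives the visibility the article asks for: a blocked attempt to cross a segment boundary is both contained and recorded.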
Management matters
The solution should also integrate agnostically with the cloud service’s management and orchestration tools to enable the right security policies to be enforced for applications, and to automate security management processes so that they don’t become a brake on agility in the cloud environment. These features, delivered via an integrated, virtualized security platform, allow advanced security and threat prevention services to be dynamically deployed wherever they are needed in the hybrid environment – from the on-prem data center to public and private clouds.
In conclusion, organizations can achieve greater agility and flexibility using hybrid clouds, helping them respond faster to market and customer needs. With the right security approach, one that integrates advanced protections, policy management and visibility across both on-premise networks and private and public clouds (or fogs), they can drive their IT and business processes with complete visibility and control.
https://www.checkpoint.com/products-solutions/vsec-cloud-security/