How secure is the hybrid cloud?

The term hybrid cloud is used loosely, which is probably why so many companies say they're planning to adopt it. If you’re planning a hybrid cloud strategy, the security questions you need to think about may not be the ones you’d expect.

If you use Microsoft’s StorSimple storage appliance, you get an “infinite” storage area network. It looks like a SAN to your on-premises infrastructure, but as well as deduplicating, compressing and tiering your working set of data, it automatically backs up snapshots and tiers cold data to your choice of clouds (Azure, Azure Government, Amazon S3 or OpenStack clouds). The data is encrypted, and you can connect it using ExpressRoute, but you’re still moving data to the cloud without human intervention.

That automation and the seamless, low-friction connection make it easy to move data and workloads to and from the cloud without anyone making a specific decision every time. And that means you need to have your security policy clearly set out in advance, and applied automatically, or you may find you’re moving something to the cloud that you don’t want to have there.

Security through expertise

“There needs to be a learning process, and obviously the things you want to learn with are the lowest risk things, which give you a great return on investment as you learn,” Russinovich suggests. “You want to learn about how much does it cost me, what are the best practices, how do I figure out security without putting the whole business at risk.” And while you’re learning, he points out, you can also be saving money, and getting real experience with cloud costs.

“Do I move the crown jewels first? That doesn’t make any sense. But I can move my devtest environment to the cloud and immediately I get a return, because if my devtest is on premises it’s occupying infrastructure and more than half the time it’s just sitting there and I’m paying for it. When I move it to the cloud I can learn about hybrid network connectivity, as I connect the on-premises environment to the devtest resources in a secure way to keep them off the Internet, because I don’t want even that exposed. I can also learn how to modernize my applications as I move them. My devtest on premises is a statically configured environment; when I move it to the cloud I can have it scale up – or scale in. I can have it completely shut off at 5 p.m. when the developers go home.”

Russinovich goes on: “You can take advantage of storage connectivity. Why do I want to buy a new SAN to store data that I'm just backing up? Toss that up in the cloud. And while I'm figuring out how to best secure that data, I can have that data encrypted as it moves to the cloud. So there's low risk; even if I did screw up and that data leaks, it's not putting the business at risk.”

As you work through connecting those lower-risk systems to the cloud, you learn hybrid cloud strategies, Russinovich points out. “New projects that are low risk, like customer-facing sites and marketing campaign things, why put that on premise? For new projects like that, you can move to the cloud. But all that requires understanding hybrid.”

You also need to understand how to enforce security and compliance in a world where you don’t have group policy, and where application developers rather than network architects are managing access controls.

Then you can work your way up to more complex hybrid models where you build the front end of an application in the cloud but keep the data on premises. “Often, the more sensitive data is the most complicated to move, because so much of my internal company ecosystem is built up around that data being in a certain place and accessed a certain way, and it’s going to cost a lot of money to move everything,” Russinovich points out. “It doesn’t make sense to go after the hardest things first; start at the fringe and work your way in.”

To make this prioritization work you need to do data classification, and look at the complexity of your applications and the sensitivity of the data they handle, categorizing which of your applications deal with confidential and proprietary information.

That’s easier than it used to be, points out VCE’s Moulton, because regulatory frameworks like HIPAA, SOX and Basel 3 haven’t just made enterprises take security seriously. “They’ve also established frameworks under which data becomes classified. There’s the recognition that I've got a data set that is valuable, the IT group have given me a framework and some classification tools – and here's a regulator that will regularly audit me to see I'm in compliance.”

Changes in enterprise governance models make hybrid cloud easier, he suggests. “They’ve changed sufficiently that security is no longer an afterthought. It's something they build into their risk models and their risk assessment in a way that takes account of what the security implications are, and how you deal with them.”

Use that when choosing where data and applications will live. “You have to do a risk assessment on whether that place is something you want to wholly own or whether it is somewhere you build a service level agreement with an organization that is massively penalized if that risk assessment proves to expose the company to risk.”

Copyright © 2015 IDG Communications, Inc.
