Wednesday, October 21, 2015

Security in Hybrid Cloud sans Private Cloud

Check this link :

Few predictions made before are becoming reality.  Pure private clouds are disappearing slowly. Enterprises are increasingly using public clouds for may workloads and going for very small private clouds for critical workloads.  Combination of public cloud hosting with private cloud is called hybrid cloud.

I believe that hybrid cloud market as defined today (Private + Public combination) would decline over time and would become niche market.  But another other kind of hybrid cloud market, where Enterprises use multiple public clouds, would increase in future.

Security considerations :  In my view,  Enterprises need to  embed security in their workloads and not depend on generic security solutions provided by cloud operators.  Few reasons on why this is required.

  • Enterprises may need to host their services in various countries, where there may not be stringent laws on data protection,  data security.   
  • Enterprises may not like to depend on the integrity of administrators of Cloud operators.
  • Enterprises may not like Cloud operators to share the data & security keys to governments without their consent 
What it means is that :
  • Enterprises would need to consider hypervisor domain as insecure, at least for data.
What is it Enterprises would do in future :
  • Security will be built within the workloads (VMs)
    • Threat Security such as firewall, IPS, WAF.
    • Transport level data security such as SSL/TLS.
    • Network Level Security such as Ipsec, OpenVPN
  • Visibility would be built into the virtual machines for 
    • Performance visibility
    • Traffic visibility
    • Flow visibility
Essentially, virtual machines would have all necessary security and visibility agents built into them. Centralized management systems, controlled by Enterprises,  will now configure these agents from a central location to make the configuration & management simpler.

There is a concern that if security is built into the VMs, then attacker exploiting the applications in the VMs may be able to disable the built-in security functions, falsify the data or send wrong information to analytic engines. 

That is a valid concern.  I believe that containers would help in mitigating those concerns.
  • Run all security functions in the root container of  the VM.
  • Run applications in non-root containers within the VM
Isolation provided by containers can mitigate the challenges associated with combining security with the applications.

Service Chaining :  Traditionally, multiple security services are applied by middle virtual appliances. If the traffic is encrypted end-to-end,  these middle virtual appliances will not be able to do good job. Yes, that is true.  This can be solved by Cloud-SFC (SFFs within the virtual machines) where VM SFF itself steer the traffic to various middle appliances or container services within the VM.  More later on this...

I believe that with increasing popularity, flexibility, scale-out, performance provided by CSPs,  it is just matter of time where private clouds would disappear or decline dramatically.  Cloud users (Enterprises) would go for inbuilt security within VMs to host them in public clouds and security/visibility companies would have to address this trend. In  my view only those security/visibility companies would survive.  May be dramatic?  What do you think?

1 comment:

Unknown said...

Very useful article. We also use VDR, as Ideals for our documentation flow. I think it is reliable service, because many big international companies use it