A better model for cloud security

The self-service delivery model of the public cloud brings many benefits, but of course undermines the traditional IT server provisioning model. Now that developers can allocate resources themselves with the swipe of a credit card, enterprise security teams have their work cut out for them.

How can IT security teams enable their organizations to harness the cloud’s flexibility and virtually infinite scale while maintaining control over corporate IT and data? This article explores the challenges enterprises face in enforcing security policies on the hybrid cloud, as well as the architectural solution Bracket Computing offers to address those challenges. 

Hybrid cloud challenges

Enterprises are encountering three primary challenges as they adopt hybrid cloud environments.

First, hybrid cloud means hybrid complexity. The heterogeneity of cloud service providers’ offerings creates massive complexity for teams trying to interpret and enforce the same set of security policies everywhere. Agents and virtual appliances can be unwieldy and difficult to manage, and segmentation rules can create traffic jams or allow too many actors in. Data and workload portability compound these risks, as does the increased likelihood of human error (for example, data inadvertently stored publicly).

For small companies without regulatory restraints and one environment, this complexity can be mitigated. But for IT organizations that need consistent key management (across clouds, but also across multiple regions within a single provider) or independence from infrastructure providers, this complexity is difficult to overcome.

Second, protection is incomplete. In the data center, security policies for identity access, network, and storage typically tie to infrastructure. Network policies are implemented using VLANs, subnets, and ACLs tied to IP addresses. Protecting assets typically relies on limiting network access to the storage hardware rather than protecting the data itself. But as the datacenter becomes increasingly hybrid and enterprises lose control over infrastructure, perimeter and network defenses become inadequate. Microsegmentation offers additional protections, but the network is only one part of an enterprise workload.

Without physical control, IT security needs to find other ways to establish logical control over workloads deployed on the cloud.

Third, ensuring transparent, provable control is a headache. Adoption of hybrid cloud expands the scope of audits, as IT must manage various security postures. Establishing visibility and proving control across multiple environments is difficult, with limited opportunity for IT to know how and where data is accessed.

Further, for firms subject to specific regulatory concerns (e.g. HIPAA), provider-offered encryption often raises objections. Proving control over data is essential to most audits, but hard to ensure on hybrid cloud.

Finally, preserving separation of duties between IT and development organizations without breaking the cloud’s self-service model is difficult. IT security must either deliver rigorous separation of controls, interfering with developer self-service procurement to secure resources, or enable agility within development teams but risk the controls being turned off by the teams configuring infrastructure resources.

Transparent cloud security

Bracket Computing offers full workload isolation software designed to address these challenges and enable enterprises to run workloads securely in hybrid cloud environments with a single set of advanced IT security controls. Bracket delivers crypto-enforced micro-segmentation, that includes always-on encryption of data at rest and in motion with customer-controlled keys, data and runtime integrity monitoring, and auditability and forensics capabilities that capture memory at the time of breach.

Bracket works across on-premises VMware clouds, as well as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. The Bracket solution’s enforcement mechanism is a lightweight virtualization layer, called the Metavisor, that not only provides granular controls over network, storage, and compute, but allows these protection services to be inserted and audited transparently, with no impact to developers or data center operations teams.

The Bracket architecture is defined by the following four attributes:

1. Security is delivered transparently via lightweight virtualization

Security policies should be enforced transparently in cloud environments. Just as users are unaware of TLS/SSL in browsers, developers shouldn’t notice security at work. Using virtualization to enforce policies offers this benefit, unlike agents and virtual appliances, which can be misconfigured, incur performance penalties, be turned off by malware that accesses the host, or create chokepoints.

Instead of relying on a traditional delivery method, Bracket developed lightweight virtualization technology, called the Metavisor, to provide controls transparently, without any modifications to the guest OS or applications. Running between the guest OS and the cloud hypervisor, the Metavisor virtualizes I/O only, rather than the whole workload. This allows it to step out of the way when applications are executing. But when a call is made to the storage system or the network, the Metavisor intercepts the call, inserting security services. This allows production workloads to run securely and without significant performance penalties.

Because the Metavisor resides in a separate memory space from the guest OS, it provides the transparency and immutability of a network-based solution while leveraging a one-to-one relationship with the host. 

2. Security is attached to full workloads, not infrastructure

Bracket allows enterprises to write microsegmentation and compute policies on the basis of Bracket tags that are associated with resources, be it data, network links, or instances. Tags are already used on AWS and other cloud platforms, so use of Bracket tags fits well into existing cloud workflows.

These tags remain with assets if they are copied or moved. An example of a policy written on tags might be

Environments tagged ‘dev’ can communicate only with other environments tagged ‘dev’

Written like this, policies can be general like the above, or extremely granular, written to control specific ports, database hosts, or volumes. This provides IT security with policy enforcement that enables logical control over workloads in the absence of physical control, all without disrupting developer workflow.

3. Security is enforced cryptographically based on tags

Encryption of data at rest and in motion is always-on. Once resources are tagged, Bracket uses the Metavisor to cryptographically enforce any policies associated with those tags. Bracket manages and delivers encryption keys as allowed by policies, and includes the ability to decrypt disks or objects, boot instances, or talk to neighbors. When a key is requested, policies are checked and the key is released to the Metavisor, which implements the appropriate policies and allows access to the data. This yields automated, error-free policy enforcement, with the added benefit of always-on encryption that doesn’t impede developers or alter their workflow.

In any environment, but particularly across hybrid cloud, IT must deal with the risks of malware, malicious insiders, and mistakes. Crypto-enforced policies protect enterprises from threats, satisfying regulatory requirements for financial services, healthcare, and other large enterprises.

4. Security is implemented consistently across environments

IT organizations would not configure on-premises environments heterogeneously—for example, using Cisco firewalls exclusively in one data center, and Check Point and Palo Alto Networks products in the other two. Yet firms manage multiple sets of controls to enforce security policies across hybrid environments. This yields complications that not only create human error and increased risk, but also make auditing difficult.

Bracket’s solution allows enterprise controls to be enforced consistently everywhere developers work, minimizing IT’s operational overhead. It allows visibility across an entire enterprise system, with NetFlow and data access logs that fit neatly into enterprise audit processes.

Hybrid cloud adoption will continue to grow, driven by the needs of businesses for flexibility and scale. Without the ability to enforce a single set of controls across environments, IT security teams will have to deal with significant complexity and compliance issues.

With a full workload isolation solution like Bracket’s, security can ensure the scalability of cloud-based solutions, the host-based context of agent-based solutions, and the flat network appeal of virtual appliances—all in one solution. It is an architecture that allows enterprises to leverage the hybrid cloud, enforcing IT control without disrupting developer workflows.

Vinay Wagh is head of product at Bracket Computing. A veteran manager and product leader from Cisco and NetApp, he has extensive experience in virtualization, networking, and storage technologies as part of development teams for industry-leading products including NetApp Data OnTap and Cisco’s IOS-XR. Before joining Bracket Computing, Vinay architected the software and virtualization platform for the packet core gateways at WiChorus, and he remained through the Tellabs acquisition to lead and expand the platform to build multiple products.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to [email protected]

InfoWorld Cloud Computing

Related Posts:

IDG Contributor Network: Cloud computing and the costs: a love-hate relationship

When talking with CIOs and other senior executives, cloud computing is often cited as the foundation of a given digitization strategy. It is typically associated with forward-thinking attributes known from mode-2 (see bimodal IT) such as greater flexibility and agility, faster time-to-market, and being a booster for innovation. However, despite the euphoria to leverage cloud computing to conquer the digital world and produce new top-line growth, behind the curtain, the quest for good old cost reductions — known from mode-1 — still seem to dominate the agenda.

In a global poll of more than 1,000 Chief Information Officers (CIOs) and other senior executives, more than half (53 percent) cite cost savings as the top initiative for 2017, according to RightScale’s 2017 State of the Cloud Report. Among mature cloud users, the priority is even higher with 64 percent — inferring that embarking on the journey hasn’t currently paid off as much as expected.

The underlying rationale: economies of scale

Cloud computing is indeed all about economies of scale. Service providers build state-of-the-art computing factories, hangars filled with the latest IT equipment that is highly standardized and fully automated. Ultra-high density (expressed in a PUE ratio near 1.0) combined with mass volumes allow per-unit costs that are not achievable in a do-it-yourself approach on-premise. Size makes a huge difference in this equation. While providers initially headed east to set up their operations centers in an effort to take advantage of labor arbitrage, automation has become the new priority — following the mantra “the only thing better than low costs is no costs”. While legacy IT was individually tailored and customized, Infrastructure-as-a-Service (IaaS) is on its way to becoming a commodity. Consumers ultimately procure a plain virtual machine (VM), which in turn leads to fierce competition and price battles between the providers as it is becoming more difficult for them to differentiate their services.

But if in theory things are straightforward, the per-unit costs are lower when leveraging the cloud and there is stiff competition in the marketplace among the providers, why are some companies struggling to decrease their total cost of ownership (TCO)?

Overly optimistic transition and transformation planning

The fact of the matter is that not all applications and legacy systems are cloud-ready. Parts of the existing landscape on-premise might be more complex and difficult to move than originally anticipated. Companies not thoroughly assessing the landscape and failing to come up with a well-thought-through transition and transformation (T&T) program might all of a sudden find themselves confronted with not being able to keep the project schedule. Consequently, it takes more time and efforts to complete the migration, which can lead to significant cost overruns.

Skill gaps

Cloud computing has experienced exponential growth over the past years and is expected to climb even further, making talent on the market scarce and expensive. Missing skill gaps not only create loopholes during the planning phase, but also makes it more difficult for companies to move up the IT stack and build more sophisticated use cases beyond just using IaaS. Although the situation is improving overall, missing resources or expertise is still a challenge in 2017 for 25 percent of respondents according to the RightScale report, down from 32 percent in 2016.

Misallocation of IT assets

Cloud users underestimate the amount of their wasted spend. While costs often appear low in the public cloud space at first glance, especially when temporarily using capacity, these costs quickly pile up when occupying resources on a permanent basis. Sizing plays another important role. Whether it’s regarding oversizing VMs or commissioning high-performance storage for non-critical data that is accessed infrequently, there are plenty of examples of how to put on “cloud fat”. While respondents estimate that around 30 percent is going down the drain, RightScale has measured actual waste to be between 30 and 45 percent.

Missing capacity planning and monitoring

Despite an increased focus on cost management, only a minority of companies are taking critical actions to put governance in place with a quarter of all respondents citing managing cloud spend as their biggest challenge. Yet, with an ever-increasing spend on cloud computing, the need for proper housekeeping has never been greater. Tools help in taking a strategic approach and giving organizational and financial context, providing a single-pane-of-glass to monitor, manage, and optimize both usage and spend. Moreover, automated daily reporting will help in identifying and shutting down idle capacity.

Summary

Cloud computing and the costs doesn’t have to remain a love-hate relationship. When planned well beforehand and deployed in a smart fashion, the cloud will make perfect economic sense. This doesn’t just apply for possible cost savings but also — and perhaps even more importantly — for enabling top-line growth. Thinking along the categories people, processes, and tools, will enable companies to come up with a comprehensive game plan that helps overcome the challenges outlined beforehand. Whether it’s all about the Internet of Things (IoT), collaboration services or data-centric business models involving multiple data streams and sources, the cloud is typically the location of choice for a whole array of use cases. Attempting to succeed in the digital age without leveraging the cloud in some shape or form is like trying to cross the Atlantic in a paddleboat. It’s not entirely impossible, but the odds aren’t that great and I wouldn’t recommend trying it!

This article is published as part of the IDG Contributor Network. Want to Join?

CIO Cloud Computing

Related Posts:

FixStream and CenturyLink Accelerate Migration to Hybrid Cloud

News Image

“We are thrilled that CenturyLink has selected FixStream to help accelerate its customers journey to the cloud” said Sameer Padhye, Founder and CEO of FixStream

FixStream, an award-winning Algorithmic IT Operations (AIOps) vendor, announced today that it has inked a distribution agreement with CenturyLink, Inc. (NYSE: CTL), a global communications and IT services company.

CenturyLink offers network and data systems management, big data analytics, managed security services, hosting, cloud, and IT consulting services to global enterprises, many of which are planning to digitally transform their business and migrate their applications to the cloud.

Adopting a cloud strategy while deploying new applications can be challenging for IT operations teams, since visibility could be an issue given the dynamic and complex nature of their hybrid environments. Specifically, IT operations teams might need to correlate millions of data points before getting to the root cause of service outages, up from tens of thousands typical of legacy environments.

To dramatically accelerate the migration to hybrid cloud and to significantly reduce the cost of operations thereafter, CenturyLink will now make available to its customers FixStream’s big data correlation, visualization and analytics platform.

FixStream’s platform will also be available on the CenturyLink Marketplace. The SaaS version will enable CenturyLink customers to rapidly deploy the FixStream platform by leveraging CenturyLink’s self-service, high performance on-demand platform.

“We are thrilled that CenturyLink has selected FixStream to help accelerate its customers’ journey to the cloud,” said Sameer Padhye, Founder and CEO of FixStream. “CenturyLink’s proven digital transformation methodology helps businesses adopt cloud-based and multi-cloud management solutions while increasing IT agility, sharpening operational efficiencies, and enhancing customer experiences.”

“FixStream provides a powerful analytics platform that delivers an end-to-end view of transaction flows correlated with applications and infrastructure in hybrid IT environments,” said David Shacochis, vice president, Hybrid IT Product Management at CenturyLink. “We are pleased to make FixStream available to our customers through the CenturyLink Marketplace. We see real opportunity for operational efficiency and customer benefits as managed services become fueled by big data analytics and machine learning.”

This year FixStream was named as a Gartner “Cool Vendor” and won the Red Herring Top 100 award.

About FixStream

Watch FixStream’s Vision Video

FixStream accelerates the delivery of new digital services. It provides analytics and visualization of business transactions correlated with application services and infrastructure (such as compute, network and storage) in hybrid IT. Customers have deployed FixStream to automate root cause analysis of business transactions and applications, optimize IT resources and reduce infrastructure cost, accelerate technology migration to hybrid cloud, and reduce compliance risk and audit costs. For additional information, visit http://www.fixstream.com/, or connect with FixStream on LinkedIn, Twitter.

Share article on social media or email:

Technology: Networking

Related Posts:

VMware embraces cloud during VMWorld, CEO Gelsinger says

(In the run-up to VMWorld this week, VMware CEO Pat Gelsinger spoke to IDG Enterprise Editor-in-Chief Eric Knorr about announcements at the conference, the future of the company and his five-year tenure at the helm. This is a summary of some of the highlights of that interview.)

As VMware opens up its user conference this week in Las Vegas, the company’s CEO Pat Gelsinger says it is making significant announcements about cloud integration and security.

The company is announcing the availability of VMware Cloud on AWS, a partnership that places the VMware Software Defined Data Center in the AWS cloud as a service. The news is that the service is available in the U.S. West service area in the United States.

“Of course, it’s one availability zone today but we’ll be committing that it’s available in every availability zone before the end of next year,” he says. The service will roll out to the East Coast, Europe and Asia – everywhere AWS is available – by the end of 2018. AWS CEO Andy Jassy is scheduled to make the announcement on stage with Gelsinger.

In addition, the company is announcing management tools that work across any cloud environment, even those that are not built on VMware. Gelsinger says telemetry and metrics tools are available via the company’s purchase of Wavefront earlier this year, as is vRealize Network Insight ( vRNI ), VMware’s tool for visibility and analytics in SDN environments, especially VMware’s NSX. But the program will continue to unfold.

“We’re going to build up a portfolio of service offerings that irrespective of where your workloads are – on-premise, on Azure, using VMware, using native cloud capabilities, Amazon, Azure, Google – we’re going to give you tools to help manage, connect and run in those environments,” he says, but he didn’t offer further details.

Security

VMware is announcing a security feature called App Defense that fingerprints good behavior inside VMs and provides an added layer of security to containers running within virtual machines. The benefit is, “you now have another layer of security that just comes for free as part of the container being in the VM. … You could say, ‘Let’s go do native bare metal containers on Linux,’ and then you say ‘Well, I really want the silicon partitioning, so let’s bring a VM back into the picture.’”

AppDefense springs from work VMware was doing on micro-segmentation, which led to the idea that micro-segmentation can enable the network to become self-isolating. “When you spin up a set of virtual machines the virtual machines can essentially be connected to one another in a secure way. We’re announcing now we have not just micro-segmentation but also distributed encryption as well that we’re releasing. We can have encrypted traffic in flight between VMs,” he says.

Also in the security realm, the company will add single sign-on for Workspace ONE, which is the integration of AirWatch, VMware’s mobility management software, and Horizon, its virtual desktop platform. It gives customers the ability to manage all their devices from a single platform. “The user experience becomes consistent with single sign-on across all applications and user experience as well,” he says.

IoT and edge computing

The Internet of things is playing into VMWare’s announcements with vSAN for IoT. vSAN is VMware’s storage architecture in which VMware hosts share their combined disk space. It now fits in with VMware’s IoT management package called VMware Pulse IoT Center. “IoT with vSAN is just another aspect of [Pulse] in the overall portfolio of strategies,” he says, addressing every IoT device. “Every component needs to be able to be remotely managed, automate the lifecycle and be able to really put the data at the right place, make sure the applications have the latency and the characteristics – and all of it is secured and managed.”

This fits in with VMware’s overall edge computing strategy of putting intelligence closer to endpoints in order to analyze data, maintain devices and upgrade software without relying on links to a central location. “As part of the overall Pulse strategy, it really is give that consistent management, security and networking environment and the IoT with vSAN is just another aspect of that in the overall portfolio of strategies,” he says.

Open source

VMware’s relationship with open source software is being advanced at the conference with two announcements: support for Okata, the latest open source OpenStack platform, and support for Kubernetes container orchestration in Cloud Foundry, the open-source cloud platform from Pivotal.

The first, called VMware Integrated OpenStack, is “grabbing the next set of OpenStack bits and really integrating them to the rest of the VMware stack to make it easy for customers who are pursuing OpenStack to do so on top of their VMware franchise,” he says. That product is aimed mainly at service providers.

The second, is a partnership with Pivotal, makers of Cloud Foundry that can streamline developers’ deployment of applications in the cloud. Pivotal and VMware are teaming up to create Pivotal Container Service. “The three core components associated with that offering are NSX-T, our innovation in terms of being able to integrate container networking directly into NSX,” the compmany’s network virtualization and security platform, he says. The second component is aspects of Kubernetes such as partitioning, micro-segmentation, cluster management and security provided by Kubernetes. The third component is Cloud Foundry.

Containers

He says the standards community is agreeing on container-native interfaces and those are being added to the NSX platform. That, in turn, is being integrated with the Pivotal lifecycle management environment, he says. The result is something that will make developers life easier, he says.

“If the developer wants something that is, let’s say, less curated but still embraces containers and Kubernetes, that’s exactly where [Pivotal Container Service] is focused and all of that built on the VMware infrastructure. We think this is a very powerful answer to solve that gap between the developer and the operations personnel and bring those two worlds together,” he says.

Photon, VMware’s minimal-Linux container host, fits into this picture with plans for deeper integration of it as the default native operating system, he says. But users would still be able to use the Linux distro of their choice if they prefer.

He says VMware doesn’t see a competition between containers and virtual machines, but VMware is trying to make running containers in VMs easier and touting it as more secure than containers running directly on hardware. “We think containers are great. We love them. We’re going to enable them. The primary benefit of containers is an accelerated application development, deployment and life cycle management. For the most part, we don’t see it as replacing virtualization,” he says.

The Dell tailwind

Gelisnger says VMware is doing well right now for three reasons: tech companies in general are doing well; VMware products, with their cloud integration, are becoming part of customers’ strategic thinking; and the company, now part of Dell Technologies, is getting a ‘tailwind’ from that association by having its products rolled into customer wins Dell makes.

“They’re helping the deals to get done, deals to get better and larger. We’re building more solutions with them,” he says. “Overall we see it pretty broadly across the portfolio and they have a lot of reach into markets that we haven’t built as much go-to-market capacity in yet so that’s helping us.”

And VMware is making other alliances that help its sales, he says. For example, it is expanding its relationship with IT services company DXC, and IBM is included as part of VMwares freshly minted App Defense product.

Businesses are embracinng hyper-converged infrastructure, and VMware is trying to help supply appliances that make it so businesses don’t have to build their own infrastructure to do so. “We’re trying to say it’s our job, whether that’s cloud or on-premises, for us to go manage that for you so that you could be spending your energy increasingly aiming to business-differentiating activities,” he says.

Customer’s thinking goes like this, he says: “If I’m going to get an appliance, I want a good price, I want a good value but I’d like you to be able to do that for me rather than me putting the white-box pieces together.”

As he approaches his fifth anniversary as CEO, Gelsinger says his biggest accomplishment is getting VMware ready for its second act. That is, going beyond its initial success with its virtualization products, VSphere.

He points to successes in software-defined data centers, Workspace ONE, the company’s identity application and mobility management platform, and its push into cloud as evidence that there is a promising second act unfolding.

“I think that would be the sum of my five years here, is building that strategy, getting the execution under way so that we’re positioned not just to be a great company in the past or the present but for decades to come,” he says.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Network World Cloud Computing

Related Posts: