Flexibility, on-demand computing resources, and speed are just some of the benefits driving information technology's shift to the cloud. In fact, market data shows that roughly a quarter of overall computing workloads already run in public cloud environments today, a figure expected to grow to half over the next 10 years. At the same time, organizations with more cloud experience are beginning to operate in a hybrid environment that spans public cloud, private cloud and on-premises virtualization, and the number of companies embracing this mixed ecosystem is only expected to grow. Indeed, research suggests that 80 percent of organizations will commit to a hybrid architecture by the end of 2017.

But cloud environments come with unique challenges. They're a different beast altogether. You can't assume that you can take care of your cattle (your re-deployable cloud-based assets) the same way you take care of your pets (your limited number of "special" data center assets).

More than that, don't assume it's up to your cloud service provider (CSP) to take care of your cattle. Under what's known as the shared responsibility model, a CSP is responsible only for security of the cloud: protecting the facilities, hardware, hypervisors and managed services that run the cloud platform. It is not responsible for security in the cloud: the security, compliance and operational controls of your operating systems, applications, data, identities and access policies. That responsibility falls squarely on you, the customer. Exactly where the line is drawn shifts with the service model (the CSP manages more of the stack for a managed database than for a bare virtual machine), but your data, and who is allowed to reach it, remain your problem in every case.

So, how can you secure your data and assets in the cloud against some of the most common threats to cloud infrastructure? To answer that, we look to the Center for Internet Security (CIS). This nonprofit develops the CIS Critical Security Controls, a prioritized set of foundational controls that include essential security and compliance capabilities like asset discovery, security configuration management, vulnerability assessment, and log management.
They are basic security hygiene that provides the biggest return on investment in terms of risk reduction. According to CIS, implementing the first five controls alone can reduce an organization's risk of cyber attack by around 85 percent. These controls are as follows:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
Fortunately, these controls do apply to the cloud. But there are still some challenges you may run into when deploying these controls to protect your cattle. I elaborate on these obstacles in another article published on The State of Security:
"If your controls don’t support both types of environments, you may end up deploying multiple controls for multiple environments. Dealing with multiple controls for environments is time-consuming in terms of deployment, administration and reporting. In addition, gaps in monitoring can occur if the data is not consistently collected and centralized across all infrastructure.

"Another challenge is the dynamic nature of elastic computing environments where elastic assets come online and go offline to scale up and down to meet demand. Your security controls will need to match that demand as cloud assets are rapidly created and destroyed. Otherwise, gaps in visibility and errors can occur as hosts appear and disappear."
And let's not forget that some infrastructures require specific platform and policy support. Not all solutions support Amazon Linux or Docker containers, for example. Why? For one thing, containers are more like chickens than cattle: they mature much more quickly, require less food, and outnumber cattle by a factor of 100. Containers are also a different beast entirely. They share the host's operating system kernel, but each container carries its own userspace of application binaries, libraries and configuration, so a control that only inspects the host's packages and files will miss what is actually running inside them. You therefore need to make sure that your foundational controls support the policies, operating systems, platforms, and technologies (including containers) you use across your complete infrastructure. So, what’s the ideal foundational controls solution for hybrid environments? Choose a toolset that can:
- Apply the same robust controls across on-premises and cloud networks with a unified management and reporting environment.
- Support dynamically on-boarding and off-boarding nodes to ensure continuous coverage in elastic environments.
- Support cloud policies and platforms in addition to the policies and platforms that you use on-premises.
- Assess cloud-oriented technologies like Docker containers.
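As an added example (not code from the original article and not Tripwire's own), here is a small Python reconciliation of a cloud instance inventory against a security-agent registry. It is the check a foundational-controls tool has to run continuously to close the visibility gaps described above when elastic hosts appear and disappear: running instances that never got an agent, agent records for instances that no longer exist, and agents that are registered but have gone quiet. The record shapes, instance identifiers, timestamps and grace periods are all assumptions and constructed sample data; in practice the inventory would come from the provider's API (for example the fields of an AWS describe-instances response) and the registry from your agent console.

```python
"""
Reconcile a cloud instance inventory against a security-agent registry.

Added example (not Tripwire's code and not from the original article).
Assumptions: the cloud inventory is a list of dicts with the fields you
would pull from an AWS describe-instances call (instance id, state, launch
time, tags); the agent registry is a list of dicts with the instance id
each agent reported plus its last check-in time. Both inputs below are
constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Grace periods (assumed values): how long a new instance may run before we
# expect an agent, and how long an agent may stay silent before we treat it
# as broken.
ONBOARD_GRACE = timedelta(minutes=15)
CHECKIN_GRACE = timedelta(hours=1)

# Fixed clock so the sample is reproducible.
NOW = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed cloud inventory (shape modelled on describe-instances output).
CLOUD_INVENTORY = [
    {"id": "i-0a1", "state": "running", "launched": NOW - timedelta(hours=3), "tags": {"Name": "web-1"}},
    {"id": "i-0a2", "state": "running", "launched": NOW - timedelta(minutes=5), "tags": {"Name": "web-2"}},  # just scaled up
    {"id": "i-0a3", "state": "running", "launched": NOW - timedelta(days=2), "tags": {"Name": "db-1"}},
    {"id": "i-0a4", "state": "terminated", "launched": NOW - timedelta(days=1), "tags": {"Name": "web-old"}},
    {"id": "i-0a5", "state": "running", "launched": NOW - timedelta(hours=2), "tags": {"Name": "batch-7"}},
]

# Constructed agent registry (what the security tool believes it is monitoring).
AGENT_REGISTRY = [
    {"instance_id": "i-0a1", "last_checkin": NOW - timedelta(minutes=2)},
    {"instance_id": "i-0a3", "last_checkin": NOW - timedelta(hours=6)},   # running but silent
    {"instance_id": "i-0a4", "last_checkin": NOW - timedelta(hours=20)},  # instance is gone
    {"instance_id": "i-0zz", "last_checkin": NOW - timedelta(days=3)},    # not in this inventory at all
]


def reconcile(inventory, registry, now=NOW):
    """Return the three gap lists that continuous coverage has to close."""
    running = {i["id"]: i for i in inventory if i["state"] == "running"}
    agents = {a["instance_id"]: a for a in registry}

    # 1. On-boarding gap: running long enough that an agent should have registered.
    unmonitored = sorted(
        iid for iid, inst in running.items()
        if iid not in agents and now - inst["launched"] > ONBOARD_GRACE
    )
    # 2. Off-boarding gap: agent records whose instance is terminated or unknown.
    stale = sorted(iid for iid in agents if iid not in running)
    # 3. Silent agents: instance is running, agent registered, no recent check-in.
    silent = sorted(
        iid for iid, a in agents.items()
        if iid in running and now - a["last_checkin"] > CHECKIN_GRACE
    )
    return {"unmonitored": unmonitored, "stale": stale, "silent": silent}


def coverage(inventory, registry, now=NOW):
    """Fraction of running instances with a live agent, for the coverage report.

    Instances still inside the on-boarding grace period count as covered.
    """
    running = [i for i in inventory if i["state"] == "running"]
    gaps = reconcile(inventory, registry, now)
    bad = set(gaps["unmonitored"]) | set(gaps["silent"])
    return (len(running) - len(bad)) / len(running) if running else 1.0


if __name__ == "__main__":
    result = reconcile(CLOUD_INVENTORY, AGENT_REGISTRY)
    for kind, ids in result.items():
        print(f"{kind:12s} {ids}")
    print(f"coverage     {coverage(CLOUD_INVENTORY, AGENT_REGISTRY):.0%}")
```

The three lists are the work queue: unmonitored running instances need an agent deployed (or, better, the auto-scaling image fixed so new hosts come up with one), stale records should be retired so reports stop counting phantom hosts, and silent agents are the ones most likely to be hiding a configuration drift or vulnerability finding. The on-boarding grace period is what keeps a host that scaled up two minutes ago from being paged as a gap.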
In summary, you may need to wrangle both pets and cattle for the foreseeable future in your hybrid environments, and the criteria above are aimed at your cattle specifically. Not all solutions work equally well between on-premises and the cloud, so it’s important to evaluate how a solution supports the different technologies you are using today and the ones you will be using in the future. For information on what foundational controls Tripwire applies to hybrid cloud environments, see this resource: https://www.youtube.com/watch?v=vjyWBi0UDzU