The Shift to the Hybrid Cloud

According to Gartner, there is a massive shift to the hybrid cloud. They are predicting that by 2020, 90% of organizations will adopt hybrid infrastructure management capabilities. This massive shift opens the door to more security threats, but if managers sufficiently prepare and monitor their environment, the shift can be seamless and organizations can take advantage of both on-premise assets and unlimited cloud scalability.

This 36-page eBook looks at how building a Continuous Security Architecture can improve an organization's security posture, reducing the potential threat of breaches by providing one view, with remediation, across physical, public, and hybrid clouds. In this eBook you will learn:

  • The challenges facing today's CISO
  • How continuous security applies to the Cloud and Containers
  • Understanding the Shared Responsibility Model
  • How to build a Cloud-native Continuous Security Architecture
  • The operational side to securing modern workloads
  • 10 key criteria for building a secure hybrid environment

CONTENTS

What We Mean by Continuous Security — Tech and Business Needs 

  • Challenges Facing the CISO 
  • How This Applies to the Cloud (and Containers) 
  • The Shared Responsibility Model 

A Cloud-native Continuous Security Architecture 

  • Micro-Services 
  • Micro-Segmentation 
  • API-First 
  • Controls, Frameworks, Benchmarks, and Guidelines 
  • The UI and Reporting 
  • SDN, SDDC, and NFV 

Securing Modern Workloads—The Operational Side 

  • Agility in Security—DevSecOps, AWS CloudFormation, and Quick Start Example 
  • Container Security 
  • Adaptive/Predictive Analytics; Security Analytics 
  • Looking Ahead—Functions as a Service / Cloud Functions 

 

 

Ten Selection Criteria: Keys to Success 

  • Benchmark Development—Controls and Target of Evaluation (ToE) 
  • Understanding Security Control Requirements In-Depth 
  • Understanding Your Infrastructure Workloads and Targets In-Depth 

Acronyms / Glossary 

References 

 

What We Mean By Continuous Security — Tech and Business Needs

Continuous security reflects the speed of change within the digital enterprise, with the understanding, first penned by IBM, that security is a verb, and not a noun. It is something you ‘do,’ and not something you ‘have.’ It is a process that incorporates several well-defined steps, including:
  • Defining your objective
  • Taking action to reach that objective
  • Periodically checking to see if you are still on track to meet this objective
  • Critically, verifying that the objective has not changed 

Security objectives must be created with an understanding that the only constant is change, reflecting ‘cloud speed’ where the network changes from one moment to the next, and cloud scale, where any implementation must scale to the largest and most distributed on-premise and public cloud deployments. The introduction of DevOps lends more emphasis to ‘continuous,’ while microservices and containers only add to the speed of change. More on both in a bit. 


We can look at security as a series of shells, roughly aligned to elements of the cloud shared-responsibility model, described a bit later. The outermost layers address the physical infrastructure, including network security. Moving toward the center, we reach the OS (aka workload), and then the applications with their associated data. Requirements spanning all layers include policy and risk management, as well as operations and monitoring. How does this relate to the concept of ‘continuous security’?

When we think of the network, we have an easy time associating this with continuous security, given that firewalls are always on and updated. There is also a vast threat intelligence infrastructure, updated in real-time. Endpoint security, usually in the form of always-on agents, is also easy to understand, especially if you have a device with EDM software installed by your enterprise. But as we get to the center of the circle, things are less clear.

 

Is an application constantly checking its security posture? Is data at-rest constantly scanned? How often are applications, the source of many breaches, patched? Operational security includes monitoring, but just how much is enough, and then what do you do with the analytics in a timely fashion? 

Looking at workload security, here we apply various benchmarks, frameworks, and guidelines to the infrastructure, both on and off-cloud, while the ability to monitor, assess and remediate continually is a requirement. Capabilities may include system monitoring and management, application control via whitelisting, exploit protection, as well as management and visualization of micro-segmentation. 

A bit confusing is the fact that workload security may also apply to endpoint OSs, and benchmarks have been created for network devices and firewalls. Given this, the diagram below is potentially a better way of looking at the problem.

 

To put things in perspective, we’ll next take a step back and look at the challenges facing the CISO, both on-premise and as part of cloud deployments. The remaining sections then look at the overall architecture of the solution along with some capabilities, but they are not intended to be an exhaustive list of the features available across the workload protection market.

To find out the challenges facing the CISO and other insights into building a hybrid infrastructure, fill in this short form and we will send you a link to the complete online eBook, Securing Your Hybrid Cloud.

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.