Cloud Security Decision Frameworks (Part 2)
Sometimes it seems as if companies are moving deeper into the cloud every day by any means necessary with or without security on board. Unsanctioned shadow IT initiatives abound as well as sanctioned business initiatives or IT cloud infrastructure projects. As we wrote in Cloud Security Decision Frameworks (Part 1), the security organization is often hampered in developing risk management strategies by the lack of over-arching enterprise cloud computing strategy guidance.
If this describes your situation, you’ll need to work to set the missing direction with other stakeholders – including the CIO and CTO (or delegates), enterprise architecture (EA), legal counsel and various technical teams responsible for IT or business application strategy. To help you begin, Security Architects Partners is providing this series of posts and also offers cloud security expertise and architecture improvement services.
We recommend getting started by forming a Cloud Security Working Group (CSWG), building stakeholder maps, and engaging the stakeholders to answer all the questions listed in bold below. It’s important to make it easy for the stakeholders to provide input and to collect assumptions as you go so that security programs can increasingly align in parallel as a full cloud computing strategy emerges.
Security Architects Partners is working on developing a cloud security decision framework to identify typical stakeholder profiles, alternative options, and decision criteria to help clients answer the questions listed (with simplified summary discussions) below. Read on and contact us if you need more information.
1. What is our primary cloud computing direction – Public or private?
How things have changed! In the early days of cloud computing, security pros typically said: “Don’t put your sensitive data in the cloud!” Now, many enterprises are adopting a “cloud first” strategy wherein hosting applications in the public cloud is the default choice. Cloud-first is increasingly emerging despite data residency/privacy compliance concerns for global companies; the question becomes not “if we should use the cloud” but “how can we use the cloud?”
However, actual direction-setting – even for those aspiring to a cloud-first posture – is more nuanced than the big trends mentioned here and in Q2 and Q3 below. Decision tools such as the Open Group Cloud Buyer’s Decision Tree tend to cover general purpose infrastructure-as-a-service (IaaS) computing, but often neglect guiding the choice of application platforms (e.g. PaaS or in-house application frameworks) and line of business tools (e.g. SaaS or premise-based applications).
Often, enterprises choose not to decide a primary direction. They seek instead to locally optimize whatever’s fit for purpose in each use case. Whatever the primary direction, we recommend clients revisit it after working through the areas covered in all 11 of these questions.
2. What style or level of private cloud sophistication should we develop?
Private cloud adoption of internal IaaS (complete with service catalogs and self-service workload orchestration for all business IT users) is losing traction as many enterprises find full cloud management platforms (CMPs) too expensive and complex to deploy. Less-functional on-premise virtual data center deployments do abound; but most of these are private “cloud” in name only; they tend to fall far short of delivering the scalability, elasticity and agility public cloud services can offer. Nevertheless, simpler forms of privately-hosted virtual machine automation, managed services and co-location (colo) hubs (see Q6 and Q8) should be part of the strategy even if your primary direction is to the public cloud.
3. What cloud hosting guidelines should we establish for different types of applications and data?
New apps, existing apps, legacy apps, so many apps. Does the enterprise have an overall applications strategy? This is, after all, an exercise in application rationalization. Locate all the data you can from any previous application inventories or surveys to find application assessments, lists, projects in flight or projects planned. Hosting guidelines should state a direction for future developments – this should include selection criteria for in-house, IaaS, PaaS or SaaS destinations and also some guidance on application patterns. Avoid or fix cloud-unfriendly anti-patterns like hard-coded configuration settings or credentials in favor of patterns that scale well per Q5 and the dynamic virtual environment.
4. How can we exercise cloud computing governance?
Without governance, shadow IT will bring higher costs to the enterprise along with higher risks. We recommend companies combine a top down approach (policy development and enforcement) with a bottom up approach (scan the network traffic to discover all the cloud service providers (CSPs) in use). Both approaches have challenges and choices that we’ll cover later in more detail.
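A sketch of the bottom-up half of that approach, added here as an illustration and not taken from the framework itself: it tallies cloud providers seen in a web proxy log and compares them with the list approved by policy. The log format, the domain catalogue and the sanctioned list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed catalogue of domain suffixes per provider (assumption).
CSP_SUFFIXES = {"amazonaws.com": "AWS", "dropbox.com": "Dropbox",
                "salesforce.com": "Salesforce",
                "blob.core.windows.net": "Azure Storage"}
SANCTIONED = {"AWS", "Salesforce"}  # top-down input: approved by policy

# Constructed proxy log: timestamp user destination-host bytes-out
SAMPLE_LOG = """\
2015-12-01T09:00:01Z alice s3.amazonaws.com 1200
2015-12-01T09:00:07Z bob www.dropbox.com 5242880
2015-12-01T09:02:30Z bob www.dropbox.com 1048576
2015-12-01T09:03:02Z dave corpdata.blob.core.windows.net 300
2015-12-01T09:03:40Z erin notdropbox.com 50
malformed line
"""

def match_provider(host):
    """Return the provider whose suffix matches on a label boundary, else None."""
    host = host.lower().rstrip(".")
    for suffix, provider in CSP_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return provider
    return None

def discover_csps(log_text):
    """Aggregate requests, uploaded bytes and users per provider in the log."""
    seen = defaultdict(lambda: {"requests": 0, "bytes_out": 0, "users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than abort the run
        _, user, host, size = parts
        provider = match_provider(host)
        if provider:
            entry = seen[provider]
            entry["requests"] += 1
            entry["bytes_out"] += int(size)
            entry["users"].add(user)
    return dict(seen)

def unsanctioned(report):
    """Providers in use but absent from policy, largest upload volume first."""
    rows = [(p, r) for p, r in report.items() if p not in SANCTIONED]
    return sorted(rows, key=lambda pr: pr[1]["bytes_out"], reverse=True)

if __name__ == "__main__":
    print(unsanctioned(discover_csps(SAMPLE_LOG)))
```

Matching on a label boundary keeps look-alike hosts such as `notdropbox.com` out of the tally, and ranking by uploaded bytes puts the providers receiving the most enterprise data at the top of the governance review.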
5. How can we orchestrate applications and workloads across multiple clouds?
DevOps environments must leverage a high degree of automation to fulfill operational requirements for scalability and agility, while also meeting performance and availability expectations. Network zones and boundaries must protect the confidentiality of sensitive data from intruders, and the integrity of production processes from development areas. Tricky problems of administrative privilege management, application credentials management, and workload cryptographic bootstrapping must be addressed through a consistent set of architectural patterns, standards and guidance. In some cases, companies can start by discovering what their best and brightest developers are already doing.
6. How can we integrate multi-cloud networking, data/storage and resiliency management?
Not everyone realizes this yet, but a growing number of CSPs, network service providers, cloud service brokers (CSBs) and colo hub vendors are building new cloud computing network overlays and control planes atop the Internet itself. Although SSL and IPsec will remain the default use case, cloud security in the network isn’t just about VPNs anymore. Colo hubs can connect end customers to CSPs’ facilities through regional cloud peering centers enabling high speed, high volume communications. They do this with both direct fiber channel connections at the storage layer and software defined networks (SDNs). This approach abstracts the considerable complexity of these connections away from the end customer, and creates new opportunities; for instance, it may be possible to host cloud applications’ data tiers in read-optimized colo hubs while their corresponding compute processing tiers run in multiple public clouds.
7. How can we maintain data consistency?
If similar logical data sets, or subsets of the same master data repository, reside in multiple cloud provider sites, consider how to rationalize access to a consolidated set of replicas and how to replicate or synchronize the data. Inconsistent data can reduce integrity or availability in business processes or applications that depend on the data, and may also have confidentiality-related regulatory compliance implications as well as data loss protection implications.
8. Which, and how many, vendors should be our strategic CSP partners?
The hybrid IT, multi-cloud architecture remains a work in progress. Though new standards emerge, many management and interoperability challenges can only be addressed through value-added products (e.g. cloud server brokerage), CSP-specific features or custom development in the end customer’s service ticketing and orchestration environments. Enterprises must place their bets on both architecture patterns and market players; in the cloud networking arena, for example, customers may only be able to avoid CSP vendor lock-in at the cost of CSB or colo hub vendor lock-in.
Securing the Patterned Cloud
Our cloud security decision framework is still a work in progress, but it already enables clients to identify the stakeholder maps, architecture options and decision criteria to help companies’ IT strategy working groups address each of the above questions. Out of this exercise, security teams can develop a working set of assumptions for a “patterned cloud” to be ratified by IT, EA and other stakeholders. This will help them find much more relevant answers even to strictly security-related questions, such as:
9. How can we master data residency and other compliance challenges?
Safe Harbor is dead. Much larger fines and tougher (though perhaps more consistent) rules and enforcement are coming from the European Union and other jurisdictions for controlling the transfer of personal data out of the citizens’ home countries. Companies utilizing public CSPs must pay closer attention than ever to their model contracts, data center locations, privacy policies and security controls. The security and cloud computing markets offer tool-based architecture solutions as well, such as cloud encryption gateways enabling customers to hold the keys to the data. The colo hub solutions from Q6 could potentially provide a rarely-seen combination – simultaneous improvement on network performance, availability, data consistency and data residency compliance.
10. How can we manage identity and privilege across the clouds?
Enterprises need identity and access management (IAM) architectures that consolidate, federate and abstract this problem. Options: Consolidate authoritative sources for personal data in the core workforce, supply chain and customer communities. Distribute (or federate) authorization and authentication at the edges of those communities, and into or out of cloud environments. Abstract identity data access and policy decisions from the authoritative sources by relying on identity standards, such as SAML, OAuth 2.0 and OpenID Connect wherever possible. The identity experts in your organization should have some knowledge of these interworking patterns, and be able to apply them to your overall framework of cloud decisions emerging from the strategy.
11. How can we gain visibility to manage risk in disparate places?
Recall from Q4 that visibility is a prerequisite for cloud computing governance. Whatever approach the enterprise takes on primary cloud direction, application hosting, cloud networking and IAM, how to maintain visibility should be a key decision criterion. IT and security groups must be able to monitor events, logs, configurations and vulnerabilities throughout the environment.
As we close out 2015, it’s clearer than ever that cloud computing has upended IT, and that it demands a plethora of decisions that stakeholders aren’t entirely prepared to make. The cloud security decision framework can help, but even the summary provided here is a lot to take in. The good news for IT and security professionals is that we’re more relevant and necessary to the enterprise than ever. Even as IT components are outsourced, the need for IT experts and architects to broker manageability, consistency and business benefit out of it all becomes ever more pressing. And the basic risks and security needs don’t change even when applied in new contexts.