July 30, 2015 | Written by: Turgut Aslan
IT consumers are increasingly requesting hybrid cloud solutions, mainly because of the flexibility and scalability they offer. A hybrid approach allows the customer to use their existing traditional IT environment while taking advantage of the latest technologies available.
Along with the many benefits that a hybrid cloud offers, bringing together disparate technologies can create some security headaches. Three major concerns with hybrid cloud are security, data privacy and regulatory compliance.
In this article, we focus on the security aspect. Data privacy and regulatory compliance concerns will be addressed in separate blogs.
Some characteristics of traditional IT
Traditional IT in data centers often consists of single boxes that are connected to each other by many cables. There’s often a diversity of hardware, operating systems and applications. The reason for this chaos is that the environment likely grew over time. This brings complexity, and maintenance can be expensive. In this scenario, there are too many manual processes.
Years ago, I visited an automotive company’s data center. During the visit, I recognized some older hardware. I learned that it was running an operating system that the vendor no longer supported. The server was still running a self-written script, which had production impact. But nobody from the technical staff was able to answer my simple question: What happens if I were to power down this server?
Their guesses about this hypothetical scenario ranged from no effect at all to a full production stoppage. Stopping the script poses a major problem for obvious reasons.
To expect full state-of-the-art security in such a case is probably not realistic. At some point in the past, someone set up this server and wrote a script to control one part of the production. Later, additional servers and devices were added to control the production.
Complexities now arise in tasks like security patch management because some of the operating systems in the production environment are no longer supported. Proper risk management has to be set up and maintained here. Complexities also arise from the fact that old hardware is unable to support the new and more advanced password requirements in the company policy.
The cloud approach
When a process becomes overly complex, it’s only natural that we should try to simplify it. Instead of having many different hardware platforms, devices, operating systems, databases and applications, try reducing them to a few of each type. Standardization is a strong approach to reduce complexity.
Through standardization, another concept starts to make sense: automation. Standardization makes it easier to automate IT security for many servers and devices. This also reduces the staff needed to maintain the environment. Cost is very often a driving factor for this type of change. Instead of manually installing security patches on diverse operating systems, middleware and applications can do the job just as effectively. In a regularly changing environment, automated detection of a few standard operating systems and automated patching of many hundreds or thousands of servers can promote significant cost savings.
Finally, there is the underlying infrastructure and hardware. This given infrastructure is able to support a certain, defined level of IT security due to limitations of appliance hardware and software capabilities. Virtualization sometimes helps to better address necessary software updates, which provides enhanced IT security.
Integrating traditional IT and cloud
There is no easy and painless way to migrate traditional IT solutions to the cloud. Similarly, there are inherent challenges to running parallel workloads in traditional IT while using cloud solutions in a hybrid environment.
A master plan is needed to migrate existing workloads to the cloud. The present mode of operation (PMO) and the future mode of operation (FMO), each with its respective IT security policy, have to be clearly defined. Areas that are relatively independent from others are more easily migrated to the cloud.
A thorough inventory of existing hardware, software, applications and dependencies is needed before such a shift can take place.
Having a good understanding of the target environment (FMO) is essential. What are the current IT security and regulatory requirements that the PMO has to comply with? And which regulatory frameworks will become larger focus areas in the near and mid-term future?
Traditional and cloud-based IT must converge seamlessly in order to minimize risks of security exposure and increase regulatory compliance in hybrid cloud solutions.