Securing data centers on the road to a multicloud environment


The two trends with the most momentum in IT have to be cloud and security. And, interestingly, the first makes the second harder. 

When it comes to security, there are a few things to consider. Certainly, the days when strong perimeter security was enough are long gone. But how do companies provide any perimeter security when cloud and multicloud mean that the perimeter of the infrastructure is somewhat (and literally) nebulous and potentially changing? And how should companies reconcile a drop in control and visibility as workloads move off premises? Finally, and perhaps most importantly, don’t cloud and multicloud represent an expanded attack surface at a time when managing the existing security umbrella is already difficult?

Yes, security is challenging. But there are things that enterprise IT should be considering as they embark on the multicloud path.

Perimeter security might not be enough, but it still matters

There is no question that the drawbridge-moat style of securing infrastructure is ageing. But it is also true that there must still be some perimeter security in place. In the classic data centre sense, this is why network teams deploy network security in the form of firewalls with next-gen capabilities. 

This same model has a place in the cloud. As teams deploy pools of resources, it is critical to front-end them with a secure gateway. A virtual private cloud (VPC) should operate with many of the same security best practices as a physical data centre. And that means deploying a capable security device—albeit a virtual one—in that gateway role. 

Of course, in addition to providing next-gen firewall capabilities, this virtual device is also the natural place to terminate the encrypted tunnels (typically IPsec) that carry traffic between data centres and clouds, so that no inter-site traffic crosses the public Internet in the clear. 

Micro-segmentation has a place outside of the data centre

Most security-minded people are familiar with the emergence of micro-segmentation as a means of controlling east-west traffic inside the data centre. But segmentation is more than a data centre imperative. 

In a multicloud world, the definition of east-west traffic expands to cover any traffic between workloads anywhere in the enterprise. For example, cloud bursting, that is, using public cloud resources to temporarily boost application capacity, means that workloads might drive traffic dynamically between the private data centre and one or more public clouds. The security requirement does not drop as the traffic leaves the data centre. And that means that tools like micro-segmentation must extend beyond the data centre into the public cloud. 

In fact, as edge computing continues its rapid adoption, companies will find that workloads will run at the network edge as well. Trends such as IoT, for example, will favour distributed clouds in some instances, meaning micro-segmentation solutions will not even be confined to the (private and public) data centre realm. Indeed, remote sites (both campus and branch) will also need to be folded into the multicloud security mix.

From bare metal servers to containers

Security policies will also need to be more granular. It is not enough to enforce at aggregation points like the data centre edge, the VPC gateway, or the access port on a top-of-rack switch. As workloads diversify, enterprises will need a means of securing everything from bare metal servers to virtual machines to containers, across both private and public environments.

At a minimum, this places additional requirements on security architectures. But it also forces an enterprise-wide rationalisation of security capabilities. In this case, the diversity of a multicloud environment represents an increasingly complex distributed security problem. 

Diversity is the enemy

Security environments are more complex and cybercriminals are more determined than ever, yet organisations are utilising security solutions built on standalone security tools, resulting in vendor sprawl and ineffective security strategies. Organisations now recognise that the ability to integrate disparate security technologies is the main challenge to achieving an effective security automation architecture. According to a recent study conducted with Ponemon Institute, 59 per cent of respondents believe that their organisation needs to streamline its number of vendors.

But what happens when the operational load exceeds the capacity of an enterprise? During booming economic times, the problem is already present. If the economy slows down or contracts, enterprises that have not explicitly designed for operational efficiency will find themselves facing a difficult decision: do they keep a security measure in place or meet Opex targets?

Enterprises should be looking, wherever possible, to a common means of administering security over diverse environments. The push for multicloud has brought with it a movement towards multicloud management platforms. These platforms represent a common means of specifying and ultimately enforcing security policy, allowing enterprises to rise above cloud-specific solutions. 

This has the added advantage of unifying security policy over a diverse set of resources. It should not matter whether an application resides in a private data centre, or in public cloud A or B. Regardless of where the resource is, the security requirement ought to be the same. Using a common management approach to ensure that is the case will ultimately bring both stronger security and operational advantage. 
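A concrete way to express the two points above (segmentation that follows the workload out of the data centre, and one policy that gives the same answer whether the workload sits in the private data centre, cloud A or cloud B) is a label-based micro-segmentation policy. The example below is added here and is not code from the article or from Juniper Networks. The workload names, labels, addresses and rule set are constructed for illustration, and the split of enforcement points into DC firewall, VPC gateway and host agent is an assumption about the architecture described above, not a description of any product.

```python
"""
Location-agnostic micro-segmentation policy.

Added example; it is not code from the original article or from Juniper
Networks. Workloads are matched by labels (app, tier) rather than by where
they run, so one rule set gives the same verdict for a web server in the
private data centre and for its burst copy in a public cloud. Every workload
name, label and address below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    location: str        # "dc", "cloud_a", "cloud_b", "edge"; never consulted by a rule
    address: str         # the address the enforcement point in that location sees
    labels: frozenset    # e.g. {"app:shop", "tier:web"}


@dataclass(frozen=True)
class Rule:
    src: frozenset       # labels the source must carry (subset match)
    dst: frozenset       # labels the destination must carry (subset match)
    ports: frozenset     # "proto/port" strings; "*" matches any port
    action: str          # "allow" or "deny"


class Policy:
    """Ordered rules, first match wins; unmatched traffic falls to the default (deny)."""

    def __init__(self, rules: Iterable[Rule], default: str = "deny") -> None:
        self.rules = list(rules)
        self.default = default

    def decide(self, src: Workload, dst: Workload, port: str) -> str:
        for rule in self.rules:
            if (rule.src <= src.labels and rule.dst <= dst.labels
                    and ("*" in rule.ports or port in rule.ports)):
                return rule.action
        return self.default

    def compile(self, inventory: List[Workload]) -> Dict[str, Set[Tuple[str, str, str]]]:
        """Expand the label rules into concrete (src, dst, port) allow entries,
        grouped by the location whose enforcement point (DC firewall, VPC
        gateway, host agent; an assumed split) protects the destination.
        Default deny means only allow entries have to be distributed.
        Expansion goes through decide() so rule order, including earlier
        explicit denies, is honoured."""
        ports = {p for rule in self.rules for p in rule.ports if p != "*"}
        entries: Dict[str, Set[Tuple[str, str, str]]] = {}
        for src in inventory:
            for dst in inventory:
                if src is dst:
                    continue
                for port in sorted(ports):
                    if self.decide(src, dst, port) == "allow":
                        entries.setdefault(dst.location, set()).add(
                            (src.address, dst.address, port))
        return entries


# Constructed inventory spanning the private DC, two public clouds and an edge site.
INVENTORY = [
    Workload("web-dc-1", "dc", "10.10.1.11", frozenset({"app:shop", "tier:web"})),
    Workload("web-burst-1", "cloud_a", "172.16.5.21", frozenset({"app:shop", "tier:web"})),
    Workload("db-dc-1", "dc", "10.10.2.31", frozenset({"app:shop", "tier:db"})),
    Workload("batch-1", "cloud_b", "192.168.40.7", frozenset({"app:reports", "tier:batch"})),
    Workload("sensor-gw", "edge", "10.200.0.5", frozenset({"app:iot", "tier:gateway"})),
]
WORKLOADS = {w.name: w for w in INVENTORY}

POLICY = Policy([
    # Explicit deny first: IoT gear never reaches a database, even if a later rule widens access.
    Rule(frozenset({"app:iot"}), frozenset({"tier:db"}), frozenset({"*"}), "deny"),
    # The shop web tier, wherever it runs, may reach the shop database on PostgreSQL.
    Rule(frozenset({"app:shop", "tier:web"}), frozenset({"app:shop", "tier:db"}),
         frozenset({"tcp/5432"}), "allow"),
    # Reporting batch jobs in cloud B may read the same database.
    Rule(frozenset({"tier:batch"}), frozenset({"app:shop", "tier:db"}),
         frozenset({"tcp/5432"}), "allow"),
])


def verdict(src_name: str, dst_name: str, port: str) -> str:
    """Policy decision for a named source, destination and port."""
    return POLICY.decide(WORKLOADS[src_name], WORKLOADS[dst_name], port)


if __name__ == "__main__":
    for s, d, p in [("web-dc-1", "db-dc-1", "tcp/5432"),
                    ("web-burst-1", "db-dc-1", "tcp/5432"),
                    ("batch-1", "db-dc-1", "tcp/22"),
                    ("db-dc-1", "web-dc-1", "tcp/5432"),
                    ("sensor-gw", "db-dc-1", "tcp/5432")]:
        print(f"{s:12} -> {d:8} {p:9} {verdict(s, d, p)}")
    for location, allow in POLICY.compile(INVENTORY).items():
        print(location, sorted(allow))
```

Two things are worth noticing when this runs. The burst web server in cloud A gets exactly the verdict its data centre twin gets, because no rule mentions a location. And the compiled output contains entries only for the data centre, where the database lives; the burst VPC's gateway and the edge site receive an empty allow list, which is the default-deny posture the article argues for, rather than something that has to be configured cloud by cloud.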

Not everything starts with multicloud

It is certain that most enterprises will begin their path to multicloud with a lightweight move to a single cloud. If, in that initial planning, security is either bolted on or designed with a single cloud in mind, enterprises will find themselves in a difficult position when it is time to scale. But perhaps most importantly, enterprises need to consider the operational aspects of security early on. While it can be straightforward to deploy incremental tools and solutions in support of new challenges, operations tends to manoeuvre like a large ship at sea. It is better to survey the horizon for looming obstacles than to be caught needing to adjust quickly.

Michael Bushong,  Vice President of Enterprise and Cloud marketing, Juniper Networks