Securing virtual machines: Considerations for the hybrid cloud
With enterprises’ growing interest in adopting the hybrid cloud, Cloud Service Providers (CSPs) want to develop premium cloud offerings that accelerate this adoption and increase their revenue opportunities.
Many people don’t realize that a majority of today’s data security solutions were designed for physical ecosystems rather than virtual environments. New technologies are needed to address concerns for hybrid cloud security, providing assurances that cloud-hosted workloads are protected from other tenants, outside threats, and cloud administrators. In this article, we’ll look at several important considerations for assessing a security solution for your hybrid cloud environment.
Choose a solution that minimizes IT risk
The better a solution integrates into your current environment, the lower the risk. The result? Higher acceptance not only by the IT team, but also by other stakeholders such as the users of workloads in the cloud or the management team whose approval you need to acquire the solution. Risk is minimized through two factors: simple deployment, and use of existing knowledge, tools, and processes.
Let’s look at deployment first. Your IT team doesn’t need a solution that introduces more complexity to the existing infrastructure. A solution that provides deployment templates, or that can be rolled out through Microsoft Active Directory group policy or your existing configuration management tools, reduces the time and effort involved in deployment and support.
IT professionals understand that innovative solutions are more readily accepted if they leverage knowledge, tools, and processes that your team is already familiar with. As with deployment, a new solution that integrates into the existing environment minimizes the load on your IT team in terms of the commitment to specialized knowledge, time, and costs.
Choose a solution built on technologies designed for the cloud
The conventional security models we’re familiar with don’t work in the cloud, where physical perimeters and physical access do not exist. The cloud’s shared, multi-tenant nature requires solutions designed for this environment.
An important aspect of data security is provided by encryption, which has become a commodity today. Windows BitLocker, for example, is a native OS encryption technology widely used by enterprises. However, these native encryption technologies were originally designed for physical machines, and they often don’t work in the cloud, where machines are virtualized and administrators no longer have direct physical access to them (for example, to enter a pre-boot PIN or insert a startup key).
A solution that focuses on enabling proven and widely accepted technologies such as BitLocker for the cloud lets enterprise IT address data security concerns with confidence and realize the potential of the cloud. By leveraging native technologies already integrated with operating systems, enterprises know that their security solutions will continue to work and remain compatible with their applications as operating systems are updated.
Choose a solution that gives you full control
A critical consideration when assessing cloud security is ownership and control of encryption keys. We can’t emphasize enough that only you, as the data owner, should hold these. Here’s why:
- Your data in the cloud can be accessed only with its encryption keys. No cloud administrator, other tenant, or outsider can access your data without the keys.
- If you run trial applications in the cloud or move to a different cloud, residual data may be left behind. Unlike physical environments, you can’t destroy or decommission the cloud storage where your data resided. As long as you control the encryption keys, residual data in the cloud is never accessible to anyone but yourself.
Given the importance of encryption key ownership, ensure that your encryption solution lets you choose your own key management approach and store keys within your enterprise. Many options are available, including dedicated key managers, most of which support the Key Management Interoperability Protocol (KMIP) and Microsoft Active Directory. To reduce the time required to manage your cloud environment, your security solution should also embrace automated features such as key management.
In addition to controlling your encryption keys, it’s important to control the operation of, and access to, virtual machines (VMs) running in the cloud. Because you don’t want your IT team dealing with the overhead of approving every VM reboot, look for a solution that allows pre-authorized boot only when your existing security policies are met. This approach lets authorized VMs boot and obtain their encryption keys without manual intervention, while ensuring that no VM can boot if security policies are not met.
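The following added example (not code from the article or from any product it describes) sketches the pre-authorized boot idea: an enterprise-held key release service that hands a VM its volume key only when the request passes every policy check, and records each decision for review. The policy fields, VM names and boot measurement values are constructed for illustration.

```python
# Added example (not from the article): a minimal policy-gated key release
# service. The enterprise keeps the volume keys and a per-VM policy; a VM
# obtains its key at boot only if every check passes. Values are constructed.
import hmac
from dataclasses import dataclass, field

@dataclass
class BootRequest:
    vm_id: str
    cloud: str          # which cloud the VM reports it is running in
    region: str         # reported region (data-sovereignty check)
    measurement: str    # hex digest of the VM's boot chain, as reported

@dataclass
class KeyReleaseService:
    policy: dict        # vm_id -> allowed clouds/regions, expected measurement
    keys: dict          # vm_id -> volume key, held on-premises, never in the cloud
    audit: list = field(default_factory=list)

    def request_key(self, req: BootRequest):
        """Return (key, reasons); key is None when any policy check fails."""
        reasons = []
        rule = self.policy.get(req.vm_id)
        if rule is None:
            reasons.append("unknown VM")
        else:
            if req.cloud not in rule["allowed_clouds"]:
                reasons.append(f"cloud {req.cloud!r} not permitted")
            if req.region not in rule["allowed_regions"]:
                reasons.append(f"region {req.region!r} not permitted")
            # constant-time compare so the check leaks nothing about the digest
            if not hmac.compare_digest(req.measurement, rule["expected_measurement"]):
                reasons.append("boot measurement does not match approved image")
        granted = not reasons and req.vm_id in self.keys
        if not granted and not reasons:
            reasons.append("no key enrolled for VM")
        # every decision is logged so denied boots are visible to operations
        self.audit.append((req.vm_id, "granted" if granted else "denied", list(reasons)))
        return (self.keys[req.vm_id] if granted else None), reasons

# Constructed sample policy and key store (hypothetical VM and values).
SERVICE = KeyReleaseService(
    policy={"vm-finance-01": {"allowed_clouds": {"cloud-a"},
                              "allowed_regions": {"eu-west"},
                              "expected_measurement": "a1" * 16}},
    keys={"vm-finance-01": bytes.fromhex("00112233445566778899aabbccddeeff")},
)
```

A request from the approved cloud and region with the expected measurement receives the key; a VM that has been moved to another region, booted from a modified image, or is not enrolled at all is denied and the denial is recorded in the audit list.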
Choose a security solution that gives you cloud agility
Given the importance of securing workloads you choose to run in the cloud and controlling encryption keys, choose a solution that offers full visibility into workload security across the hybrid cloud environment.
Many organizations migrate on-premises workloads to the cloud gradually, as appropriate. With the growth and availability of more clouds with differing business models, you may find that different clouds suit different business requirements, such as data sovereignty or cost.
Regardless of how your cloud environment is put together, a common security management platform provides the information you need, at the level of detail you choose, in a convenient single-pane-of-glass view, all while keeping total cost of ownership (TCO) in check.