
How secure is the hybrid cloud?

Aug 26, 2015
Cloud Security

The term hybrid cloud is used loosely, which is probably why so many companies say they're planning to adopt it. If you’re planning a hybrid cloud strategy, the security questions you need to think about may not be the ones you’d expect.


Hybrid cloud is IT’s flavor of the year. The C-level executives in Avanade’s global Hybrid Cloud study are particularly optimistic: 75 percent believe it should be the main area of focus for their company this year; 72 percent expect to adopt hybrid cloud by 2018; and 76 percent expect the majority of their applications and services – including some critical systems like data and analytics, office applications and customer-facing services – will be running in a hybrid cloud environment within three years.

Microsoft’s Mike Neil – a corporate vice president in the Enterprise Cloud Group – gives similar figures, saying two-thirds of their enterprise customers are looking at hybrid cloud. He quotes a Gartner report where three-quarters of enterprises “see hybrid cloud as delivering business value they want” – a number he says has shifted very rapidly. “We rarely get customers saying ‘I only want to be in the public cloud’ or ‘I only want to be on premise’,” he explains. “The idea of using some services on premise and some from the cloud is becoming the dominant customer viewpoint.”

In fact, 65 percent of companies in the Avanade study said if they could, they would downsize all their data centers tomorrow in favor of public or hybrid cloud-based solutions. That’s not just obvious cost-cutting; 61 percent believe cloud, especially hybrid cloud, is a more secure way of hosting their company’s applications and data than on-site data centers.

Again, customers are making those same bold pronouncements to Microsoft, says Mark Russinovich, the CTO of Azure. “Most customers are saying ‘we’re shutting down data centers, we’re consolidating data centers, everything that we do now is in the cloud.’ I’ve seen some pretty amazing positions from Fortune 500 companies that are incredibly aggressive, saying they’ve got a plan that in two years’ time they’re not going to have anything on premises.”

The ambition is reasonable, he believes. “There are costs and operational management issues and other considerations that make it completely responsible to say ‘by the end of next year everything will be in the cloud’.”


But equally, the level of confusion in the Avanade survey suggests some of the optimism isn’t realistic. Over half of those executives didn’t know what distinguishes hybrid cloud from simply using cloud services alongside their on-premise systems – like running virtual machines on IaaS or adding Skype for Business Broadcast meetings to the unified communications you get from your Lync servers.

Taking a few steps back to figure out what you mean when you talk about hybrid cloud, therefore, may not only be smart, it may be necessary to figure out how to proceed.

Understanding hybrid cloud

“We use the term hybrid pretty broadly to mean that part of your business is on premise and part of it is in the cloud,” points out Russinovich.

“Hybrid can even come into play when you’re talking about using public cloud services, like the Office 365 support for ExpressRoute,” Russinovich continues. “That’s the ability to put your Office 365 endpoints inside your own network infrastructure so that you’re not travelling over the public Internet, you’re travelling over your network service provider lines into our cloud. In that case, yes, I’m consuming something that’s purely in the cloud but I’m connected in to my on-premises infrastructure.”

The more integration, the closer to hybrid cloud you are, he suggests. “Where we get specific on Azure and what I am focused on, is supporting connecting your enterprise environment with the cloud in a seamless way – networking-wise and also in terms of consistency. We’d like to make it possible for you to deploy applications on premise and in the cloud, written to the same app models – cloud application models – and also manage them the same way.”

Hybrid cloud is also a far easier way to take advantage of services that only work at cloud scale, like machine learning and predictive analytics that you want to apply to systems that aren’t in any cloud.

Microsoft is making something of a specialty of this, with services like Clutter and Delve prioritizing email and documents; Power BI offering historical business intelligence and real-time analysis of data from both cloud services and your own SQL Server apps; Azure Active Directory alerting you to stolen credentials or simultaneous logins to managed devices from physically distant places; or the new Operations Management Suite that analyzes your server setup and warns you about potential attacks.

Instead of buying and running your own large-scale hardware, or even using a public cloud, and setting up and maintaining a complex system like a Hadoop cluster, you buy a cloud service that runs against on-premises systems. “It’s a nice balance,” suggests Neil. “You get the value on premise but you’re not having to take on that burden of responsibility.”

Make no mistake: hybrid cloud is coming

Whether you’re talking about Russinovich’s ambitious idea of cloud consistency, cloud services that analyze your on-premises data, or the more common stretch and burst models that can move your applications or your data into the cloud for extra capacity and performance, it’s the seamless part that’s both very appealing to businesses – and where you need to be thinking about security.

That’s especially true because hybrid cloud assumes that your on-premises system is highly automated and standardized – whether you’re using private cloud systems you build with tools like the Windows Azure Pack and the upcoming Azure Stack and OpenStack designed to give you consistency with public clouds, or “converged infrastructure” like Microsoft’s Cloud Platform System, VCE’s VBlock racks, Cisco’s UCS or pre-built systems from Dell and HP.

Although some VCE customers are looking for a private cloud for data security and privacy, hybrid cloud is what most of them are investing in, says VCE’s EMEA (Europe, the Middle East and Africa) CTO Nigel Moulton. “The hybrid model, where you take classifications of data and keep some of them internal to your company, but some you are more relaxed about and are happy for them to sit in more public infrastructures, is the majority of what we see people investing in.”

Increasingly, on-premises systems are designed for hybrid cloud. SQL Server 2016 builds cloud bursting right into the server, and an increasing number of orchestration services make it simple to migrate virtual machines into the cloud when you need more capacity.

If you use Microsoft’s StorSimple storage appliance, you get an “infinite” storage area network. It looks like a SAN to your on-premises infrastructure, but as well as deduplicating, compressing and tiering your working set of data, it automatically backs up snapshots and tiers cold data to your choice of clouds (Azure, Azure Government, Amazon S3 or OpenStack clouds). The data is encrypted, and you can connect it using ExpressRoute, but you’re still moving data to the cloud without human intervention.

That automation and the seamless, low-friction connection makes it easy to move data and workloads to and from the cloud without anyone making a specific decision every time. And that means you need to have your security policy clearly set out in advance, and applied automatically, or you may find you’re moving something to the cloud that you don’t want to have there.

Security through expertise

“There needs to be a learning process, and obviously the things you want to learn with are the lowest risk things, which give you a great return on investment as you learn,” Russinovich suggests. “You want to learn about how much does it cost me, what are the best practices, how do I figure out security without putting the whole business at risk.” And while you’re learning, he points out, you can also be saving money, and getting real experience with cloud costs.

“Do I move the crown jewels first? That doesn’t make any sense. But I can move my devtest environment to the cloud and immediately I get a return, because if my devtest is on premises it’s occupying infrastructure and more than half the time it’s just sitting there and I’m paying for it. When I move it to the cloud I can learn about hybrid network connectivity, as I connect the on-premises environment to the devtest resources in a secure way to keep them off the Internet, because I don’t want even that exposed. I can also learn how to modernize my applications as I move them. My devtest on premises is a statically configured environment; when I move it to the cloud I can have it scale up – or scale in. I can have it completely shut off at 5 p.m. when the developers go home.”


Russinovich goes on: “You can take advantage of storage connectivity. Why do I want to buy a new SAN to store data that I’m just backing up? Toss that up in the cloud. And while I’m figuring out how to best secure that data, I can have that data encrypted as it moves to the cloud. So there’s low risk; even if I did screw up and that data leaks, it’s not putting the business at risk.”

As you work through connecting those lower-risk systems to the cloud, you learn hybrid cloud strategies, Russinovich points out. “New projects that are low risk, like customer-facing sites and marketing campaign things, why put that on premise? For new projects like that, you can move to the cloud. But all that requires understanding hybrid.”

You also need to understand how to enforce security and compliance in a world where you don’t have Group Policy, and where application developers rather than network architects are managing access controls.

Then you can work your way up to more complex hybrid models where you build the front-end of an application in the cloud but keep the data on premise. “Often, the more sensitive data is the most complicated to move, because so much of my internal company ecosystem is built up around that data being in a certain place and accessed a certain way, and it’s going to cost a lot of money to move everything,” Russinovich points out. “It doesn’t make sense to go after the hardest things first; start at the fringe and work your way in.”

To make this prioritization work you need to do data classification, and look at the complexity of your applications and the sensitivity of the data they handle, categorizing which of your applications deal with confidential and proprietary information.
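The point made earlier about StorSimple and other automated tiering – that the security policy has to be set out in advance and applied by the automation itself – and the classification exercise described just above meet in a placement gate: a check that every automated move consults before data leaves the premises. The following is an added example, not code from the article, Microsoft or VCE. The classification levels, control names, the policy table and the sample datasets and targets are all constructed for illustration; a real deployment would draw them from the organization’s own classification scheme.

```python
"""Placement gate for automated hybrid-cloud data movement (added example).

A tiering, bursting or migration job calls evaluate() before moving a
dataset and acts only on an allowed Decision. Labels, control names and
the POLICY table below are hypothetical and would come from the
organization's own data classification framework.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Per classification: which target kinds are allowed, and which controls the
# target must already provide before a move is permitted. Anything whose
# label is missing from this table is unclassified and is refused outright.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "public":       {"targets": {"on_prem", "public_cloud"}, "controls": set()},
    "internal":     {"targets": {"on_prem", "public_cloud"},
                     "controls": {"encrypt_in_transit", "encrypt_at_rest"}},
    "confidential": {"targets": {"on_prem", "public_cloud"},
                     "controls": {"encrypt_in_transit", "encrypt_at_rest",
                                  "private_link", "customer_managed_key"}},
    "regulated":    {"targets": {"on_prem"}, "controls": set()},
}


@dataclass
class Dataset:
    name: str
    classification: Optional[str]      # None models an untagged dataset
    residency: Optional[str] = None    # e.g. "EU": data must stay in region


@dataclass
class Target:
    name: str
    kind: str                          # "on_prem" or "public_cloud"
    region: str
    controls: Set[str] = field(default_factory=set)  # controls the target provides


@dataclass
class Decision:
    allowed: bool
    reason: str
    missing_controls: Tuple[str, ...] = ()


def evaluate(ds: Dataset, tgt: Target) -> Decision:
    """Decide whether ds may be moved to tgt. Default deny: the move is
    allowed only when every check below passes."""
    if ds.classification not in POLICY:
        # Untagged data is the thing most likely to leak through automation.
        return Decision(False, f"{ds.name}: unclassified data never moves automatically")
    rule = POLICY[ds.classification]
    if tgt.kind not in rule["targets"]:
        return Decision(False, f"{ds.name}: {ds.classification} data may not be "
                               f"placed on {tgt.kind}")
    if ds.residency is not None and tgt.region != ds.residency:
        return Decision(False, f"{ds.name}: residency {ds.residency} violated by "
                               f"target region {tgt.region}")
    missing = tuple(sorted(rule["controls"] - tgt.controls))
    if missing:
        return Decision(False, f"{ds.name}: target lacks required controls", missing)
    return Decision(True, f"{ds.name}: move to {tgt.name} permitted")


def plan_moves(datasets, target: Target) -> Dict[str, Decision]:
    """Evaluate a batch of candidate moves; callers act only on allowed ones."""
    return {ds.name: evaluate(ds, target) for ds in datasets}


if __name__ == "__main__":
    # Constructed sample: a cloud region that encrypts but has no private
    # connectivity or customer-managed keys configured yet.
    cloud = Target("cloud-westeurope", "public_cloud", "EU",
                   {"encrypt_in_transit", "encrypt_at_rest"})
    batch = [
        Dataset("marketing-assets", "public"),
        Dataset("hr-records", "confidential"),
        Dataset("legacy-share", None),
        Dataset("card-data", "regulated"),
        Dataset("crm-export", "internal", residency="US"),
    ]
    for name, d in plan_moves(batch, cloud).items():
        print("ALLOW" if d.allowed else "DENY ", d.reason, d.missing_controls or "")
```

Two design choices matter more than the particular labels. First, the gate is default-deny: an untagged dataset, the kind that accumulates on a file share nobody owns, is refused rather than treated as public. Second, the decision is about the target’s state, not its promise: “confidential” data is allowed in public cloud only once the destination actually provides private connectivity and customer-managed keys, which is what turns the classification framework into an enforced control rather than a document.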

That’s easier than it used to be, points out VCE’s Moulton, because regulatory frameworks like HIPAA, SOX and Basel III haven’t just made enterprises take security seriously. “They’ve also established frameworks under which data becomes classified. There’s the recognition that I’ve got a data set that is valuable, the IT group have given me a framework and some classification tools – and here’s a regulator that will regularly audit me to see I’m in compliance.”

Changes in enterprise governance models make hybrid cloud easier, he suggests. “They’ve changed sufficiently that security is no longer an afterthought. It’s something they build into their risk models and their risk assessment in a way that takes account of what the security implications are, and how you deal with them.”

Use that when choosing where data and applications will live. “You have to do a risk assessment on whether that place is something you want to wholly own or whether it is somewhere you build a service level agreement with an organization that is massively penalized if that risk assessment proves to expose the company to risk.”