Whether you’re talking about Russinovich’s ambitious idea of cloud consistency, cloud services that analyze or the more common stretch and burst models that can move your applications or your data into the cloud for extra capacity and performance, it’s the seamless part that’s both very appealing to businesses – and where you need to be thinking about security.
That’s especially true because hybrid cloud assumes that your on-premises system is highly automated and standardized – whether you’re using private cloud systems you build with tools like the Windows Azure Pack and the upcoming Azure Stack and OpenStack designed to give you consistency with public clouds, or “converged infrastructure” like Microsoft’s Cloud Platform System, VCE’s VBlock racks, Cisco’s UCS or pre-built systems from Dell and HP.
Although some VCE customers are looking for a private cloud for data security and privacy, hybrid cloud is what most of them are investing in, says VCE’s EMEA (Europe, the Middle East and Africa) CTO Nigel Moulton. “The hybrid model, where you take classifications of data and keep some of them internal to your company, but some you are more relaxed about and are happy for them to sit in more public infrastructures, is the majority of what we see people investing in.”
Increasingly, on-premises systems are designed for hybrid cloud. SQL Server 2016 builds cloud bursting right into the server, and an increasing number of orchestration services make it simple to migrate virtual machines into the cloud when you need more capacity.
If you use Microsoft’s StorSimple storage appliance, you get an “infinite” storage area network. It looks like a SAN to your on-premises infrastructure, but as well as deduplicating, compressing and tiering your working set of data, it automatically backs up snapshots and tiers cold data to your choice of clouds (Azure, Azure Government, Amazon S3 or OpenStack clouds). The data is encrypted, and you can connect it using ExpressRoute, but you’re still moving data to the cloud without human intervention.
That automation and the seamless, low-friction connection make it easy to move data and workloads to and from the cloud without anyone making a specific decision every time. And that means you need to have your security policy clearly set out in advance, and applied automatically, or you may find you’re moving something to the cloud that you don’t want to have there.
Security through Expertise
“There needs to be a learning process, and obviously the things you want to learn with are the lowest risk things, which give you a great return on investment as you learn,” Russinovich suggests. “You want to learn about how much does it cost me, what are the best practices, how do I figure out security without putting the whole business at risk.” And while you’re learning, he points out, you can also be saving money, and getting real experience with cloud costs.
“Do I move the crown jewels first? That doesn’t make any sense. But I can move my devtest environment to the cloud and immediately I get a return, because if my devtest is on premises it’s occupying infrastructure and more than half the time it’s just sitting there and I’m paying for it. When I move it to the cloud I can learn about hybrid network connectivity, as I connect the on-premises environment to the devtest resources in a secure way to keep them off the Internet, because I don’t want even that exposed. I can also learn how to modernize my applications as I move them. My devtest on premises is a statically configured environment; when I move it to the cloud I can have it scale up – or scale in. I can have it completely shut off at 5 p.m. when the developers go home.”
Russinovich goes on: “You can take advantage of storage connectivity. Why do I want to buy a new SAN to store data that I’m just backing up? Toss that up in the cloud. And while I’m figuring out how to best secure that data, I can have that data encrypted as it moves to the cloud. So there’s low risk; even if I did screw up and that data leaks, it’s not putting the business at risk.”
As you work through connecting those lower-risk systems to the cloud, you learn hybrid cloud strategies, Russinovich points out. “New projects that are low risk, like customer-facing sites and marketing campaign things, why put that on premise? For new projects like that, you can move to the cloud. But all that requires understanding hybrid.”
You also need to understand how to enforce security and compliance in a world where you don’t have group policy, and where application developers rather than network architects are managing access controls.
Then you can work your way up to more complex hybrid models where you build the front end of an application in the cloud but keep the data on premises. “Often, the more sensitive data is the most complicated to move, because so much of my internal company ecosystem is built up around that data being in a certain place and accessed a certain way, and it’s going to cost a lot of money to move everything,” Russinovich points out. “It doesn’t make sense to go after the hardest things first; start at the fringe and work your way in.”
To make this prioritization work you need to do data classification, and look at the complexity of your applications and the sensitivity of the data they handle, categorizing which of your applications deal with confidential and proprietary information.
That’s easier than it used to be, points out VCE’s Moulton, because regulatory frameworks like HIPAA, SOX and Basel III haven’t just made enterprises take security seriously. “They’ve also established frameworks under which data becomes classified. There’s the recognition that I’ve got a data set that is valuable, the IT group have given me a framework and some classification tools – and here’s a regulator that will regularly audit me to see I’m in compliance.”
Changes in enterprise governance models make hybrid cloud easier, he suggests. “They’ve changed sufficiently that security is no longer an afterthought. It’s something they build into their risk models and their risk assessment in a way that takes account of what the security implications are, and how you deal with them.”
Use that when choosing where data and applications will live. “You have to do a risk assessment on whether that place is something you want to wholly own or whether it is somewhere you build a service level agreement with an organization that is massively penalized if that risk assessment proves to expose the company to risk.”
By Mary Branscombe