Hybrid cloud security involves software-defined networking (SDN), virtualization, and application support at all layers of the service mesh across multiple data centers and hardware devices. Companies increasingly seek “single pane of glass” administration for hybrid cloud networking that includes all of the features of traditional network administration and data center management software with improved real-time data packet analytics. Hybrid cloud security must operate at all levels of the distributed network and include support for new, innovative software platforms that have not been thoroughly tested in production. Hybrid cloud security poses unique problems for network administrators that are best addressed through tools and utilities that are integrated within the lanes of SDN orchestration through embedded SIEM applications implementing real-time data packet scanning, monitoring, and network analytics.
IT professionals in complex enterprise organizations choose hybrid cloud organization because it supports the de facto means of operation for thousands of employees or multiple software development teams in action today. Due to the way that the current IT landscape operates, business managers must evaluate between public cloud hosts on the basis of cost for commodity hardware and support for proprietary or open-source software services. Senior business management has swiftly adopted cloud outsourcing for the majority of public-facing software services across the Fortune 500 in the last ten years. However, most of these senior decision-makers still will not permit highly sensitive data and files to be remote-hosted outside of an on-premises data center. The requirement to support private cloud or on-premises data center hardware is the primary characteristic of hybrid cloud architecture, but this form of networking presents unique issues and challenges to security professionals.
Many senior business executives believe that the social engineering risk outweighs public cloud platform benefits and still will not sign off on transferring their most critical or sensitive data and business processes to a remote host. As the social engineering risk cannot be resolved, private cloud and on-premises data center facilities need to be managed increasingly in simultaneous integration with multiple public cloud resources and SaaS products in hybrid cloud constructs.
In 2018, Kubernetes announced CVE-2018-1002105, a critical security flaw based on privilege escalation that permitted malicious users to control a shared Linux kernel in production using API calls. This issue affected every distribution and runtime environment of Kubernetes in production, requiring immediate patching. Researchers are now working to develop better micro-segmentation security features for containers. The differences between container virtualization and hypervisor virtualization lead to particular issues and challenges in hybrid cloud security operations addressing this layer of the service mesh.
After the decision to adopt hybrid cloud architecture has been established, systems administrators are faced with the need to choose third-party vendor software to orchestrate the network from the existing solutions available in the global marketplace. On a practical level, this means the choice between proprietary licensed hybrid cloud orchestration platforms from IT majors and startups, or the adoption of open source solutions through trained staff and integrator companies. Each hybrid cloud orchestration platform and solutions provider has unique advantages and disadvantages, where security needs to be a major factor used in the analysis of each microservice solution before adoption.
Best practices in hybrid cloud security implement a multi-tiered approach to protection based upon interwoven security information and event management (SIEM) products within the service mesh. Modular hybrid cloud security systems operate at the hypervisor, operating system, web server, database, and application layers with network diagnostics based on real-time scanning, monitoring, and analysis of data packets through web traffic or other I/O transfer requests. Hybrid cloud solutions are orchestrated primarily through software platforms based on either hypervisor virtualization, container virtualization, or a combination of both.
VMware has pioneered a system of embedded security protocols that operate at the level of the hypervisor in production and create micro-segmentation in multi-tenant cloud environments. Micro-segmentation improves the isolation of VMs on multi-tenant hardware to prevent the lateral spread of attack vectors in the instance that a node becomes compromised by malware, worms, or unauthorized intrusions by hackers.
Micro-segmentation addresses the problem of privilege escalation which is considered to be the most serious security threat for running containers at scale in enterprise production.
Many security professionals recommend running containers within a hypervisor-driven VM environment for better isolation through micro-segmentation as a means to prevent potential privilege escalation. VMware products embed AI-informed malware, anti-virus, and bad request scanning at the level of the hypervisor for deep protection of hybrid cloud architecture in production through the NSX Distributed Firewall. The NSX Distributed Firewall is installed with ESXi on every VM managed by vSphere or vCloud products, integrating automated security alerts and event management with network analytics and reporting. NSX can also be integrated with Neutron in OpenStack as a Firewall-as-a-Service solution for increased hybrid cloud security.
Hybrid cloud security begins with physical access to the web servers which house data in the form of proprietary code, databases, storage files, records, archives, or other resources. Since, by definition, the hardware available in hybrid cloud architecture is distributed globally across multiple data centers, IT administrators are forced to adopt a “zero trust” policy towards all vendors. Encryption is the primary method that security researchers adopt to keep data safe in a “zero trust” environment such as that provided in hybrid cloud architecture. Encryption strategies need to be applied at every level of the service mesh to be all inclusive. This includes the encryption of OS and software code at the web server or “bare metal” levels, as well as data in transmission, remote storage, backend processes, etc. in order to build secure hybrid cloud models on vendor-agnostic hardware. VMware vSAN Datastore is used for enterprise database encryption, while VMcrypt Encryption is applied to cloud storage resources, backups, and archives.
Real-time packet scanning is a critical element of all network analytics which are increasingly being driven by AI and machine learning approaches to anti-virus, malware, and anti-DDoS defense systems. Edge servers are used to create DMZ regions with hardened isolation from on-site LAN resources. Web server security packages include multiple firewall layers embedded with the hypervisor, operating system, server distro, database, and application components that are extended through third-party software utilities implementing real-time data packet analysis. Network firewall rules can be implemented across SD-WAN and SDN resources by using cloud software-as-a-service plans from major IT vendors. The “single pane of glass” administration for hybrid cloud security includes automated SIEM responses with complex network analytics, system reports, and quarantine alert messages.
Attention to all layers of the service mesh is the most important feature of hybrid cloud security. At the webserver partition layer, companies primarily deploy hybrid cloud architecture using either hypervisor virtualization or container virtualization. Containers run a vastly scaled-down operating system in production that contains the most minimal set of driver packages for support. Container OS builds like NanoOS, RancherOS, Alpine Linux, CoreOS, etc. improve hybrid cloud security in production by reducing the available attack vectors to the kernel in multi-tenant environments. Automated patching for OS security updates speeds time to market for critical upgrades. Rolling OS security updates for web servers are integrated into most container management and VM orchestration software packages.
At the application layer, version control and CICD processes enable better code testing in advance of deployment that can be isolated in sandboxes and automated in production to ensure that bugs are not introduced which would cause unexpected web security flaws. DevOps tools like Selenium, Travis CI, and Cucumber introduce automated code testing into the software development lifecycle which improves hybrid cloud security for custom-built web and mobile applications. The huge number of microservices and interacting third-party software utilities on a single web server presents tactical issues to hybrid cloud security professionals which can be addressed on a meta-level through better isolation, micro-segmentation, and automated response generation by anti-virus utilities driven by AI/ML.
A hybrid cloud represents an integrated network deployment that spans one or more public cloud hosting environments while including simultaneous support for private cloud hardware. Over 90% of enterprise companies report that they will implement hybrid cloud infrastructure in their IT departments by the year 2020. Many complex organizations support thousands of brands with online domain properties that include both web and mobile applications. Software development for different departments and verticals is often operated by independent teams on competing public cloud service platforms due to the perceived advantages or disadvantages of each for web server, programming language, and database support. These same companies integrate SaaS products from hundreds of third-party developers in daily operations as part of employee productivity, sales, customer support, and manufacturing.
This organization of services creates a unique need for hybrid cloud security to protect data privacy in communications, financial records, and storage through multiple layers of interwoven firewalls, network monitoring services, and encryption. Backup, recovery, and disaster management procedures relate to business security and are built into hybrid cloud architecture by systems administrators who need multiple backups of databases, storage files, and software code versions. However, the proliferation of backup copies of data in multiple forms and versions, as well as across multiple data centers and facilities, creates unique security issues that need to be managed through a “zero trust” policy with encryption across all levels of the storage chain, including transmission of backups to third-party sites, secondary data centers, or alternative media. Chaos testing, fuzz testing, and penetration testing simulate potential systems breakdown in patterns that cannot be expected outside of real-time production environments. Businesses need to consider these methods alongside of automated CICD code testing with version control to address security issues within the software development lifecycle.
Hybrid Cloud Management
Cloud Computing Infrastructure