Hybrid IT services in the cloud age: What CISOs should do now

To keep enterprise IT secure, chief information security officers must fit cloud services into risk-management and governance frameworks. Here's how.

Delivery of hybrid IT services is the practice of providing IT services from a mix of internal and external sources: company data centers, colocation facilities, managed hosting and the external private cloud, and the public cloud. Companies might not realize it but, as Nemertes Research's enterprise technology benchmark data shows, nearly all of them embrace hybrid IT services delivery now: 97% make use of software as a service (SaaS), 40% make use of public infrastructure as a service (IaaS), 24% use public platform as a service (PaaS), and many make use of various flavors of managed hosting and hosted applications.

Some pieces of the puzzle, like colocation, are well understood and fully incorporated into most companies' security posture and processes. Others, such as SaaS and public IaaS, are less familiar and less well understood, and as a result they are less often treated in a manner consistent with internal resources. ("Consistent with" does not mean "identical to.") The inconsistency cuts both ways: security policies might demand stronger controls than the risk warrants (e.g., encryption of data in the cloud that would never be required on internal resources), or they can leave gaps (e.g., failing to require a provider audit of the use of administrative access to company data in a cloud environment).

Companies of all sizes and in all industries plan to increase their use of cloud resources to save money and increase agility and to focus internal resources more strategically. In order to continue to expand the use of external resources, especially those in the public cloud, enterprise IT security teams must fully integrate security policies for hybrid IT services with the rest of their security policies.

To achieve this objective, the CISO should lead the following four practices:

Drive security practices with a unified security policy

Security architects traditionally adopted a perimeter-based approach to protecting an organization's internal resources from external threats. Today, it's widely understood that the perimeter-based approach is ineffective. The bright, clear distinction between "safe inside" and "dangerous outside" no longer exists: inside and outside both have to be presumed dangerous (whatever "inside" means in an age of mobile devices and work-anywhere employees). At the same time, the number and variety of "outside" parties who are not only not dangerous but actively trustworthy -- partners and suppliers, for example -- continues to grow.

The increasing number and variety of cloud services only serves to further blur the lines. Focusing on silos of protection and threat is ill suited to an environment increasingly characterized by zero-day compromises and multilayered, multimode attacks.

Most organizations have security that's composed of many systems managed separately.

What's needed instead is a pervasive protection strategy. Pervasive protection takes a holistic view and deploys an interconnected ecosystem of products and services to provide a coordinated defense. Strong identity management and a unifying set of security policies should be at the center of such an ecosystem. Moreover, the ideal pervasive-protection architecture requires a policy engine that can automatically push policy changes out to layered point-protection tools, ensuring consistency and speed in response to changing needs. With all tools, whether in-house or in the cloud, under the direction of a unified policy, IT can be sure that protection is consistent independent of where a service currently originates.

Pervasive protection coordinates defenses and drives a more effective and mature environment.
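To make the "one policy, many enforcement points" idea concrete, here is an added example in Python (not code from the article or from Nemertes). A single rule set is rendered into an iptables-style list for an in-house host and into a security-group-style ingress list for a cloud workload, and the live state of each point (constructed inline) is diffed against the policy to detect drift. The rule format, both renderers and the sample live configurations are assumptions made for this illustration.

```python
"""One policy source rendered to two enforcement points, plus a drift check.

Added example, not from the article. The rule format, the two renderers
and the 'live' state below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    proto: str    # "tcp" or "udp"
    port: int
    action: str   # "allow" or "deny"


# The unified policy: written once, pushed to every enforcement point.
UNIFIED_POLICY: List[Rule] = [
    Rule("corp-https", "10.0.0.0/8", "tcp", 443, "allow"),
    Rule("corp-ssh", "10.1.0.0/16", "tcp", 22, "allow"),
    Rule("block-telnet", "0.0.0.0/0", "tcp", 23, "deny"),
]

Canon = Tuple[str, str, int, str]


def render_iptables(policy: List[Rule]) -> List[str]:
    """Render the policy as iptables-style lines for an in-house host firewall."""
    target = {"allow": "ACCEPT", "deny": "DROP"}
    return [f"-A INPUT -s {r.src} -p {r.proto} --dport {r.port} -j {target[r.action]}"
            for r in policy]


def render_cloud_sg(policy: List[Rule]) -> List[Dict[str, object]]:
    """Render the policy as a security-group-style ingress list.

    Cloud security groups are commonly allow-only (anything not allowed is
    implicitly denied), so deny rules cannot be expressed here and are
    dropped; unrenderable() reports them so the gap is visible."""
    return [{"IpProtocol": r.proto, "FromPort": r.port, "ToPort": r.port, "CidrIp": r.src}
            for r in policy if r.action == "allow"]


def unrenderable(policy: List[Rule]) -> List[str]:
    """Names of rules the allow-only cloud backend cannot express."""
    return [r.name for r in policy if r.action != "allow"]


def canonical(policy: List[Rule], allow_only: bool = False) -> Set[Canon]:
    """Backend-independent form of the policy for comparison."""
    return {(r.src, r.proto, r.port, r.action) for r in policy
            if not allow_only or r.action == "allow"}


def parse_iptables(lines: List[str]) -> Set[Canon]:
    """Parse iptables-style lines (as rendered above) back to canonical form."""
    out: Set[Canon] = set()
    for line in lines:
        tok = line.split()
        src = tok[tok.index("-s") + 1]
        proto = tok[tok.index("-p") + 1]
        port = int(tok[tok.index("--dport") + 1])
        action = "allow" if tok[tok.index("-j") + 1] == "ACCEPT" else "deny"
        out.add((src, proto, port, action))
    return out


def parse_cloud_sg(perms: List[Dict[str, object]]) -> Set[Canon]:
    """Parse security-group ingress entries back to canonical form."""
    return {(str(p["CidrIp"]), str(p["IpProtocol"]), int(p["FromPort"]), "allow")  # type: ignore[arg-type]
            for p in perms}


def drift(policy: List[Rule], live: Set[Canon], allow_only: bool = False) -> Dict[str, Set[Canon]]:
    """Rules the policy wants but the point lacks, and rules the point has that policy never granted."""
    want = canonical(policy, allow_only)
    return {"missing": want - live, "unexpected": live - want}


# Constructed 'live' state, as an operator might pull it from each point:
# the in-house host gained an ad-hoc RDP rule, the cloud group lost SSH.
LIVE_IPTABLES = render_iptables(UNIFIED_POLICY) + [
    "-A INPUT -s 0.0.0.0/0 -p tcp --dport 3389 -j ACCEPT",
]
LIVE_CLOUD_SG = [p for p in render_cloud_sg(UNIFIED_POLICY) if p["FromPort"] != 22]


def report() -> Dict[str, object]:
    """Drift report across both enforcement points."""
    return {
        "inhouse": drift(UNIFIED_POLICY, parse_iptables(LIVE_IPTABLES)),
        "cloud": drift(UNIFIED_POLICY, parse_cloud_sg(LIVE_CLOUD_SG), allow_only=True),
        "cloud_unrenderable": unrenderable(UNIFIED_POLICY),
    }


if __name__ == "__main__":
    for point, finding in report().items():
        print(point, finding)
```

The point of the drift check is that consistency is verified in the canonical form, not by eyeballing two different syntaxes. The allow-only cloud backend also shows why a policy engine must surface what it cannot enforce at a given point (`cloud_unrenderable`) instead of silently dropping it.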

Bring NOC and SOC together

Event response and root cause analysis are key components of operations, no matter whether the problem is with cloud, server or network: What are the incidents that indicate a problem? When did they start? What happened to cause them?

Unfortunately for the separate security operations center (SOC) and network operations center (NOC), many events are inherently ambiguous:

  • A server, in-house or running in IaaS, can be brought down by an operating system or application problem, a worm, or a denial-of-service attack (DoS).
  • A SaaS application performance problem could be the result of malware-driven traffic spikes, Internet connection congestion or provider-side issues.
  • A network failure can arise from hardware failure, misconfiguration, DoS, component compromises or cable cuts.

The obvious question is, How can you tell which kind of problem you have at the outset? The unfortunate answer: You can't.

If you don't know what the root cause is, how can you assign the problem to the right team for resolution? IT staff are forced to prejudge problems, with the inevitable result that problems will sometimes land with the wrong team for resolution, that they will be ping-ponged among teams as they evolve and that redundant root cause analysis will take place.

With the convergence of symptoms and causes, and regardless of the intermingling of in-house and cloud resources, it is clear that triage is triage and initial problem identification is common across domains. To have consistent and robust security in a hybrid IT service environment, problems with externally sourced services have to be treated like problems with internally sourced ones during triage and identification. Ideally, then, there will be a converged operations staff with one team doing all initial diagnosis (and limited resolution) during the most mercurial phase of event response. The triage team will have broad, basic skills across all three domains: networks, applications and security. As problems escalate (tracked through a shared ticketing system), in-house responders will diverge and be more highly skilled, specialized and expensive. Problems with cloud services will escalate out to providers' service desks. This optimizes response times, use of resources and effectiveness of response, both during the event and in the post-mortem learn-and-refine process.

Enlist allies outside IT

IT uses hybrid IT services to improve its speed and responsiveness to business needs, reducing the security risk that occurs when business units bypass IT and go straight to the cloud. But making that effort is no guarantee that business units will play by the rules. For that reason, IT must engage the legal, procurement and finance departments. IT needs them to become watchdogs for the organization as a whole: To better manage risk (both operational and security-driven), these groups must ensure no cloud contract is signed and no money spent on cloud services without IT and security reviews that follow established industry best practices.

This way, even when IT cannot meet the need fast enough, it can make sure that the organization as a whole understands the technological parameters and security implications. For example, the chosen cloud service might not be useful without full integration with an in-house system, and the business unit pushing for it might fail to consider the cost of that integration. Or a cloud service might by default store information wherever it is most efficient (from a network perspective), but compliance requirements imposed on the organization might make storage inside or outside some geographic locations unacceptable, and the provider might not have any mechanism by which the organization can define or enforce such restrictions.

Get formal about assessing providers and workloads for the cloud

The spectrum of choices available for meeting a service need in the hybrid service-delivery world spans everything from bring your own data center (BYODC) to SaaS.

The sourcing spectrum: from BYODC to public and private external cloud services (IaaS, PaaS and SaaS).

Just as it is in managing a financial portfolio for an individual, it is important that IT's sourcing portfolio match the organization's "lifestyle" with respect to the key factors in a sourcing decision: risk, cost, agility and control. To be faster and more consistent in making such choices, IT should develop a decision-support tool. One way to map out the decision is to construct a strategy spectrogram by laying out different risk, cost, agility and control factors as opposing pairs -- "low tolerance for downtime" vs. "high tolerance for downtime," for example -- then mapping the organization's tolerances, limitations and requirements.

Figure 4. Build a decision-support tool for sourcing choices.
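As an added illustration of the spectrogram idea (not a tool from the article or from Nemertes), the following Python ranks sourcing options against an organization's position on the four opposing pairs. The axis wording, the option positions and the two organization profiles are constructed values for demonstration; a real tool would be populated from the organization's own assessment. It also treats some requirements as hard limits that veto an option outright rather than being averaged into a score, which is how a compliance constraint such as data residency should behave.

```python
"""Sourcing 'strategy spectrogram' as a scoring tool.

Added example, not from the article. Axis names follow the article's four
factors (risk, cost, agility, control); every numeric position below is a
constructed, illustrative value, not benchmark data.
"""
from typing import Dict, List, Optional, Tuple

# Each axis is an opposing pair: 0.0 = left-hand statement, 1.0 = right-hand.
AXES: Dict[str, Tuple[str, str]] = {
    "risk":    ("low tolerance for downtime", "high tolerance for downtime"),
    "cost":    ("must minimize upfront cost", "upfront cost is acceptable"),
    "agility": ("need new capacity in days", "months to provision is fine"),
    "control": ("must dictate data location", "no data-residency constraints"),
}

# Constructed positions: where on each pair a sourcing option fits best.
OPTIONS: Dict[str, Dict[str, float]] = {
    "BYODC":           {"risk": 0.2, "cost": 0.9, "agility": 0.9, "control": 0.0},
    "colocation":      {"risk": 0.3, "cost": 0.7, "agility": 0.7, "control": 0.1},
    "managed hosting": {"risk": 0.4, "cost": 0.5, "agility": 0.5, "control": 0.3},
    "public IaaS":     {"risk": 0.5, "cost": 0.2, "agility": 0.1, "control": 0.5},
    "SaaS":            {"risk": 0.6, "cost": 0.1, "agility": 0.0, "control": 0.8},
}


def score_options(org: Dict[str, float], weights: Dict[str, float],
                  hard: Optional[Dict[str, float]] = None) -> List[Tuple[str, float]]:
    """Rank options by weighted closeness to the organization's profile.

    `org` is the organization's position (0..1) on each axis, `weights` how
    much each axis matters, and `hard` maps an axis to the largest deviation
    tolerated on it: an option beyond that limit is vetoed, not averaged away.
    Returns (option, fit) pairs, fit in 0..1, best first."""
    hard = hard or {}
    total_weight = sum(weights[a] for a in AXES)
    ranked: List[Tuple[str, float]] = []
    for name, pos in OPTIONS.items():
        if any(abs(pos[a] - org[a]) > limit for a, limit in hard.items()):
            continue  # hard requirement not met; option drops out entirely
        distance = sum(weights[a] * abs(pos[a] - org[a]) for a in AXES) / total_weight
        ranked.append((name, round(1.0 - distance, 3)))
    return sorted(ranked, key=lambda t: -t[1])


def explain(org: Dict[str, float]) -> List[str]:
    """Which side of each opposing pair the organization leans toward."""
    return [f"{axis}: {AXES[axis][0] if v < 0.5 else AXES[axis][1]}" for axis, v in org.items()]


# Constructed profile 1: regulated organization; data location is a hard limit.
REGULATED_ORG = {"risk": 0.2, "cost": 0.3, "agility": 0.2, "control": 0.0}
REGULATED_WEIGHTS = {"risk": 2.0, "cost": 1.0, "agility": 1.0, "control": 3.0}
REGULATED_HARD = {"control": 0.2}

# Constructed profile 2: fast-moving organization with no residency constraints.
AGILE_ORG = {"risk": 0.6, "cost": 0.1, "agility": 0.0, "control": 0.9}
AGILE_WEIGHTS = {"risk": 1.0, "cost": 1.0, "agility": 1.0, "control": 1.0}

if __name__ == "__main__":
    for label, org, w, h in (("regulated", REGULATED_ORG, REGULATED_WEIGHTS, REGULATED_HARD),
                             ("agile", AGILE_ORG, AGILE_WEIGHTS, None)):
        print(label, explain(org))
        print("  ranking:", score_options(org, w, h))
```

With the regulated profile, the data-location limit removes every option whose control position is more than 0.2 away, so only the options that keep data placement fully in the organization's hands are ranked; the remaining options are then ordered by the weighted soft factors. With the agile profile and no hard limits, the ranking is driven entirely by closeness on the four pairs.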

More companies are beginning to use hybrid IT service delivery and hybrid clouds. To ensure these services do not substantially increase an enterprise's risk posture, organizations must fit cloud-delivered services into their overall risk-management and governance frameworks. They should begin by choosing whether to place workloads in the cloud -- and if they do, they should select a way to vet the relevant providers and their services. Cloud needs to be woven throughout pervasive protection policies and incident response processes as well, if the organization is to be successful and responsible in its use of cloud.
