AP - Fotolia


Private cloud sprawl: How cloud consolidation can improve security

Vast private cloud infrastructure can be detrimental to an organization. Expert Ed Moyle looks at how and when to consider cloud consolidation to reduce cloud creep.

For most organizations, the adoption of cloud has been significant. Despite wide-scale use of public cloud in the enterprise today, private cloud deployment has primarily been the mainstay of large organizations. While some statistics suggest private cloud usage may be on the decline, there is still a legacy of private cloud capability left over from the past few years; it's not uncommon for some large organizations -- Fortune 500 firms, for example -- to maintain dozens of separate private cloud environments.

However, this can bring a number of potential security concerns. It can mean suboptimal or even inefficient use of resources when environments overlap in scope; it can mean security and maintenance headaches when multiple environments have subtly different, or in some cases, explicitly contradictory security controls; it can introduce architectural and performance challenges, and it can compound the effort associated with regulatory compliance.

As a consequence, it's important for organizations to get a handle on "private cloud sprawl." Making best use of resources -- and preventing negative consequences from coming to fruition -- means having an understanding of what private cloud environments are out there so a strategic decision can be made about cloud consolidation. In some situations, consolidation is desirable. In others, organizations may want to maintain more than one environment, but want to strategically reallocate what's hosted where. The decision should be made with precision and forethought rather than (as is often the case) because that's how things organically grew.

What creates private cloud sprawl?

No matter how the private cloud sprawl situation arises, it's important for security teams to understand ... whether so much private cloud is a benefit or a deficit to the security posture of the organization.

There are some people out there who are scratching their heads and wondering why and how an organization might arrive at multiple private cloud environments in the first place -- after all, isn't private cloud usually the most expensive of cloud models? Why would an organization want more than one? In reality, there are a number of ways this can happen. First, consider M&A activity; when organization A acquires organization B, they may both have a private cloud. Since it might take years for the two organizations to be integrated at an IT level, those environments will persist during that time period -- and likely beyond it.

Another way this can happen is when multiple, loosely coupled business units (for example, when those business units maintain separate IT support groups) each build out (or lease from a service provider) their own private cloud without each other's knowledge or for different purposes. This can happen when different geographic regions are supported by different groups, or when IT is handled in siloed fashion within each business unit.

Lastly, organizations might cultivate several private cloud relationships for a strategic purpose. Keep in mind that private cloud just means a cloud environment where the customer is the only tenant; a private cloud environment can reside at a cloud service provider (CSP). Sure, many are in house, but that isn't always so. Therefore, an organization might have one or more on-premises private cloud environments -- as well as one or more hosted outside the organization at a CSP or colocation.

Reduce and reuse?

No matter how the private cloud sprawl situation arises, it's important for security teams to understand that circumstances will dictate whether so much private cloud is a benefit or a deficit to the security posture of the organization.

We discussed some of the challenges above, but to illustrate the point that private cloud use can be beneficial, consider an organization that has multiple regulatory requirements pertaining to different sets of usage. For example, for a hospital that maintains a private cloud in-house for the clinical environment and an external one for its payment and billing systems, and that meets HIPAA in the clinical environment by using in-house resources, it makes sense since the hospital likely has deep expertise in that area. PCI, on the other hand, may not be a core competency. In this case, selecting an outside CSP that is vetted (e.g., it's on the approved service provider list) might have quite a bit of security and compliance value, and overall the hospital would be better served by having two private cloud environments.

Knowing when, how and if to consolidate private cloud environments is a tricky business. Many organizations fall into the trap of rushing to consolidate only to find out later that there are good reasons why they can't or shouldn't. To avoid that pitfall, organizations need quite a bit of data as input to make a strategic determination. They need to know:

  • That the environment exists
  • What's in the environment
  • What the security requirements are for its usage
  • What controls/processes are already in place in that environment today

How do you start consolidating private cloud environments?

As with many things, a prudent first step is discovery. Start by enumerating the private cloud environments your enterprise has in place right now. If yours is a large organization, there may be more than you think; you might need to do some legwork to ensure you find out about them all. Gathering this information by leveraging an inventorying exercise that's going on in your organization already, such as a business impact assessment (BIA) for business continuity planning, would be optimal. Since a BIA touches most of the business anyway, you can use it to simultaneously discover areas of private cloud.

Next, you'll want to enumerate the security-relevant considerations for each environment. Ask questions including: What's the regulatory context? What does the environment contain? What type of data is processed within the environment?

Again, for each environment, this might take some legwork; answering this will require that you understand what's in each environment. Unless your organization is great at keeping reliable inventories (most aren't), you'll need to do reconnaissance at each environment to get to a reliable list.

Lastly, map the security, support and business requirements against the security, support and business "features" provided by each environment. This means you'll need to understand enough about each environment to know what they are. It's possible that some service providers will tell you (and prove to you) this information upon request, but it's also possible that you'll need to do a bit of auditing to get to an answer.

These three sources of data should -- when combined -- give your organization the raw materials needed to make a strategic-level determination about whether consolidation is appropriate and, if it is, should help form your plan for how you will effect that consolidation. The cloud consolidation itself, though a long-term exercise, can then be planned out so that your organization is taking maximum advantage of resources. If your enterprise is considering putting applications in a private cloud, this information will also help it to make the decision that best fulfills its business needs.

About the author:
Ed Moyle is the director of emerging business and technology at ISACA. He previously worked as senior security strategist at Savvis Inc. and as senior manager at Computer Task Group. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.

Next Steps

Don't overlook these five security issues associated with private clouds

Curious about private cloud? Get the answers to your top questions here

Prevent sprawl in public cloud

Dig Deeper on Hybrid and Private Cloud Computing Security