The transition of the data center from physical infrastructure to virtualized servers to software-defined everything is yielding another form of heterogeneity, disparate infrastructures, and a distinct set of security challenges for CISOs. Complexity is, after all, an enemy of security because the need to use multiple security solutions to set, automate, and monitor creates inconsistencies and seams for adversaries to exploit. Such complexity also drives up the operational cost associated with procuring, managing, and developing competency in disparate tools for disparate infrastructures.
Frankly, if I were a CIO of a pre-digital age company with a strategic imperative to get more agile by leveraging cloud computing, I’d have a hard time navigating public cloud, private cloud, and micro-segmentation options. Pile on top of that different IaaS/PaaS platforms and the need to vet AWS, Azure, and VMware vCloud Air use cases beyond DRaaS to develop a cloud computing roadmap. And just as my CISO is getting more comfortable with the cloud, s/he will certainly be conflicted between the promise of micro-segmentation solutions such as NSX—now with cross vCenter support—to cordon off and protect certain applications, and the challenge of employing consistent security processes and tools across heterogenous clouds. As such, in a multi/hybrid-cloud context, security solutions that unify the security of disparate infrastructures should be front and center. Some of the solutions I saw at VMworld last week that help CIOs and CISOs strive to bring some consistency to hybrid environments fall into a few core categories:
- Network Security Policy Management and Orchestration: Solutions that automate the management of network security controls such as firewalls are high on the list of solutions needing to support physical, virtualized, and micro-segmented environments for consistency. These products also need to be smart enough to know when to instrument either the layer 2/3 firewall native to NSX or a third-party, layer 7 NGFW from vendors such as Fortinet and Palo Alto Networks. Vendors such as AlgoSec bring their firewall management capabilities to NSX while competitor Tufin touts a business application-driven approach that further automates network security policies across hybrid environments.
- Configuration Auditing for Compliance Automation: Core to consistency across hybrid clouds is establishing baseline configurations for both compliance and security. Such solutions will scan for drift and vulnerabilities in workloads independent of location. Cavirin is a relatively new player that has baked compliance regulations into its product to provide ratings and recommendations of workloads across public and private clouds.
- Continuous Monitoring: Starting with the discovery of workloads across hybrid infrastructures, a continuous monitoring solution will establish a baseline of normal activity from which anomalies are detected. Catbird employs such an approach for netflow between workloads in trusted zones (inter-workload), while Endgame takes a process-centric approach (intra-workload) to detecting anomalies on and between workloads, respectively, across disparate infrastructures.
Most companies will live in a hybrid world for the foreseeable future, arbitrating what goes where with respect to which apps and associated data sets stay on-premises, which go to the cloud, and which run in a micro-segmented network. IT has a checkered past with heterogeneity—employing a multi-vendor storage strategy when provided pricing leverage, while applications purchased by business units dictated platform support. Heterogeneous infrastructures are arguably more complicated because we’re talking about the entire stack. The hybrid nature of cloud computing will be one dimension of ESG’s forthcoming cloud security research project, with another being the need for visibility, control, and governance around the use of cloud delivered applications. Security products need to keep pace not only with the adversaries, but also with the fundamental shifts in infrastructure and end-user driven application usage, which is yielding the hybrid, heterogeneous infrastructures of today and tomorrow.