With many companies considering to develop hybrid cloud environments for their DevOps, Tim Mackey and Boris Cipot from Synopsys Software Integrity Group, share their thoughts on the current developments of a hybrid cloud environment.
What are some of the key challenges faced by companies and CIOs when securing a hybrid cloud deployment?
Tim: Hybrid clouds by definition will have differing levels of security configuration within their underlying infrastructures. Minimising the impact of misconfiguration and data consistency are key items to consider when adopting any hybrid cloud initiative.
Of note, best practices for application security and cloud configuration will vary between public cloud providers and any private cloud implementation. Prior to migrating any application to a hybrid cloud, a full review of the application’s security expectations and threat model should be performed to ensure any implementation gaps in the hybrid strategy are properly accounted for.
What are the current pressure points CIOs are feeling around the security aspects of their hybrid clouds?
Boris: In my conversations with CIOs, a trend that I’m coming across is that the role of a CIO seems to be changing from that of a service provider into a role supporting the entirety of the organisation’s agile, fast-moving DevOps environment. Security is being perceived less frequently as a hurdle now that security has been proven, through DevSecOps practices, not to negatively impact development velocity.
Information is key — knowing what applications and software components are in use within your organisation is becoming a pressure point receiving a lot of attention. After all, you can’t secure what you don’t know you have. Third-party security is also becoming a well-understood concern in terms of cloud security. Understand what your vendors are offering, how they’re deploying the offering, and how they’re securing it. Security isn’t a one-time audit; rather, it’s a continuous process. CIOs must keep a watchful eye internally and stay in close communication with third parties to maintain continuous innovation and security growth both within the cloud and throughout the organisation.
How are CIOs developing secure hybrid cloud environments for their DevOps?
Tim: Hybrid cloud deployments are effectively a “day two” problem for organisations engaged in digital transformation towards a cloud strategy. Unless an organisation has defined and implemented strong security measures as part of their existing private cloud or multiple zone/region public cloud, then the complexity of a hybrid solution will introduce unneeded security risks. For example, a hybrid strategy typically forms part of a disaster recovery plan, a desire to increase business agility, or a need to better serve a geography. In the case of increased business agility, a hybrid strategy might simply mean the use of public cloud infrastructure for testing or staging efforts, but even in this narrow case the security of test data should be part of the overall development paradigm.
Effectively, while DevOps principles are ideal when developing a cloud native application, numerous examples exist of data leaks or breaches within highly agile application development teams – a case which can be prevented through strong security reviews.
How the security perimeter shifted as businesses expand their use of the hybrid cloud?
Tim: When adopting any public cloud strategy, a transfer of risk from the organisation to the cloud provider occurs. For example, the risk of unpatched physical infrastructure is assumed to be addressed as part of the fees paid to the cloud provider. This transference of risk reverses when consumers of a public cloud fail to adequately secure their virtual instances and associated services.
In a hybrid cloud environment, the transference of risk becomes even more challenging as differences in provider APIs could easily introduce misconfiguration which are hard to identify. It is precisely the combination of cloud perimeters, ownership of risk, and configuration which defines the overall security perimeter for an organisation.
Given the goal of reduction of business risk is a key function within CIO/CFO/CISO roles, understanding the impact of privacy, data retention, data sovereignty, and security policies becomes a key component when identifying the overall security perimeter. In the end, the definition of a security perimeter moves from that of a network edge into the business rules governing the configuration of the hybrid cloud.
- Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group
- Boris Cipot, Senior Sales Engineer, Synopsys Software Integrity Group