The Word Hybrid Written in Clouds

Over the last few months, I have been in many discussions with Enterprise CIOs and CISOs after they have realized the security and visibility challenges they now face after committing to fully and formally adopting a hybrid architecture for their Enterprise ITs.

These discussions have been fascinating and stimulating and have had an uncanny amount of similarity regardless of enterprise size, market segment, industry vertical or even enterprise age. (However, it’s worth noting that all of these customer conversations have been with organizations that are old enough to have a significant on-premise infrastructure IE that’s at least a few years old).

The story arc for all of them is similar, with a similar set of systemic challenges now facing these organizations. Let’s take a look at how they got here and the options they have going forward.

Architectural Adoption of Hybrid IT

Almost all of these enterprises are aggressively adopting formalized hybrid architecture. Despite their efforts to frame this as a strategic, forward-looking decision, in almost all cases, it is reactive, catch-up lipstick being rapidly applied to their current states.

The reality in most of these organizations is that they are already irrevocably hybrid. For years, their line-of-business functions have been rapidly onboarding SaaS services in a shadow IT manner.

Some of their older, on-premise, line-of-business applications have been abandoned or decommissioned and their internal app development and test teams have been using public, cloud-driven, DevOps-oriented continuous development, integration and tests for years, regardless of where the app may run when finally in production.

They have embraced federated IAM whereby their identity management systems now span on-premise, public IaaS cloud and SaaS cloud, and their databases—both sensitive and valuable as well as bulky with big data—are awkwardly smeared across a mind-boggling array of on-premise storage technologies, public-cloud storage and various SaaS services.

And if the picture could not get more grim, they have finally realized that the large assortment of bolt-on, expensive security technologies they have deployed at their traditional edge (such as firewalls, DLP, IPS/IDS, anti-malware and so forth) is doing practically nothing for them since almost all application flows that tunnel through this layer are fully encrypted on the wire.

Consider how terrifying it must be for a CIO or CISO the day they realize that there is a rule on both the external and internal DMZ firewall that allows bidirectional TCP port 80/443, UDP port 500 and IP ports 50 and 51 between the enterprise and all AWS and Azure IP addresses. Now that is the definition of a bad hair day for sure!

Design Effort to Achieve a Sensible Hybrid Architecture

Once there is a realization that the organization has already gone fully hybrid behind the backs of central IT and the security team, usually the next step is to bring together the best technical minds—possibly external consultants—with some representation from line-of-business folks.

They design a reasonable architecture going forward that takes away some of the risk, adds back lost visibility and also serves the needs that drove shadow IT in the first place while fitting the flat IT budget and the limited IT resources both in terms of skillset and bandwidth.

What usually results is an architectural blueprint that involves public cloud IaaS and PaaS services for internal use; SaaS services that are formally adopted as the strategy for non-sensitive, line-of-business applications; and a private cloud in the DC for sensitive, in-house applications (homegrown as well as third party provided).

There is usually an independent orchestration layer that pays lip service to multi-cloud provisioning with the promise of avoiding cloud lock-in and providing application mobility across the private cloud and a set of public-cloud vendors.

In addition, there is the obligatory firewalls, DLP filters, IDS/IPS systems, SIEM systems and CASB services to track user/client consumption of cloud-based applications. The high-level architectural diagram looks clean, simple, efficient to operate and cost-effective.

In-Depth Security Review

It is usually at this stage that things become very difficult. After an in-depth security review, it becomes apparent that it is very difficult and expensive to achieve any reasonable security and visibility between the enterprise’s on-premise systems and all of the cloud systems.

There are simply too many machine-to-machine, layer 7 application connections. Your SSO service is connecting to the on-premise AD, logs need to flow from the public IaaS/PaaS apps to the on-premise SIEM system, and SaaS services need to get to key servers and API servers on-premise. In addition, other SaaS services need to connect to your on-premise finance and ERP systems and so on and so forth.

At this stage, the leadership has to make some very tough decisions in regards to what to do next. Rolling back to a state before shadow IT-driven guerilla adoption of a hybrid IT architecture is simply not an option for any enterprise I have talked with. Generally, the following three options are available:

Option 1: Do Nothing and Hope

Sadly, many organizations seem to choose this option. Despite knowing that the current hybrid reality is posing incalculable risk, provides almost no visibility or monitoring and has no audit abilities and very little remediation possibilities, many CIOs and CISOs go down this route. They hope very much that somehow their organization can fly below the radar of the hackers and does not get attacked.

If they do get owned and suffer a breach, they hope that they keep their jobs through a mixture of plausible deniability and their security theatre efforts. After all, their DMZs are full of very expensive, modern security kits and systems. So they can argue that they tried their best, even though they well knew that none of this technology helps at all with their layer 7 application connections—from on-premise to public IaaS and SaaS clouds.

Option 2: DIY Secure Edge Services DMZ

I have recently spoken to a small number of organizations that have gone down this route. It is extremely difficult, time-consuming and very expensive to purchase and operate. It involves building a second, smaller, private cloud cluster inside the DMZ along with self-service portals that are usable by line-of-business operations so that all layer 7 app gateways land on this cluster.

It requires a very difficult, manual configuration of both the external and internal firewalls so that DNS-based whitelisting of resources—both on-premise and in the cloud—is effectively executed. It requires complicated, manual management of keys for encryption of data at rest and in transit as well as all of the X.509 certificates of all the services transiting this service DMZ.

It also requires some type of attestation service to ensure that the compute in the DMZ remains clean and free of malware, along with all of the analytics, flow telemetry, packet capture and L2/4 micro-segmentation needed to stay secure and provide visibility and remediation abilities.

Option 3: Use a Secure Edge Services Platform

This option is my personal favorite. With a platform like SkySecure, the Enterprise customer can acquire an easy-to-use, hyper-converged platform that includes compute, storage, virtualization and security. An elastic solution that offers a pay-as-you-grow, subscription-based business model that facilitates quickly and easily builds a secure-edge services cluster that can equally live in the main DC, the DMZ or at the colo facility.

IT and security teams can ensure a correct security policy and can triage and remediate issues quickly since attestation, micro-segmentation, layer 7 proxies, full telemetry, analytics and packet capture are all built in. In addition, the solution is fully cloud managed with no on-premise management footprint or systems to install and maintain, which provides self-service and automation so that the business can run at business speed.

If you are an Enterprise and this story arc resonates with you, or if you find yourself in one of the stages of hybrid IT adoption and you would prefer to stay away from options 1 and 2 above and would like to explore option 3, please visit Skyport Systems. We would be happy to show you how SkySecure can facilitate a secure, easy-to-use, effective hybrid IT architecture for your Enterprise.

-Michael Beesley, CTO, Skyport Systems