Security Approaches for Hybrid Cloud Environments
Digital transformation initiatives, along with cloud-first policies intended to gain greater business agility, have resulted in the broad adoption of cloud services as well as an unintended consequence—a cloud security readiness gap. This dynamic is highlighted by research conducted by ESG in which nearly nine out of ten (88%) surveyed organizations agreed that they need to evolve their cybersecurity program for cloud-native applications and their use of public clouds.[1]
Amidst the shift to public clouds, customer-managed environments, including those that are on-premises and in co-location facilities, remain a critical and prominent aspect of the modern IT landscape. As such, hybrid clouds are, indeed, the norm of the modern data center. The disparate environments that comprise hybrid clouds have increased complexity, with many organizations finding it challenging to unify best practices across teams, technology stacks, and environments, impacting operational, security, and compliance objectives and requirements.
As a result, operationalizing hybrid cloud security is a strategic imperative, one that requires a holistic and layered approach to assure consistency across a heterogeneous landscape. While tried-and-true cybersecurity approaches still apply, including implementing defense in depth, new methodologies and technologies necessitate the modernization of cybersecurity programs across the core pillars of people, process, and technology. The objective of this paper is to explore the composition of hybrid clouds, as well as the challenges associated with securing these dynamic and complex environments, to set the stage for a series of best practices for a full-stack, full-lifecycle approach.
The Composition of the Modern Data Center
Hybrid Clouds are Heterogeneous
Central to the adoption of cloud services are cloud-native applications and environments. Cloud-native applications are those built on a microservices architecture, deployed on elastic infrastructure, and delivered and managed via the automated continuous integration and continuous delivery (CI/CD) orchestration processes of a DevOps methodology. Cloud technologies, such as containers, Kubernetes, and public cloud services, play leading roles in cloud-native environments, with serverless functions now emerging, adding to the heterogeneity of modern applications. It is important to note, however, that cloud native is not exclusive to public clouds. In fact, while there is a shift of production workloads to public clouds, container portability and the desire by some enterprises to manage Kubernetes deployments both on-premises and in the cloud mean that cloud-native applications span both public and private clouds—i.e., hybrid clouds.
ESG research reveals that an important aspect of today’s hybrid clouds and true private clouds includes cloud-native applications orchestrated by Kubernetes across disparate environments. Equally important to note is the heterogeneous mix of server workload types with respect to the continuing relevance of virtual machines as well as bare metal servers. While ESG’s research highlights a rise in the use of containers and serverless functions, respondents shared that 32% of their production server workloads run on virtual machines, which is expected to decrease to 28% over the next 24 months.