It’s been just about one year since the world learned about the Spectre and Meltdown microprocessor vulnerabilities, and a little over 18 months since the big WannaCry ransomware attacks of 2017. Those events were a serious wake-up call for many organizations. Companies are revisiting their security controls not only to ensure that they can counter threats, but also to make sure that they can recover quickly if their defenses are breached.
In today’s IT operations across datacenters and hybrid cloud, building a tougher, more resilient security stance means bridging across different computing islands. You have your on-prem, and you have your various cloud pieces that depend on different providers. The challenge is to make sure that all of the components are tightly aligned and integrated, with compatible security configurations and a consistent level of security policies, processes and procedures. It can get pretty complex, because the platforms and applications involved are often very diverse.
HPE has developed a systematic, end-to-end approach to help you secure your digital enterprise. We call it the HPE Hybrid Cloud Security Solution Reference Architecture. It provides four views of your security posture:
The business view answers the question, “Why are we building a hybrid cloud and why do we want to secure it?” The answer to the last part of the question may seem a given, but it’s worth spelling out in some detail what could happen if your digital business is not well secured. When companies look at hybrid cloud, the main business drivers are flexibility, agility and, of course, cost savings. Security may not be perceived as falling into any of those categories, so it’s easily overlooked or tacked on as an afterthought. That’s risky. There’s been a spate of incidents in the recent past which showed that building in security after the fact is not a good way to go.
The business view enables you to determine your attack surface and your risks based on the sensitivity and privacy of your data. Make sure that security and data protection themes are baked into early discussions of hybrid cloud. Help your top decision-makers understand why you need the same level of security, or higher, across the new environment as you’ve traditionally had for on-premises infrastructure.
When you present your case for security investments, back it up with statistics and examples that detail the devastating impacts that companies have experienced as a result of security weaknesses. Talk about the potential dollar impacts of disruption to your business and reputational damage to the brand.
The functional view answers the question “What should the hybrid cloud solution do, and what security functions do we need?” It enables you to determine the right level of protection for your workloads, based on the risks you identified in the business view and your security policies. It systematically defines the right level of security controls that you will apply across your hybrid environment to achieve your business outcomes.
HPE’s approach takes a broad view of security controls and capabilities. It incorporates, for example, our P5 security control model (below), part of the Information Security Service Management methodology we use to define complete security programs for customers (see Lois Boliek’s blog The 5 P’s of Data Protection).
The technical view answers the question “How should the hybrid cloud solution and its underlying controls work?” Contrary to what companies often assume, the technical view is often the easiest of the four views to construct.
In one important respect, though, the technical aspects of a hybrid IT setup are more complex than those of legacy environments. When everything is on-prem, you have fewer stakeholders. The more platforms and providers you have, the higher the risk of gaps. IT organizations are not always sure where the borders of responsibilities lie between what they need to do themselves, security-wise, and what the cloud provider needs to do. There are technical solutions that we can put in place to tackle this challenge. For example, integration is key for identity management; you’ll want to make sure that your internal IM system is linked to what you have in the cloud.
Identity and access management is the fundamental building block for a solid IT management framework as described in this view (see my post 5 Steps to Better Identity and Access Management for Hybrid IT.) It’s also a complex area with many different aspects, including strong authentication, single sign-on, and user privilege management. It’s important to get it right from the get-go.
The implementation view answers the question “What systems will we use to construct the hybrid cloud solution and its security controls?”
The security solutions landscape is vast, and it’s changing all the time. To assure the integrity of server hard- and firm-ware HPE can provide advanced protection features that are embedded in the motherboard of its Gen10 generation of servers. Aruba, an HPE company, offers industry-leading enterprise network security solutions Aruba ClearPass and Aruba IntroSpect. Our integrated IT management platform HPE OneView automates and accelerates many of the error-prone manual processes that can create vulnerabilities. HPE also partners with important solution providers in the space. For example, we work with enterprise software leader Micro Focus to provide single sign-on technology, identity and access management controls and a whole set of service management solutions for our customers based on their specific needs.
Hybrid cloud security is not a static thing. You need to revisit it periodically as the risk environment evolves. The good news is that our Security Solution Reference Architecture is comprehensive and repeatable, and it’s backed by our best practices and wide experience in the space. It can help you achieve the right mix of protection for your cloud-enabled digital business.