Addressing Security Challenges in Hybrid Cloud Computing Environments

Enterprises are increasingly using hybrid environments, but this move can come with risks and challenges especially for organizations adopting DevOps. How can hybrid environment security fit naturally into development processes?

Addressing Security Challenges in Hybrid Cloud Computing Environments

How can you secure your apps and services without compromising your schedule? (Hint: It’s all in the automation.) Enterprises are using hybrid cloud technologies to enrich the user experience and power their digital transformation. But running applications in public clouds while managing the application data in private clouds makes for a unique set of security requirements. We discuss the challenges that DevOps teams face in hybrid environments and how those challenges can be overcome.

Content Summary

Today’s Threat Landscape Can Be A Challenge For Enterprises
Siloed Security Can Create Unnecessary Complexities And Bottlenecks
Security Is Seen As A Roadblock And Causes Friction With The Need For Agility
Addressing Security In Hybrid Cloud Environments

Enterprises are harnessing Amazon Web Services (AWS) cloud and hybrid technologies to power their digital transformation: the integration of flexibility, agility, and unique cultural shifts into business processes to enrich customer and stakeholder experience. In fact, it’s projected that by 2020, 90 percent of organizations will be adopting or using hybrid cloud infrastructures and services. Indeed, the hybrid cloud environment enables businesses to portably manage workload requirements by using public cloud platforms to run applications while using the resources of private cloud infrastructures to manage the data needed to run the applications.

Hybrid cloud security accordingly has unique requirements. And given how hybrid cloud enables workloads to be run on different platforms and environments — from on-premises to private and public infrastructures like AWS — traditional and defined security will fall short. Also, with the adoption of containers and microservices, securing workloads can be seemingly complicated.

For enterprises adopting DevOps, it can be especially challenging to incorporate security into an approach that focuses on rapid development and delivery across Amazon EC2 instances and containers. While it helps meet tight timetables, DevOps can also run the risk of overlooking security.

What are the barriers that enterprises need to overcome when implementing security in the DevOps pipeline? What challenges do security teams contend with in using the hybrid environments, and how can they be addressed?

Today’s Threat Landscape Can Be A Challenge For Enterprises

In the first half of 2018 alone, 47 new cryptocurrency-mining malware families and 118 new ransomware families were seen. Threats are also diversifying into infrastructures that are critical to enterprises, from web servers and application development platforms to mobile devices. In 2017, for instance, the Erebus Linux ransomware hit a South Korean web development company and affected 153 Linux servers and more than 3,400 businesses. The impact: over US$1 million in losses as well as damaged reputation and a costly remediation process.

Today’s Threat Landscape Can Be A Challenge For Enterprises
Today’s Threat Landscape Can Be A Challenge For Enterprises

Indeed, Amazon EC2 workloads require a security strategy that can navigate today’s evolving and ever-increasing threats. For customer’s security teams, exposure to vulnerabilities and threats translates to adverse impact to their organizations’ bottom lines. The impact is exacerbated when stacked up with stringent compliance requirements, such as the implementation of privacy by design as mandated by the European Union (EU) General Data Protection and Regulation (GDPR).

For enterprises already adopting DevOps, an unsecure or vulnerable application or software can mean wasted resources, as they have to constantly rework and rebuild them to meet security and compliance requirements. Integrating security early into the development life cycle significantly reduces disruptions while helping IT and DevOps teams address security gaps or misconfigurations faster.

What’s Needed?
Defense-in-depth security capabilities are needed and must have visibility across the application or software’s life cycle — from pre-deployment to runtime. For example, security mechanisms such as intrusion detection and prevention systems (IDS/IPS) and firewalls help thwart network-based threats and exploits, while application control deters anomalous executables and scripts from running. In fact, it’s projected that by 2022, application control will be employed in 60 percent of server workloads. For DevOps teams, baking in security into the development life cycle means security as code. This can be achieved through scalable application programming interfaces (APIs) and scripts designed with security from the first build in order to minimize superfluous work.

Siloed Security Can Create Unnecessary Complexities And Bottlenecks

It’s projected that by 2020, more than 90 percent of enterprises will be employing a multi-cloud strategy (i.e., using multiple cloud services) for their workloads. And despite the increasing popularity of containers (e.g., Docker) in application development, organizations still use other virtualization technologies and computing platforms, like on-premises or physical software and servers, virtual machines, and even serverless infrastructures. Many enterprises actually still use a combination of traditional and cloud-based services for their operations — from networking and storage and data centers to software. Surveyed organizations in 2018, for instance, used an average of 16 software-as-a-service (SaaS) applications in the workplace. Developers must consider the various environments where the applications they create are deployed. The hybrid environment itself exemplifies the best of both worlds: using and orchestrating private and public cloud environments to host or run Amazon EC2 workloads.

Siloed Security Can Create Unnecessary Complexities And Bottlenecks
Siloed Security Can Create Unnecessary Complexities And Bottlenecks

Indeed, a challenge for many organizations is incorporating security across these multiple computing platforms. IT teams have to juggle different and incompatible security tools, which unnecessarily create convolution in their management. This unwanted complexity can also mean higher overhead in that it can slow down incident response, as siloed and disparate platforms will drive security teams to manually monitor each of them. This, in turn, creates bottlenecks in incident and compliance reporting. From a DevOps perspective, siloed teams (and tools) create blind spots, as security may tend to be neglected (such as overlooking vulnerabilities in the code) as they rush to deploy applications faster.

What’s Needed?
An effective security strategy ensures visibility into the applications and their underlying infrastructures, consistency in their security, and adaptability across various environments. Visibility across multiple environments is a major concern for enterprises: It gives organizations governance over the underlying infrastructures or platforms that they use to host, run, and manage their workloads. In turn, security teams can streamline the processes for audits, compliance reporting, and risk management. Security tools should be easily integrated across various computing environments but must be also purpose-built for the platform on which DevOps teams create and deploy their applications.

Security Is Seen As A Roadblock And Causes Friction With The Need For Agility

Automation is not just a buzzword: It’s become a necessity for many organizations as they further streamline their workload processes to keep pace with a constantly changing technology landscape. A more tangible example of this is how hybrid environments, through containers and other microservices, empower enterprises with the scalability needed to deploy and monitor servers or applications. And when thousands of these servers or applications need to be concurrently run or configured, automation becomes vital. In DevOps, automation means ensuring consistency through optimized and iterative processes, enabling companies to deploy applications faster across the AWS platform.

Security Is Seen As A Roadblock And Causes Friction With The Need For Agility
Security Is Seen As A Roadblock And Causes Friction With The Need For Agility

However, as organizations focus on deploying applications as fast as possible, particularly those adopting DevOps, security is being misconstrued as something that can slow down the development life cycle. A perceived lack of adoption of security can be ascribed to how it is sometimes misconceived as a roadblock. The lack of automation-enabling tools and how security could disrupt business operations could also be driving factors for not implementing automation in security. As businesses try to meet time-to-market deadlines, security becomes an afterthought (or may even be circumvented). A case in point is the notorious Equifax data breach, which was caused by a vulnerability in the company’s web application software that reportedly took Equifax two months (from when the vulnerability was first disclosed) to fix.

What’s Needed?
Automated security tools enable organizations to integrate security into the DevOps process and toolchain (orchestration, monitoring, continuous delivery, and IT service management). This helps ensure that security is adopted throughout the development life cycle without causing unnecessary friction between development and operations teams. For DevOps teams, automated security helps accelerate life cycles while also alleviating the burden of manually testing the application for vulnerabilities or threats. It’s thus unsurprising that 59 percent of surveyed organizations are automating security into their DevOps processes.

Addressing Security In Hybrid Cloud Environments

Hybrid environments provide organizations with agility and efficiency while also reducing costs. But leaving them exposed to threats can have adverse ramifications to an organization’s bottom line, which is why securing them is of great importance. Fortunately, organizations are increasingly realizing this: It is projected that by 2019, 70 percent of enterprise DevOps initiatives will integrate automated security as well as vulnerability and configuration scanning for application packages.

Addressing Security In Hybrid Cloud Environments
Addressing Security In Hybrid Cloud Environments

While incorporating security and implementing best practices into workload processes and development life cycles can be a daunting challenge, it can empower enterprises to be more resilient against threats while keeping pace with the need to innovate.

Trend Micro’s Hybrid Cloud Security solution provides powerful, streamlined, and automated security integrated into your organization’s DevOps pipeline while delivering multiple XGen™ threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It also adds protection for containers via Deep Security and Deep Security Smart Check, including the scanning of container images during predeployment and host and Kubernetes protection at runtime across your Amazon EC2 workloads and hybrid servers.

These solutions enable organizations to focus on security and compliance while still moving in the agile and adaptable world of DevOps. They also reduce the number of security tools needed with multiple security capabilities and a single dashboard to give you full visibility across your hybrid environments. The Trend Micro Deep Security solution lowers the cost and complexity of securing workloads across multiple environments, with simple procurement and consolidated billing though the AWS Marketplace while providing security fit for DevOps with automated deployment, extensive REST API integration, and security capabilities that can virtually shield servers from the latest advanced threats.

Source: Kristin Cloy (Trend Micro)