In my recent paper on cloud network security I came down pretty hard on hybrid networks. I have been saying similar things in many presentations, including my most recent RSA session. Enough that I got a request for clarification. Here is some additional detail I will add to the paper; feedback or criticism is appreciated.
Hybrid deployments often play an essential, yet complex, role in an organization’s transition to cloud computing. On the one hand they allow an organization to extend its existing resources directly into the cloud, with fully compatible network addressing and routing. They allow the cloud to access internal assets directly, and internal assets to access cloud assets, without having to reconfigure everything from scratch.
But that also means hybrid deployments bridge risks across environments. Internal problems can extend to the cloud provider, and compromise of something on the cloud side extends to the data center. It’s a situation ripe for error, especially in organizations which already struggle with network compartmentalization. Also, you are bridging two completely different environments – one software defined, the other still managed with boxes and wires.
That’s why we recommend trying to avoid hybrid deployments, to retain the single greatest security advantage of cloud computing: compartmentalization. Modern cloud deployments typically use multiple cloud provider accounts for a single project. If anything goes wrong you can blow away the entire account, and start over. Control failures in any account are isolated to that account, and attacks at the network and management levels are also isolated. Those are typically impossible to replicate with hybrid.
All that said, nearly every large enterprise we work with still needs some hybrid deployments. There are too many existing internal resources and requirements to drop ship them all to a cloud provider. Applications, assets, and services designed for traditional infrastructure would all need to be completely re-architected to operate correctly, with acceptable resilience, in the cloud.
Yes, someday hybrid clouds will be rare. And for any new project we highly recommend designing to work in an isolated, dedicated set of cloud accounts. But until we all finish this massive 20-year project of moving nearly everything into the public cloud, hybrid is a practical reality.
Thinking about the associated risks, bridging networks and reducing compartmentalization, focuses your security requirements. You need to understand those connections, and the network security controls across them. They are two different systems using a common vocabulary, with important implementation differences. Management planes for non-network functions won’t integrate (traditional environments don’t have one). Host, application, and data security are specific to the assets involved and where they are hosted; risks extend whenever they are connected, regardless of deployment model. A hybrid cloud doesn’t change SQL injection detection or file integrity monitoring – you implement them as needed in each environment.
The definition of hybrid is connection and extension via networking. The focus is understanding those connections, how the security rules are set up on each side, and how to ensure the security of two totally different environments works together.
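As an added illustration of reviewing "the rules on each side" (example code, not part of the original post), the script below normalizes constructed cloud security-group and data-center firewall allow rules into one model and reports which rules admit traffic across the hybrid link, flagging those that admit the entire remote environment. The CIDRs and rules are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample environment (not from the post): a data center and a
# cloud VPC bridged by a VPN/Direct Connect link with routes exchanged both ways.
ONPREM = ipaddress.ip_network("10.0.0.0/16")
CLOUD = ipaddress.ip_network("10.100.0.0/16")
ENVS = {"onprem": ONPREM, "cloud": CLOUD}

@dataclass(frozen=True)
class Rule:
    side: str   # environment whose ingress control holds this rule: "cloud" or "onprem"
    src: str    # permitted source CIDR
    dst: str    # protected destination CIDR
    port: int
    proto: str = "tcp"

# Constructed allow rules: cloud security-group ingress and DC firewall ingress.
RULES = [
    Rule("cloud", "10.0.5.0/24", "10.100.20.0/24", 5432),    # DC app tier -> cloud DB
    Rule("cloud", "10.0.0.0/16", "10.100.0.0/16", 22),       # whole DC -> every cloud host
    Rule("cloud", "10.100.1.0/24", "10.100.20.0/24", 5432),  # stays inside the cloud
    Rule("onprem", "10.100.0.0/16", "10.0.0.0/16", 445),     # whole VPC -> every DC host
    Rule("onprem", "10.100.20.0/24", "10.0.9.0/24", 1433),   # cloud DB -> one DC subnet
]

def side_of(net):
    """Name the environment a CIDR belongs to, or 'other' if it is outside both."""
    for name, env in ENVS.items():
        if net.subnet_of(env):
            return name
    return "other"

def bridged_flows(rules):
    """Return (rule, broad) for each allow rule that admits traffic across the
    hybrid link. broad=True means the source covers the entire remote
    environment, so the bridge carries no compartmentalization at all."""
    found = []
    for r in rules:
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        dside = side_of(dst)
        if dside == "other" or dside != r.side:
            continue  # rule does not protect an asset in the environment it lives in
        remote = CLOUD if dside == "onprem" else ONPREM
        if not src.overlaps(remote):
            continue  # purely local traffic; not a hybrid concern
        found.append((r, src.supernet_of(remote)))
    return found

if __name__ == "__main__":
    for rule, broad in bridged_flows(RULES):
        flag = "BROAD " if broad else "      "
        print(f"{flag}{rule.side:6} {rule.src:>15} -> {rule.dst:<15} {rule.proto}/{rule.port}")
```

In a real review the rule lists would be exported from the cloud provider's API and the data-center firewall, and the same cross-check then shows whether each side's controls actually compartmentalize the bridged traffic.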
2 Replies to “Hybrid Clouds: An Ugly Reality”
I no longer think “hybrid” means cloud to cloud only connections. I agree that’s the technical definition, but that isn’t how it is commonly used anymore. I should definitely add that to the post.
Nearly every org I talk to says hybrid to mean connecting to a VPC or equivalent. Just yesterday I wrote that into the latest draft of the CSA Guidance section on definitions since it’s such an issue.
Aren’t you attacking a (probably unintentional) strawman here? I understand this is based on your experiences and I certainly don’t discount them, but the definition of hybrid cloud means that all the environments have to meet the strict definition of cloud computing, not just “let me hook up my datacenter mess to AWS”. If that’s the case, then isn’t the real question why aren’t all your workloads and users compartmentalized and fungible across the entire infrastructure? Seems to me that the question is not “why you shouldn’t do hybrid” but “why aren’t you doing security right in the first place”.
If they don’t, in fact, have a functional IaaS stack in place and this definition of hybrid cloud is simply gluing legacy remote sites together, then I suggest that they haven’t really absorbed the cloud model very well and thus can’t apply the much vaunted benefits anywhere except AWS.