Cloud integration and portability

Integration and portability – either working across multiple cloud providers or else shifting workloads from one provider to another – remain amongst the trickier areas of cloud strategy and security.  Different business strategies and priorities will drive different approaches.  For example, if you take the view that service resilience is your primary concern then the idea of placing all your eggs in one basket, even one as well made as AWS or Azure, may be anathema.  This can then drive architectures that must either split components across multiple cloud providers so as to reduce impact of compromise (including outages) or to use a secondary cloud provider to provide contingency in the event of a failure of your primary supplier.  If you’re going to support portability (the ability to shift workloads between cloud providers) then you need to avoid lock-in which can drive you towards containerisation such that you can take your encapsulated infrastructure from one provider to another – subject to tooling and skills.   This does mean that you end up abstracting away from provider-specific APIs and capabilities where you can (e.g. containerisation, deployment of “cloud management platforms”), which is counter to the idea of going truly cloud-native in this author’s opinion.
What about integration?  This is a more interesting proposition.   Why not use Azure AD (or other cloud-based identity provider) to manage the identities and entitlements used across your cloud supply chain?  Why shouldn’t you send audit logs from a variety of cloud providers to AWS S3 buckets and then Glacier for long term storage (or to a cloud-based SIEM service for analysis)?  Why not go for a distributed microservices architecture with consumable services hosted across cloud providers? You do introduce additional complexity however, for example,
  • how will you secure network connectivity?
  • encrypt data in transit and at rest and perform the necessary key management?
  • authenticate and authorise interactions?
  • consolidate security monitoring and incident response?
  • consolidate billing to maintain a view on costs?
  • maintain an understanding of where data is flowing and why?
  • track operational responsibility for service delivery?
  • secure, monitor and track usage of the exposed API’s enabling integration?
  • secure your automated deployment pipeline across the diverse supply chain?
  • prevent latency-sensitive services from becoming reliant upon multiple traversals over the internet?
  • set and manage service levels for in-house applications built on a multi-cloud platform?
But if you either make use of provider APIs or front your own services with your own APIs then this kind of integration of “best of breed” services can support a move towards truly cloud-native approaches without being utterly reliant on a single provider. That said, failure of a cloud provider hosting a critical component could still take down a multi-cloud hosted microservices-based application if it’s not built with resilience in mind.  It’s also worth noting that adoption of PaaS or FaaS services will abstract away some of these issues for you!
The simplest approach however may well be to pick a cloud provider you are happy with and go all-in (albeit with minimal but necessary integration such as federated identity).   Complexity is, and will remain, the enemy of security.  If you are prepared to accept the low risk of multi-region cloud provider outage then perhaps you would be best to avoid the complexity of full-on integration or portability and concentrate instead on account-based segmentation of services within a single provider.  
In summary, there is no one-size fits all approach.  Portability may overly constrain your visualised infrastructure, negating many of the perceived benefits of cloud, whilst some level of integration is likely to be necessary (e.g. federated identity management).  The big question, as is often the case with cloud, is one of trust.  Do you trust your cloud providers to be there when you need them or do you need to engineer in contingency cloud-provider arrangements?  The choice is yours.

Comments

Post a Comment

Popular posts from this blog

CSA UK Applying MITRE ATT&CK Cloud and Microsoft K8 Matrix

Image
The Cloud Security Alliance UK chapter is presenting a series of sessions to provide CISO's, Cloud Security Architects, DevSecOps and SOC teams a breadcrumb roadmap of how to apply the recently published (late 2019)  MITRE ATT&CK for the Cloud  and also take influence from Microsoft’s recent Threat matrix on Kubernetes (K8).   We are seeking feedback or additional items you would like us to cover.  The proposed series of sessions will cover:   Session 1: [ Author/Presenter: Stephen Owen] 90 mins planned online 24th June CSA session on "What is MITRE ATT&CK and Cloud" and what benefits it brings to each of the stakeholders  What is  MITRE ATT&CK Enterprise  and  Cloud Where to start How to take advantages of the current  MITRE ATT&CK Cloud  and combining with Microsoft’s K8 Matrix;  Suggested practices to follow targeted to each of the below roles: Cloud Security Architects DevSecOps SOC Team  Cloud/CISO Lea...
Read more

Understanding ISO 27001 certification

A guest blog by Steve Watkins, Director at IT Governance Ltd Even though ISO 27001 is the international standard for implementing an ISMS (information security management system) and is used by thousands of organisations around the globe, it occasionally faces criticism on a number of issues. Those with first-hand experience of ISO 27001 know that, when implemented correctly, it provides a comprehensive guide to managing the information security risks that organisations face. Further, the accredited certification scheme that enables organisations to demonstrate that they conform with the requirements in ISO 27001 offers real benefits to those who understand how to interpret claims of certification appropriately. So, what are the Standard’s critics potentially misunderstanding? This blog takes a look at some of the misconceptions, and explains why ISO 27001 is an appropriate framework for managing your information security. What are the criticisms of ISO 27001 certification? You don’t k...
Read more

What is hybrid cloud computing?

Image
    (Hybrid) cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardised or proprietary technology that enables data and application portability. National Institutes for Standards in Technology (NIST) While a Hybrid Cloud can take many forms; in essence it means managing two (or more) disparate cloud environments (say private & public) as one, or having management tools in place that let the two (or more) environments be managed and appear as one single environment. Hybrid cloud uses a mix of on-premises, private cloud together with third-party, public cloud services; with orchestration between multiple platforms thus allowing workloads to move between the various cloud environments as computing needs; thus giving businesses greater flexibility and more deployment options. A cloud is hybrid when; You extend an internal web server (that has “burst...
Read more