Today’s enterprise IT professionals are fighting for their jobs. Who’s stealing them? AWS, that’s who. As businesses reach for the immediate gratification of Infrastructure as a Service – instant scale up, agility, no waiting for hardware provisioning – they aren’t thinking about security. They’re thinking about business benefits first, leaving security for someone else to deal with. If that someone is you, it’s time to come up with solutions that give executives what they want with a level of risk you can stomach.
What’s an IT Manager to Do?
A private cloud can offer everything the public cloud offers and more. By building a private cloud that mirrors the self-service and chargeback capabilities of public IaaS providers, you gain the same cloud benefits without putting security in less capable hands. You even have a cost savings argument to bring to the table. Vendors like VCE can even promise four times the performance of a CSP at half the price.
That may be why so many companies are jumping on board with converged infrastructure (CI). According to Zenoss’ “2014 State of Converged Infrastructure” report, 46 percent of the organizations they surveyed were using CI, a 53 percent increase over 2013. Although many enterprises first look into building their own cloud, only 22 percent actually do so, highlighting the appeal of turnkey CI solutions. Why build it yourself when most of the work is already done for you? That’s a hard argument to counter with security concerns alone.
Availability, Security, and Compliance
If you want to convince leadership that CI is the right choice, you’ll need to rethink the tenets of security. Instead of focusing on more arcane security language that leadership finds less than inspiring (such as Confidentiality, Integrity, and Availability, or ‘CIA’), we suggest you refocus on language that supports today’s primary cloud concerns: Availability, Security, and Compliance.
Talk about how strong security actually enhances availability and compliance by preventing security threats that crash systems and leak sensitive information. When having the CI conversation, it’s important to remember these points:
- Availability – Turnkey clouds offer fast spin-up and easier deployment. Because of this, many organizations want to leverage them broadly, and begin to migrate even sensitive or regulated workloads to these agile, software-defined environments. What’s important to remember is that the admins of these environments have enormous power with very few guardrails. A few wrong keystrokes can result in catastrophe: accidentally suspending a production VM, mistakenly moving a regulated workload to an untrusted server, or deleting mission-critical applications by accident. The biggest difference is that you’ll need easier and more automated security tools for implementing policy, controls, and visibility to match the easier and more automated environment.
- Security – It’s time to admit it. The perimeter – at worst – is dead. At best, it’s clearly ineffective, as evidenced by the increasing frequency and cost of enterprise breaches. And virtualized data centers are becoming a target, because they hold this century’s new currency: data. Cloud infrastructure needs security that is optimized for the mobile and dynamic nature of VMs, where entire applications can be moved, copied, or suspended with a few mouse clicks. Securing VMs will require encryption that moves with the VM to support both privacy and multi-tenancy, keeping data from different departments or applications segmented using different encryption keys. And granular logs become necessary to keep data intact, allowing organizations to track down potential misuse or security violations from outsiders.
- Compliance – As organizations take advantage of these new clouds, compliance must be considered. PCI, for example, dictates that if you run PCI data in a VM, the hypervisor then falls within the scope of PCI audit locations. This means that there must be the right security controls in place to show who did what, to which objects, and when.
Build in Compliance, Agility, AND Security to Win with Private Cloud Initiatives
HyTrust recommends the Zero Trust security model to control access to data, no matter where it resides, no matter what network the user is on. This model works in legacy systems, too, but it’s especially important in the cloud, where administrators have broad access rights. Securing the cloud means protecting data, controlling access, and monitoring every event that touches data to provide robust security that supports business profits and compliance, while keeping control over security squarely in your hands. Contact us today to learn more about HyTrust.