The Perils of Cloud Hopping

With hackers in abundance, a loss of physical data ownership clouds can be high risk. That is plenty of exposure. And moving from cloud to cloud, such as private to public and perhaps hybrid (which itself entails toggling between private and public) adds a whole new element of danger. Andrew Hay, CloudPassage's chief evangelist, tackles the issue in a conversation with Enterprise Systems Journal.

In Hay's view, many shops transform their data centers into private cloud, which is really done by taking virtualization to the peak of what it can do through management, orchestration and availability. From there, many begin to eye public clouds, migrating what they have accomplished on premises to a service provider.

A true private cloud should be relatively easy, technically, to move this way. And that move lets you escape large capital expenses and move to a leasing model. The best part is without CAPEX and the need to personally build out infrastructure, there is less barrier to launching new systems.

While the technical work can be straightforward, additional work must be done to account for the cloud, such as really really making sure it's all secure. "Public cloud presents several nuances that directly impact the way traditional security tools operate. Traditional security tools were created at a time when cloud infrastructures did not exist. Multi-tenant -- and even some single-tenant -- cloud-hosting environments introduce many nuances, such as dynamic IP addressing of servers, cloud bursting, rapid deployment, and equally rapid server decommissioning, which the vast majority of security tools cannot handle," Hay explains.

Hay's point is that existing security isn't enough for this new world. For example, perimeter is not enough and must be buttressed with end-point tools. But some cloud providers decide what tools to offer, and you either have to live with them or find another host.

And if you go the hybrid model, it can be hard to find tools that can protect as your apps and data toggle from private to public. And thinking that what you have, just because it cost a lot, can do the job can be a big mistake.

Firewalls, for instance, aren't always cloud ready. "Network address assignment is far more dynamic in clouds, especially in public clouds. There is rarely a guarantee that your server will spin up with the same IP address every time. Current host-based firewalls can usually handle changes of this nature, but what about firewall policies defined with specific source and destination IP addresses?" Hay asks. "How will you accurately keep track of cloud server assets or administer network access controls when IP addresses can change to an arbitrary address within a massive IP address space? Also, with hybrid cloud environments, the cloud instance can move to a completely different environment -- even ending up on the other side of the firewall configured to protect it."

That's a lot to chew on, but if you want the benefits of cloud, a little homework is a small price to pay.

Posted by Doug Barney on 10/30/2012 at 12:47 PM