A Secure approach to floating your Private Cloud

How should organisations approach data centre migrations to private clouds, while maintaining security and connectivity for critical business applications? By AlgoSec’s Paul Clark.

Monday, 7th October 2013, posted by Phil Alsop

A private cloud deployment should give all the flexibility, cost- and time-saving benefits of traditional public cloud solutions, with the key difference being that a company gets all of these benefits to itself, without having to share with others. That’s certainly the promise of private cloud, but the reality is that enterprises need to approach the migration of their data centres with caution. There are performance, business continuity and security implications to be considered before a private cloud environment can be said to be truly afloat.


A key consideration is the organisation’s security controls, such as firewalls, secure web gateways and traffic-filtering routers and gateways. These don’t just prevent threats: they support connectivity and data access, allowing critical business applications to function properly. They’re business enablers, not merely network plumbing that blocks or allows traffic. In most organisations’ firewall policies there are many more ‘allow’ rules than ‘block’ rules, to cater for the complexity of business applications. Just one application may need to cross multiple policy enforcement points, with multiple firewall rules supporting it.


The complexity of these application-related dependencies can lead to security gaps opening up, or trigger outages and downtime to key applications, simply because of the domino effect of tweaking or changing a couple of firewall rules. When we surveyed senior IT staff earlier in 2013, over 70% of respondents had suffered an outage or security breach due to an application-related rule change.


The result is that migrating security policies from the internal data centre to the private cloud can be a lengthy and complex process. It can also involve a great deal of manual trial-and-error work by IT teams, as they may lack automated tools to help them. So how can organisations accelerate migration to private cloud environments, and mitigate some of the risks of outages and security issues while doing so? Here are three key considerations for IT teams when planning a migration.


Focus on applications
IT security is often thought of in terms of threats and tools – in other words, we need to migrate the firewall rules, IPS signatures, DLP policies and so on. However, a data centre’s purpose is to deliver business applications. All other aspects of IT, from databases and storage to networking and security, are enablers for those applications. So it’s good practice to map out the security needs for each business application, in business terms; and then to make sure that the migration of these controls will continue to enable application availability through the migration process.


Evaluate security controls
Some security controls will remain more or less the same following the migration to a private cloud environment, while others will change. You may need to consider policies on traffic between virtual machines in your environment. Also, a cloud environment makes it harder to predict how many users and different endpoints may be accessing applications and resources at any one time, and how those endpoints should be managed. So it’s important to consider the impact of protecting those endpoints – and of ensuring unmanaged endpoints cannot introduce risks.


Choose the control centre
Private cloud migration gives three options on where your security controls can be placed and managed. The first option is outside the cloud. This will usually involve using the same dedicated hardware to run the security control. If enforcement between two or more virtual machines is required, you will need to route traffic outside the VM for inspection and route it back in.


The second option is inside the cloud, which requires virtualising the security control. Since the control no longer runs on dedicated and hardened hardware (such as a security appliance), this may have performance or security implications that should be evaluated before action is taken.


The final option is to review your overall security architecture and all controls, both for public and private cloud environments, and decide which options best suit the business’ needs. Some controls (such as email security and web URL filtering) are well established as cloud solutions, enabling organisations to benefit from reduced management overhead, latency and costs.


With these steps in mind, IT teams can approach the migration of data centres to private cloud environments, without compromising the security or availability of their business applications.