In my first posts in this series, I discussed the growth of hybrid cloud in enterprises and the challenges and risks you’ll need to overcome in protecting machine identities in hybrid clouds. Now let’s look at some of the strategies you can use to keep your machine identities safe in hybrid cloud environments.
First let’s talk about the components you’ll need to protect machine identities in the hybrid cloud. If we are to manage machine identities effectively and securely both on-premises and on hybrid cloud environments, we need to develop and operate a security infrastructure that satisfies the following requirements:
- Use of trusted and protected certificates
- Certificate Authorities (CA) agility
- Delivery of non-repudiable audit logs and response to audit requests
- Protection of private keys
- Integration with vulnerability management and threat intelligence systems
- Regulatory compliance
- Resilience to cryptographic compromise
- Visibility
- Attestation of corporate compliance
In other words, it is important to develop a consistent security policy that satisfies all of the above security and certificate management requirements. It is also important to understand that this security policy must provide the same level of machine identity protection as in traditional environments. The same visibility, intelligence and automation that is required for traditional, on-premises infrastructure is also required for the various cloud environments.
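As an added example that is not part of the original post and is not Venafi's product code, the following Go program (standard library only) shows what a minimal automated check for several of the requirements above looks like: it generates three constructed self-signed certificates and evaluates each against a hypothetical policy covering an approved issuing CA (CA agility and trusted certificates), a minimum RSA key size (resilience to cryptographic compromise), a maximum validity period and a renewal window (visibility). The hostnames, CA names, thresholds and the `Policy` type are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is a hypothetical machine-identity policy; the thresholds below are
// illustrative assumptions, not a vendor's or the post's own values.
type Policy struct {
	MinRSABits     int
	MaxValidity    time.Duration
	RenewBefore    time.Duration
	AllowedIssuers map[string]bool // issuer CN -> approved
}

// CheckCert evaluates one certificate against the policy at time "now" and
// returns human-readable findings; an empty result means compliant.
func CheckCert(cert *x509.Certificate, now time.Time, p Policy) []string {
	var findings []string
	if !p.AllowedIssuers[cert.Issuer.CommonName] {
		findings = append(findings, "issuer not in approved CA list: "+cert.Issuer.CommonName)
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		findings = append(findings, fmt.Sprintf("RSA key too small: %d bits", pub.N.BitLen()))
	}
	if cert.NotAfter.Sub(cert.NotBefore) > p.MaxValidity {
		findings = append(findings, "validity period exceeds policy maximum")
	}
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "certificate expired")
	case cert.NotAfter.Sub(now) < p.RenewBefore:
		findings = append(findings, "certificate inside renewal window")
	}
	return findings
}

// newTestCert builds a constructed certificate for the demo. The parent template
// carries only the issuer name, so the issuer check can be exercised without a
// real CA hierarchy; the leaf key signs the certificate itself.
func newTestCert(cn, issuer string, bits int, notBefore time.Time, validity time.Duration) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoFindings runs the policy over three constructed certificates (one
// compliant, one with a weak long-lived key, one from an unapproved CA that is
// close to expiry) and returns the findings keyed by subject CN.
func DemoFindings() (map[string][]string, error) {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	policy := Policy{
		MinRSABits:     2048,
		MaxValidity:    398 * 24 * time.Hour,
		RenewBefore:    30 * 24 * time.Hour,
		AllowedIssuers: map[string]bool{"Corp Issuing CA": true},
	}
	cases := []struct {
		name, issuer string
		bits         int
		start        time.Time
		validity     time.Duration
	}{
		{"web-01.example.internal", "Corp Issuing CA", 2048, now.AddDate(0, -1, 0), 365 * 24 * time.Hour},
		{"legacy-app.example.internal", "Corp Issuing CA", 1024, now.AddDate(-1, 0, 0), 5 * 365 * 24 * time.Hour},
		{"cloud-worker-7.example.internal", "Self-Signed Dev CA", 2048, now.AddDate(0, 0, -340), 365 * 24 * time.Hour},
	}
	out := map[string][]string{}
	for _, c := range cases {
		cert, err := newTestCert(c.name, c.issuer, c.bits, c.start, c.validity)
		if err != nil {
			return nil, err
		}
		out[c.name] = CheckCert(cert, now, policy)
	}
	return out, nil
}

func main() {
	out, err := DemoFindings()
	if err != nil {
		panic(err)
	}
	for name, findings := range out {
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  - %s\n", f)
		}
	}
}
```

In a real deployment the certificates would come from an inventory (load balancers, cloud key stores, container secrets) rather than being generated in place, and each finding would feed the audit log and ticketing described in the requirements list; the point of the example is that the same policy function runs unchanged whether the certificate lives on-premises or in a cloud account.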
Who’s responsible for machine identity management in the cloud?
Before discussing the elements of the certificate management policy, it is important to understand the shared responsibility model for both Amazon AWS and Microsoft Azure, where a great deal of misunderstanding and fog exists.
The AWS shared responsibility model is described on AWS’s website, where it is noted that “Security and Compliance is a shared responsibility between AWS and the customer.” Specifically, AWS is responsible for the “security of the cloud”: “AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.”
On the other hand, the customer is responsible for the “security in the cloud”. Per AWS “The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.”
What AWS is actually saying is that within the cloud it is the customer who is responsible for machine identity protection. The customer is responsible for network traffic encryption, client-side encryption, server-side encryption, and identity and access management.
Microsoft Azure has a bit of a different approach to shared responsibility, but essentially responsibility for identity and directory infrastructure, as well as network controls and applications for PaaS and IaaS are retained by the customer. The only aspect of security that transfers wholly to Azure is physical security. Per Microsoft’s words “Ensuring that the data and its classification is done correctly and that the solution will be compliant with regulatory obligations is the responsibility of the customer. Physical security is the one responsibility that is wholly owned by cloud service providers when using cloud computing.”
These clarifications should clear away the fog on who is responsible for what. Clearly, customers are responsible for machine identity protection. It should be equally clear that a consistent certificate management policy has to be developed and enforced in order to provide a smooth migration to hybrid cloud environments. Venafi has a comprehensive platform for machine identity protection that enforces consistent policies across all environments, which makes it well suited to a hybrid cloud strategy.
Are you providing as much protection for your machine identities in the cloud as you are for those on-premises?