What enterprises and experts say about hybrid cloud
In my first post in this series, I discussed factors that are driving the growth of hybrid clouds. And now I’d like to highlight some of the reasons that growth is troubling for machine identity management.
At Venafi we like to listen to what our customers say. An increasing share of them tell us, “We are moving everything to the cloud.” They are taking all of their applications and data off physical on-premises servers and into cloud environments. Because of this cloud migration, our customers argue that “We don’t need to manage as many certificates in our data center” because “We’ll just use native certificate management tools from our cloud provider.”
This is exactly what surveys on hybrid cloud adoption highlight. A Forrester report titled “Top 10 Facts Every Tech Leader Should Know About Hybrid Cloud” says that “74% of North American and European enterprise infrastructure decision makers defined their strategy as hybrid.” In addition, Forrester found 62% of public cloud adopters are using more than two unique cloud environments/platforms.
The question we need to ask at this point is why organizations embrace hybrid cloud. Gartner points out that there is an increasing demand to “democratize software”; hence “organizations seek interoperable functionality that enables highly integrated, synchronized and orchestrated hybrid environments,” and for this reason “IaaS and PaaS are driving the next wave of cloud infrastructure adoption.”
Interoperability, synchronization, and orchestration
Interoperability, synchronization, and orchestration are the root causes behind hybrid cloud adoption. How can enterprises manage a multi-cloud or hybrid cloud environment? The ideal would be “to have a coordinated approach to multicloud management and governance. This includes enabling standardization of some policies, procedures and processes.” That last point highlights the importance of having a consistent policy in a hybrid cloud environment.
What are the ramifications of hybrid cloud for machine identities?
It is important to understand that even though the mechanisms in a public or hybrid cloud environment differ from those of a traditional on-premises environment, machines are still the same non-person entities (NPEs). Machines are devices, be they desktop computers, mobile devices, IoT sensors, or servers such as load balancers, Apache and IIS web servers, and databases. Machines can also be code: not only code running on devices, but code running in a more abstract way in a serverless environment. Finally, machines are also services, such as APIs, algorithms or blockchains. Identities for these machines are established by TLS/SSL certificates, SSH keys, code-signing certificates, or mobile and IoT certificates.
The biggest challenge to be met, though, is the heterogeneous nature of public and hybrid cloud service providers. Poor planning for easily predicted problems, and inconsistencies in the adopted hybrid cloud strategy, increase the complexity of managing machine identities and their certificates.
Managing machine identities effectively and centrally is one of the biggest challenges enterprises face. The number of outages due to poor certificate management and expired certificates is growing. Ericsson, the Conservative Party in the UK, Pokémon Go and LinkedIn have one thing in common: they have all suffered outages due to expired certificates. Certificate expiration was one of the main reasons for the massive 2017 Equifax breach.
Myths and misconceptions
When speaking about certificate management and the services provided by various cloud providers, there are certain myths and misconceptions that shape the way enterprises make decisions. First of all, enterprises believe that cloud providers offer native certificate management services and that therefore they don’t need solutions like the ones offered by Venafi. Unfortunately, this isn’t true.
Public cloud providers are making it pretty simple to get certificates onto native infrastructure such as Amazon Elastic Load Balancers or CloudFront for AWS, but when it comes to non-native infrastructure such as hosted F5s, certificate services are not built in or are not set up to auto-renew. In addition, public cloud providers cannot serve the needs of security and enterprise-wide certificate management; rather, they are configured to make things as easy as possible for application development teams that want to move fast. Security teams in large enterprises are running into huge challenges because DevOps teams often independently set up AWS and Azure accounts. In some organizations, there may be 2,500 AWS accounts and 1,500 Azure accounts! With that many different cloud accounts, it is impossible for security teams to enforce the use of certificates that comply with policy. As a result, security teams are left in the dark, with no way to enforce policy or to get the visibility and reporting they need to respond to compliance and audit checks.
Another myth is that when moving to the cloud, enterprises can use the same type of infrastructure for certificate management as on-premises. Effectively, what happens is that they shift the certificate management problem from on-premises to the cloud. Same problem, different location. It is important to understand that most large organizations, despite “moving to the cloud,” will continue to have infrastructure on-premises. Therefore a machine identity management platform that can manage certificates across both on-premises and cloud infrastructure is still needed.
Does security slow DevOps down?
DevOps teams’ perception of security as a factor that slows them down has made it difficult for security teams to be involved in the early stages of software development. The lack of information security tools that DevOps teams can adopt easily has pushed them toward tools and services they feel comfortable with. However, the use of these tools creates more challenges and risks for the information security community: lack of control over and visibility into the required machine identities, non-compliance with existing policies, inability to audit or remediate, weak certificate usage and unprotected keys. So the question that arises is, “How can more secure machine identities increase speed?”
Finally, Forrester says that 74% of organizations are leveraging a hybrid or multi-cloud strategy. If your corporate strategy caters for cloud agility, why should your certificate strategy be pinned to one cloud provider? Organizations that want to be agile and avoid vendor lock-in need a cloud-agnostic solution that not only provides the ability to centrally enforce security policy but also the ability to standardize how certificates are issued and installed so that applications can truly live within one or more clouds, without fear of breaking or slowing operations.
So what can you do about managing machine identities in hybrid clouds? Watch for our next post on security strategies for the hybrid cloud.