Many organizations are adopting hybrid clouds – a bridge of public and private cloud environments – but there are many pitfalls along the way. In the first part of this article series, we looked at the challenges that any organization faces in their hybrid cloud journey. Now it’s time to see how to overcome these challenges. In this second of four articles, we will revisit the first set of hybrid cloud challenges and discuss strategies for success.
Solutions to Hybrid Cloud Challenges
Lasting success with a hybrid cloud requires strategic planning, investment, and yes, some compromise. By definition, you are using services that are outside of your control. Hence, existing processes and technologies may need to be revisited if you want meaningful integration and the flood of efficiencies that follow.
Keep in mind that every part of your organization cannot accommodate the same level of change associated with a hyper-efficient hybrid cloud. Lydia Leong of Gartner points out that organizations with “bimodal IT” – where pockets of traditional IT and agile IT co-exist – are most successful when they do NOT have a universal set of processes, tools, and skills. If your IT organization is bimodal, consider which parts of the organization are most equipped to take advantage of a hybrid cloud, and align more closely to their way of working.
Let’s jump in.
Security. How do we handle the myriad of security challenges in a hybrid cloud? Piece by piece, and with some overarching principles in mind. I like how Trend Micro’s Mark Nunnikhoven put it in a recent article on cloud security: adopt a shared responsibility model where you “trust but verify” the portion of the cloud run by others, and shift the security controls to areas you own. What are some specific things you should do?
* Incorporate single sign on (SSO). One of the best things you can do for hybrid cloud adoption is make access easy! Not only does SSO increase user satisfaction, it creates a more secure environment. Employees have fewer passwords to remember, and access to the cloud platform is controlled by a shared identity store.
* Assess data encryption options. Clouds often provide varying levels of data encryption support, so assess what solutions you can bring to the table. Consider agent-based solutions that encrypt and decrypt virtual machine volumes and give YOU control over the encryption key. In this case, you can likely use the same solution across public and private environments.
* Provision hardened machines via automation. One of the easiest ways for users to breach all your well-intentioned “secure computing” guidelines is to manually configure resources. To avoid human error, use automated provisioning solutions. Whether your cloud has a build automation engine like CenturyLink Cloud Blueprints, or you use popular configuration management tools like Chef, look for ways to turn provisioning into a repeatable activity through automation. This way, you can have confidence that important monitoring agents are installed, unnecessary ports are closed, and only required services are running.
* Monitor key activities. Don’t let your public cloud provider be a passive participant in your overall security governance process! Use APIs (and webhooks, if you’re using CenturyLink Cloud) to find out when new users are added to the cloud, and what permissions they have. Regularly extract your organization’s public cloud audit trail and load into a data warehouse for correlation and analysis.
* Leverage services to offload responsibility. Whether you have a large or small fleet of servers to manage, ongoing maintenance is a big part of staying secure. Servers need to be patched, upgraded, and monitored frequently. If you’re concerned that your existing staff can’t take on management of the public cloud servers in a hybrid environment, look at using managed services to shift that responsibility to your cloud provider.
Networking. Networking is one of the most important – and difficult – aspects of hybrid cloud configuration. Why is it difficult? It so easy to take things for granted when working solely with a local, closed network with geographically-coupled resources.
* Co-locate chatty application components. You know that high performing system sitting in your data center? How well does it work when some components are in the public cloud and some reside in your private environment? A hybrid cloud can expose applications that require a lot of back-and-forth communication that degrades over long distances. For applications like this, commit to putting them entirely in one environment or another.
* Be flexible on IP ranges. While some clouds let you add public servers to a specific subnet, you may be forced to use the cloud provider’s IP address space. Work with your cloud provider to design a topology that provides the most trust and continuity between your networks, even if IP ranges differ.
* Don’t abandon good isolation practices. System administrators are used to crafting a network layout that puts servers with similar isolation needs on the same VLAN. Try to follow this practice throughout your hybrid cloud environment by using the same rigor in your public cloud.
* Establish network trust and keep the front door closed. You know what’s not a good idea? Putting a public IP address on a server and doing remote administration through well known ports. This sloppy practice opens you up to hack attempts! Make sure that your hybrid cloud is configured with persistent, secure connectivity between environments. Look for site to site VPNs, MPLS connectivity, or even cross connects to establish trust. Then, developers and administrators can access servers through the private network and keep the public attack surface to a minimum.
A well-built hybrid cloud helps you deliver services efficiently, securely, and at scale. Security and network challenges are just two of the many areas to focus on when planning a hybrid cloud. In the next article, we’ll share tips for application integration and system management. Looking for help with your hybrid cloud plans? Reach out to us and we can help you design the solution that meets you need!