AlgoSec Survey Reveals Security Pains Of Hybrid Cloud

Hybrid Clouds Confuse Security Policies

A hybrid computing environment is becoming the dominant paradigm for enterprises, but security concerns are causing headaches for IT professionals. Some companies find themselves stymied when trying to decide on the technologies they need and the best policies to implement across on-premises and cloud environments.

In August, AlgoSec, a vendor of network security policy management software, asked 363 IT professionals about the challenges their organizations faced securing business applications across hybrid environments.

Two-thirds of the respondents were either already deploying, or planning to deploy within the next three years, at least some business applications on an IaaS platform.

Their responses lend insight into the frustrating puzzle that network security policy has become in the new IT landscape.

Poor Visibility, Disparate Policies

More than half the respondents had trouble extending corporate security policies to their public cloud. Even more, about 56 percent, told AlgoSec they lacked the operational workflows needed to effectively manage security across the hybrid environment.

Of the respondents already operating a hybrid cloud, 62 percent said they viewed the sheer complexity of implementing security policy as a significant challenge.

More than 70 percent of respondents believe they need better visibility across on-premises data centers and public cloud resources. More than 60 percent said demonstrating compliance and managing network policy are both more difficult for cloud infrastructure.

Companies that haven't yet deployed hybrid clouds are even more concerned about extending corporate policies and maintaining visibility across platforms.

Two-Thirds In The Cloud By 2017

The security policy challenges aren't halting adoption. Nearly 30 percent of the respondents already use at least one public IaaS provider, and 37 percent expect to migrate to a public cloud sometime within the next three years.

Only one-third of the companies surveyed by AlgoSec said they did not expect to run any business applications hosted by an IaaS provider within the next three years.

"Despite the challenges experienced and anticipated with network security management across hybrid platforms, most organizations surveyed are already using or planning to use public IaaS to host at least some of their business applications -- and the pace seems to be accelerating," the report states.

Big Companies Moving More Workloads

Seventy percent of respondents committed to the cloud told AlgoSec they expect somewhere between 10 percent and 60 percent of their business applications to be hosted on a public IaaS platform within the next three years. That adoption rate climbs to 75 percent of respondents from companies with more than 2,000 employees.

Another 14 percent said more than 60 percent of their workloads will be in the cloud within that same time frame.

Among organizations already using the public cloud, 22 percent expect more than 60 percent of their applications to use public cloud infrastructure within three years, and 8 percent predict that nearly all of their business applications will run in the cloud.

Cloud Network Security Controls Are Fragmented

In private data centers, firewalls are the predominant technology to control network access. In the public cloud, fragmentation and uncertainty characterize the network security arena.

One-third of respondents use, or expect to use, a commercial firewall to protect their cloud resources. About 25 percent expect to rely on the cloud provider for implementing controls through features such as AWS Security Groups, and 10 percent plan on using host-based firewalls such as Linux iptables.

Companies that have already migrated to IaaS platforms are slightly more likely to depend on host-based firewalls and cloud provider controls than those still in the planning stage.

Another 28 percent of all respondents said they don't know what to do, and 4 percent have decided not to set a policy.

Cloud Network Security Controls Are Unclear

The 28 percent of respondents who told AlgoSec they don't know what technologies to use to define network security policies across their public IaaS platforms are not all small companies.

Of those unsure of how to go about managing security policies, 34 percent have fewer than 500 employees -- and half have more than 2,000 employees.

The uncertainty is not limited to companies still in the migration planning stages, either.

Thirty-three percent of the companies expecting to migrate some business applications to a public infrastructure platform don't know what they will use to define security policies.

Neither do 18 percent of respondents whose organizations are already using a public IaaS platform.

Data And Network Security Challenges

What's the most challenging security function to migrate to the public cloud?

Thirty-one percent of respondents across all organizations think that it is data security; 24 percent think it is network security.

But those rankings differ when broken up by organizational size.

While almost twice as many large organizations believe data security is the most difficult function to migrate, among smaller organizations, slightly more find network security the bigger headache.

Another 15 percent of overall respondents said identity management presented the biggest migration challenge, 15 percent said vulnerability management, 12 percent said endpoint security and 3 percent struggled most with patch management.

Who’s In Charge?

Who's tasked with network security depends greatly on the size of the organization.

Seventy-two percent of respondents from large companies that are using or planning to use a public cloud task the Information Security team within their company with managing security.

Among the smaller organizations surveyed, those with fewer than 500 employees, 70 percent assign that job to the IT Operations team.

The overall number averages out to roughly a 50/50 split among all respondents in the survey.

AWS And Azure Dominate

More than half of the respondents already in the cloud -- 53 percent -- are Amazon Web Services customers. Another 44 percent are doing business with Microsoft Azure.

Just under 20 percent are using Rackspace as an IaaS provider, 17 percent are using Google Compute Engine and another 8 percent are hosting some workloads with Verizon Terremark.

About 20 other cloud platforms rounded out the answers, most only represented by one or two companies participating in the poll.

"Microsoft Azure seems to be gaining ground, especially among the largest companies. Notably, many organizations report using or planning to use multiple IaaS platforms with a mix of AWS, Microsoft Azure, Rackspace and Google Compute Engine," the report states.

Coming To Terms

Despite the security challenges, migration to public cloud platforms is gaining speed, AlgoSec concluded.

At the same time, lack of visibility and increased complexity associated with multiple environments spanning on-premises and cloud resources "remains a significant concern for organizations, even as they commit to migrating more of their applications."

As more companies move more business applications to public IaaS providers, they "will need to come to terms with the challenges of extending and maintaining network security in a hybrid environment," the report states.

Team Structure And Responsibilities

IT organizations must also figure out how they will determine who manages security for public IaaS platforms: IT Operations or Information Security teams within the company, or the platform providers.

"Workflows must shift to accommodate the public model as well, though many organizations report that the changes necessary to support the new environment have yet to occur. For IT professionals, the rapid movement to a hybrid environment means significant changes in team structure and responsibilities need to happen just as fast to enable the organization to maintain agility and security," the AlgoSec report states.

Formulate Policies, Align Roles

Finally, IT organizations must decide whether they want to use commercial network firewalls, provider controls or other methods of implementing security.

"This uncertainty may be exposing organizations to significant risk if indecision leads to inaction," the report states.

AlgoSec recommends that organizations focus their efforts on aligning IT and information security roles for the new realities presented by the hybrid cloud environment. They also need to codify security management processes that work across on-premises and cloud environments, and improve visibility of policies in public IaaS platforms.

"These changes will enable them to work more effectively and ensure security in the new paradigm, while taking advantage of the flexibility and cost benefits public IaaS platforms offer," the report states.