The commoditization of technology has reached its pinnacle with the advent of the recent paradigm of Cloud Computing. The Infosys Cloud Computing blog is a platform to exchange thoughts, ideas and opinions with Infosys experts on Cloud Computing.


September 30, 2018

Public Cloud Security - is it still a concern for enterprises?

Author: Jitendra Jain, Senior Technology Architect (Architecture & Design Group, Infosys)

Introduction

Cloud computing has become an integral part of IT modernization in enterprises of every size, from small to large, and is considered a major milestone in the transformation journey. Cloud computing changes the way enterprises store, share and access data for services, products and applications. Public cloud is the most widely adopted model of cloud computing. As the name suggests, a public cloud is available to the public over the internet and easily accessible through the web, either free of charge or on a pay-as-you-go basis. Gmail, O365 and Dropbox are some popular examples of public cloud services.

Services provided by a public cloud eliminate extra investment in infrastructure, as all the required hardware, platform architecture and core operating software services are entirely owned, managed and efficiently maintained by the cloud hosting vendor.

As per McAfee research, almost 76% of enterprises have adopted at least one public cloud service provider, whatever the kind of cloud offering (SaaS, IaaS or PaaS). This shows the popularity of public cloud.


Security challenges with public cloud

As utilization of the public cloud model increases significantly, an ever-growing amount of data is moving into the cloud, which inevitably brings risk to data security and protection. Security still remains one of the top concerns for any organization. Across the world, security breaches, data center breaches, security threats, hijacking and malicious attacks are the top headlines in print, digital and social media, and organizations regularly raise security concerns about public cloud. One recent example of a security breach is Equifax's data breach in 2017: Equifax announced a cyber-crime identity theft event potentially impacting approximately 143 million U.S. consumers. Because of such security issues, enterprise leaders and CIOs are still reluctant and not ready to move their applications, workloads and services into the public cloud.

The challenge lies not only in securing the cloud but also in verifying the security policies and security-specific technologies, and in finding a way to control them. In most cases it has been observed that the user, rather than the cloud provider, was at fault, because the user failed to manage and follow the proper security policies and guidelines provided by the public cloud provider.

In a public cloud model security is provided by third-party cloud service providers or vendors, so consumers, i.e. organizations, need to be extremely careful and vigilant about the level of privacy and security required for the data or workloads they host on the public cloud. Confidential or sensitive user data such as SSN, PHI, PII and CVV cannot be shared with a third-party cloud provider. However, information such as product catalogs, media content, static data or any other type of non-critical data can be moved to the public cloud. Some major security threats encountered while using a public cloud platform are shown below.

[Image: major security threats with public cloud (SecThrtss.png)]

Core objectives of an enterprise when moving workloads to the cloud

Any organization moving to the cloud, or in the process of migrating its workloads to a cloud platform, has four fundamental common goals: data security, compliance, cost and scalability. If it gets assurance on all of them it can quickly move ahead, and not otherwise.

[Image: core objectives when moving to the cloud (CoreObj2.png)]

Public cloud: major myths vs. ground reality (explore the truth)

  • Myth: In the public cloud, multiple customers share the same network because of its multi-tenant nature, hence they can easily attack each other and hack their critical data.
  • Reality: It is not an easy job for another subscriber to attack or hack, because a strong and secure hypervisor layer is where the core separation between subscribers takes place. Public cloud providers also offer other preventive options to avoid multi-tenancy related issues, so organizations should understand the ground reality before they take any decision.

  • Myth: In the public cloud, maintaining security is a highly cumbersome task. It requires an additional skill set and more resources, which may add significant cost to the overall program.
  • Reality: It is not at all a complex task, thanks to the latest security architecture models and the various provisions offered by the top cloud vendors (e.g. AWS, Azure, GCP, Oracle). In the world of 2018 it is not much more than doing basic application-level configuration. Any resource can maintain and control it after some training, and cloud providers share extensive training and knowledge artifacts to overcome this problem.

  • Myth: In the public cloud, 100% of the onus for security assurance is on the cloud vendor. Subscribers have no role in it other than consuming cloud resources.
  • Reality: This is not true: the cloud provider shares well-defined contracts in terms of APIs and services, along with appropriate access control mechanisms, for end users or subscribers to follow, but in most cases subscribers fail to follow them, and sensitive information related to secure accounts and credentials gets stolen. So ultimately security assurance is a core responsibility of each and every employee of the subscribing organization. SSO, MFA, encryption and other security mechanisms have to be followed religiously across an organization to secure its data and environment.

Public cloud security current state

  • As per the RightScale 2017 survey, public cloud still holds 41% of total workloads in the overall workloads category, more than private cloud at 38%. Even in the enterprise workload category, public cloud (32%) is chasing private cloud (43%).
  • Currently public cloud seems the more secure and robust option in most cases.
  • Enterprises are keen to put their non-sensitive data on public cloud with extra security measures.
  • In 2000-2010 public cloud started with major security issues, but looking at the current scenario (2017-2018) these have been genuinely addressed by all the major public cloud providers (AWS, GCP, Azure, Oracle, SFDC etc.). However, unauthorized access incidents are also growing rapidly.
  • Public cloud involves less planned downtime than on-premises solutions.

Concluding remarks...

As a matter of fact, public cloud security is still a well-known bottleneck for cloud adoption. Some enterprises are not able to avail themselves of cloud computing benefits due to security concerns. But even after all of these issues the cloud adoption rate is constantly increasing, which shows that most enterprises are geared up and ready for cloud transformation. Organizations can take some preventive measures for security assurance, listed below:

  • Choose the right vendor, based on the business model
  • Educate your own employees; they should also feel accountable
  • Hire the right talent to use the cloud environment; good training can certainly help
  • Follow proper cloud governance across the organization and set up a solid process
  • Enforce strict access control policies and track them closely
  • Monitor applications and data in real time for security vulnerabilities and take action against defaulters
  • Alerting, auditing and monitoring of networks, services and APIs
  • Deploy additional security software to protect data and applications
  • Apply cognitive AI techniques for security protection; this adds an automation culture
  • Do not put sensitive data on the cloud (e.g. PHI data, SSNs, health records, defense information, CVV etc.)
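The last measure above (keep SSNs, card data and health records off the public cloud) is the one that can be enforced mechanically. As an added example, not part of the original post, here is a pre-upload gate that scans each record for hyphenated U.S. SSNs and Luhn-valid card numbers and blocks any record that carries one; the field names in SENSITIVE_FIELDS and the sample records are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records standing in for rows queued for upload to a public cloud bucket.
SAMPLE_RECORDS = [
    {"id": 1, "product": "Widget", "price": "19.99"},
    {"id": 2, "customer": "A. Person", "ssn": "123-45-6789"},
    {"id": 3, "note": "paid with 4111 1111 1111 1111"},
    {"id": 4, "note": "order ref 4111 1111 1111 1112"},  # fails Luhn, so not a card number
    {"id": 5, "cvv": "123", "product": "Gadget"},
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")  # hyphenated U.S. SSN format only
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # card-number-length digit runs
# Hypothetical field names treated as sensitive by definition (a CVV is only 3-4 digits,
# so it cannot be recognised from its value alone).
SENSITIVE_FIELDS = {"ssn", "cvv", "phi", "health_record"}

def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject area/group/serial combinations the SSA never issues."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(record: Dict[str, object]) -> List[str]:
    """Return the reasons a record must stay inside the enterprise boundary."""
    reasons = []
    for key, value in record.items():
        text = str(value)
        if key.lower() in SENSITIVE_FIELDS:
            reasons.append(f"field '{key}' is classified sensitive")
        for m in SSN_RE.finditer(text):
            if is_valid_ssn(*m.groups()):
                reasons.append(f"field '{key}' contains an SSN")
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                reasons.append(f"field '{key}' contains a Luhn-valid card number")
    return reasons

def gate_upload(records) -> Tuple[List[int], List[Tuple[int, List[str]]]]:
    """Split records into ids cleared for upload and (id, reasons) pairs that are blocked."""
    allowed, blocked = [], []
    for rec in records:
        reasons = find_sensitive(rec)
        if reasons:
            blocked.append((rec["id"], reasons))
        else:
            allowed.append(rec["id"])
    return allowed, blocked
```

Records 1 and 4 pass (the second digit run fails the Luhn check), while records 2, 3 and 5 are held back with the reason attached for the audit trail.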
Final message from author

Public cloud still seems to be a better and more secure option if chosen carefully based on the suggestions above. In the current digital computing arena enterprises cannot ignore its importance, so sooner or later everyone has to adopt a public cloud environment; better to start exploring the right model at the earliest.


September 20, 2018

Multi-Cloud strategy - Considerations for Cloud Transformation Partners

While "Cloud" has become the "New Normal", recent analyst surveys indicate that more and more enterprises are adopting Multi-Cloud, wherein more than one Public Cloud provider is utilized to deliver the solution for an enterprise, for example a solution that employs both AWS and Azure. There are various reasons for enterprises to take this route, Cloud Reliability, Data Sovereignty, Technical Features and Vendor Lock-in being a few among them.

Though most of the deliberations revolve around Multi-Cloud for enterprises, here is an attempt to bring out the considerations that a Cloud Transformation Partner needs to watch out for.


There are four core areas a Cloud Transformation Partner must focus on to ensure successful and seamless Transformation & Operation of a Multi-Cloud environment:

1. Architecture
2. Engineering
3. Operations
4. Resources

Architecture: Success of a multi-cloud strategy depends largely on defining the right architecture that can help reap the benefits of having a multi-cloud environment. Architecture decisions should be reviewed against the business demands that triggered a multi-cloud strategy and ensure they are fulfilled.

Application and deployment architecture has to address all aspects of why an enterprise is looking to adopt a multi-cloud strategy. For example, if Data Sovereignty was the key consideration, the application deployment architecture should make sure that data resides in the appropriate Cloud that suits the need. If reliability is the driver, a suitable failover mechanism needs to be in place, making use of the multiple cloud platforms available.

Interoperability across platforms is among the critical elements to emphasize, along with portability across Cloud Service Providers (CSPs). Achieving this takes a multi-layered approach, and containers are emerging as a solution in the cloud native space. More details in another blog post here.

Though Cloud as a platform is stable, there is a possibility of failure with a cloud provider (and we have witnessed it in the past). Disaster Recovery (DR) solution built on multiple clouds can be a more effective solution than DR with a single cloud provider in multiple regions.

Establishing network connectivity between competing CSPs can have its own challenges and bottlenecks. The network solution should facilitate provisioning new connections when needed, with the desired performance across multiple clouds.

Security solutions and controls need to run natively on all clouds and work across all boundaries. Hence Cloud Security Architecture should be on top of the list for considerations in multi-cloud. More importantly, solutions for threats, breaches and fixes need to cater to multiple CSPs and have to be centrally coordinated to respond effectively.


Engineering: There will be changes to the current set of application development and engineering processes followed for a single cloud environment. Application Deployment would need careful planning in a multi-cloud environment with specific focus on developer productivity, process compliance and security implementations.

DevOps should be an integral part of agile development for cloud native & traditional applications. Attention and careful planning needs to be given to the DevOps process and tools to work seamlessly across multiple cloud platforms.

Application lifecycle management should have Platform specific testing built into the process and ensure reliable operations on each of the target platforms.


Operations: Cloud operations are more complex in a multi-cloud scenario due to the overheads that each cloud platform will bring in.

The Cloud Management Platform (CMP) must support the multiple Public Clouds that are part of the solution. The CMP should be capable of abstracting the complexity of the different Cloud stacks and models and provide operators a single window view to monitor, administer and manage the multi-cloud ecosystem.

Oversubscription of Cloud resources needs to be watched for in a multi-cloud environment. It is hard to foresee the cloud usage patterns in each of the cloud platforms, and it is very likely that one or all of the cloud platforms can get oversubscribed. Optimization of cloud resources can be a challenge and can result in increased costs. A Multi-Cloud strategy may not attract the best volume discounts from a CSP and can impact the cost.

SLAs can vary across CSPs; this should be taken into consideration while defining the service levels.

Overheads for managing and tracking multiple CSP contracts, billing etc. takes effort and time and needs to be planned for. A well-defined change control mechanism and a roles & responsibilities matrix are essentials in a multi-cloud environment.


Resources: Staffing needs to be planned considering the multiple cloud platforms and the varied skills that would be required. Teams need to have an appropriate mix of core cloud horizontal skills and CSP-specific vertical skills. A multi-cloud environment will demand resources in:

Cloud Horizontal Skills - Engineering skills like cloud native development with 12-factor principles and cloud orchestration are relatively cloud provider independent. Resources will be specialists in their technical areas and will not be dependent on the Cloud platforms.

Cloud Vertical Skills - Specialists of each cloud platform will be required to extract the best out of each of the multiple cloud platforms that are used. These resources will be required at various roles ranging from architects to developers.

Agile/DevOps - Cloud development needs to be agile and should accommodate changes with minimal turnaround time. This would need adoption of Agile/DevOps and resources with the appropriate skills to run large scale agile projects.

Cloud led transformation is a journey, a continuum, for any large enterprise, and hence they should choose a cloud transformation partner who has deep expertise across architecture, engineering and operations with the right resources. Infosys as a leading cloud transformation partner has been working with Global 2000 enterprises on their transformations. You can find more details on the same here.


September 3, 2018

Choosing the right Cloud Service Provider(s) and managing portability and interoperability across them

Global Enterprises are leveraging cloud as a platform to enable transformation, to drive business growth, improve business agility and enhance customer experience while delivering resilient IT systems at an optimal cost. AWS and Azure are the leading hyperscale cloud service players in the market, while others like Google Cloud, Oracle Cloud are emerging strong as well with compelling product service offerings for enterprise customers.

Choosing the right Cloud Service Provider

A cloud service provider choice is not made by enterprises solely based on cost, nor will they move from one cloud service provider to another just to achieve a direct cost advantage on CSP charges. The choice of cloud service provider is made considering the suitability of the CSP for the workload, the unique feature set offered by the CSP, visibility into the product roadmap, security and compliance adherence, flexibility in commercial agreements, pricing models and overall business strategy alignment. The heterogeneity of the current enterprise IT landscape, and globally distributed businesses with IT strategy set at the line-of-business or country/regional level, lead enterprises to adopt more than one cloud service provider.

With more than one cloud service provider and an existing infrastructure landscape, enterprises end up with a multi cloud environment and applications deployed across them. With business process flowing across applications in different deployment zones, it is essential that enterprises manage the hybrid environment with due considerations involving interoperability and portability.

Interoperability

The foundation for interoperability should factor in all four layers of the IT landscape, namely infrastructure, platform, application and business processes, while catering to the needs of all involved stakeholders, who primarily include developers, IT operations, security, application and business owners. Considerations in the interoperability design include:

  1. Abstract the complexity of the cloud platform and provide a unified interface to IT developers to enable large scale adoption.
  2. Provide a unified cloud orchestration and management layer for provisioning, self-service catalog, policy based orchestration, monitoring and billing and chargeback.
  3. Create an integration platform at the data and process levels across the deployment zones in a secure manner. This is to ensure business processes can be executed seamlessly across applications deployed in the various zones.

Portability

Though interoperability ensures operations across multiple cloud service providers, there is a need to consider portability at various levels, including:

  • Applications - Technology stack (programming) and application packaging to enable application development irrespective of the application deployment target. For example, an application would be developed with technologies like Spring, Python, NodeJS, MySQL, MongoDB, Hadoop and Spark and packaged as containers to ease deployment.
  • Middleware platform - An application management runtime that brings in uniformity across cloud service providers and simplifies operations and management across them. Containers like Docker and container management platforms like Kubernetes help deploy applications on a multi cloud platform and manage them in a scalable manner.
  • Development and Management Tools - While cloud native applications bring in the required agility, they need the right set of development and management tools to manage them.
    1. Unified service discovery, routing, security and management to monitor and troubleshoot microservices and applications deployed in the hybrid cloud. The cloud control plane is expected to provide service discovery and routing, security policy enforcement, identity and authorization services, tracing, logging and monitoring to run large scale hybrid cloud environments. Service mesh technology is in its nascent stage and focused on addressing these needs.
    2. A DevOps platform to build, test, package and deploy applications in a uniform manner across cloud service providers. Tools like GitHub, Jenkins, Packer, Terraform, CloudForms and Chef/Puppet help realize a DevOps platform which works across public and private clouds.
  • Security - Consistent implementation and enforcement of security irrespective of the application deployment zone in the hybrid cloud. Unlike the traditional data center model of deploying applications into a defined network architecture, cloud native workloads are dynamically placed across deployment zones in multiple clouds in a portable manner. This necessitates technologies that reconfigure the infrastructure to enforce the security policies in a software defined manner. Service mesh attempts to address the security needs of the hybrid cloud as well and continues to evolve.

Implementation of portability should consider factors like the cost of implementing portability, the impact of avoiding CSP-native capabilities, time to market and the engineering skills required to build the platform. The enterprise may also choose to implement limited portability, weighing factors like the unique advantages of a specific CSP service, the cost of porting out in the future, etc.

Summarizing, while the choice of cloud service providers is made based on the feature set, workload affinity and commercial agreement, it is essential to establish interoperability across the infrastructure, platform and application layers to ensure service resiliency and unhindered operations. Also, critically evaluate portability needs while defining the cloud solution blueprint, to retain a continuous evolution path for the organization.

Infosys as a leading cloud transformation service provider has helped several clients successfully to navigate through their multi cloud adoption journey. We would be happy to share our experiences with you and help you in your journey.