Although cloud technologies (and their many potential benefits) have been available for several years, many organizations have been reluctant to migrate their applications and data to cloud architectures because of general security concerns.
Over time, particularly in the past few years, enterprises have gained a better understanding of the security concerns inherent in cloud architectures and, more important, have determined how to effectively mitigate these risks. This, in turn, has increased cloud adoption rates. A 2015 survey by RightScale found that more than 90 percent of organizations have built cloud architectures, and nearly 70 percent of them are using private clouds.
Security is a critical consideration for every IT environment, including the cloud. However, IT professionals would be wise to view migrating applications and data to a private cloud not as a series of security challenges to overcome but as an opportunity to redesign (and thus improve) the security of the applications and data. Instead of being bound to old security controls and tweaking them to adjust for cloud-specific security concerns, an organization can make the most of the transition by reassessing security needs and selecting an optimal set of security controls. This approach may sound potentially resource-intensive and costly, but it will more effectively prevent data breaches and other compromises. It can also ease security management demands.
For private cloud migrations, enterprises should build a holistic, unified system of security controls instead of a disparate collection of isolated controls. An organization has a truly unified system when it selects controls that can be integrated with each other and then implements them to provide even stronger and more efficient security that is also easier to manage. One of the key parts of this defensive structure for private cloud implementations is security monitoring.
Private cloud architectures are highly scalable and flexible, allowing them to meet a wide variety of enterprise needs, as well as short-term changes to these needs. To take full advantage of this scalability and flexibility, the cloud’s operations need to be automated to the greatest extent possible. This allows self-service provisioning and adjustments to existing provisioning (such as the need for additional resources to be allocated to a particular application) to occur seamlessly and swiftly, greatly reducing delays in deployment and preventing partial or full outages caused by resource limitations.
Monitoring is a key component of private cloud automation. A complex endeavor, monitoring involves everything from collecting and analyzing data for notable events to automatically responding to security-related incidents. Monitoring within a private cloud can be even more complex because of the shared nature of cloud resources. If monitoring is not planned, deployed and configured properly, it may be difficult — or even impossible — to determine which cloud workload is associated with a particular event.
The most fundamental part of private cloud monitoring is to ensure that all relevant events are being audited and logged to a secure location. These events include those typically associated with IT systems, as well as those particular to cloud implementations, including cloud resource requests, provisioning, usage and decommissioning. Robust monitoring captures events at the following points within the cloud architecture:
Network security controls, such as firewalls and intrusion detection systems
All the cloud servers’ logical layers (such as the host operating system, virtualization layer or guest operating system)
All software residing within the guest operating system, including user-facing applications, administrative interfaces, databases and other backend applications
The cloud’s networks and storage media
The management of the cloud architecture itself
In addition, organizations should perform similar monitoring of the resources outside the private cloud that the cloud uses, such as enterprise authentication and directory services.
Collecting this security data is incredibly important, but it’s not terribly useful if the data is not regularly reviewed and analyzed. IT staff should regularly validate that the current private cloud implementation and workloads meet security requirements and can mitigate the latest known threats. At a minimum, enterprises should create and review daily or weekly activity reports; ideally, analysis should be automated and continuous.
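The automated review described above, sketched as an added example (not from the original article). It assumes events have already been normalized into a hypothetical schema with `ts`, `source`, `workload` and `action` fields; the source labels and sample events are constructed for illustration.

```python
# Monitoring points from the list above; the short labels are assumed names.
REQUIRED_SOURCES = {"network_security", "host_os", "virtualization",
                    "guest_os", "application", "storage", "cloud_mgmt"}

# Constructed sample events (hypothetical schema, not real log data).
SAMPLE_EVENTS = [
    {"ts": 1, "source": "cloud_mgmt", "workload": "wl-a", "action": "provision"},
    {"ts": 2, "source": "network_security", "workload": "wl-a", "action": "allow"},
    {"ts": 3, "source": "guest_os", "workload": "wl-a", "action": "login"},
    {"ts": 4, "source": "virtualization", "workload": None, "action": "vm_migrate"},
    {"ts": 5, "source": "application", "workload": "wl-a", "action": "query"},
    {"ts": 6, "source": "cloud_mgmt", "workload": "wl-a", "action": "decommission"},
    {"ts": 7, "source": "storage", "workload": "wl-a", "action": "read"},
    {"ts": 8, "source": "guest_os", "workload": "wl-b", "action": "login"},
]


def review(events, required=REQUIRED_SOURCES):
    """Return findings for one review window.

    silent_sources: monitoring points that logged nothing at all.
    unattributed:   timestamps of events that name no workload.
    lifecycle:      activity for a workload that is not currently
                    provisioned (never provisioned, or decommissioned).
    """
    findings = {"silent_sources": [], "unattributed": [], "lifecycle": []}
    seen_sources = set()
    provisioned = set()  # workloads currently provisioned
    for ev in sorted(events, key=lambda e: e["ts"]):
        seen_sources.add(ev["source"])
        workload = ev.get("workload")
        if not workload:
            # Shared-resource event that cannot be tied to a workload.
            findings["unattributed"].append(ev["ts"])
            continue
        action = ev["action"]
        if action == "provision":
            provisioned.add(workload)
        elif action == "decommission":
            provisioned.discard(workload)
        elif workload not in provisioned:
            findings["lifecycle"].append((ev["ts"], workload, action))
    findings["silent_sources"] = sorted(required - seen_sources)
    return findings


if __name__ == "__main__":
    for name, items in review(SAMPLE_EVENTS).items():
        print(name, items)
```

Run on a schedule or against a streaming log pipeline, a check like this turns the daily or weekly report into a continuous one.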