Do You Feel Secure in Your Cloud?

Your clients and employees could be commuting to work, at their desk or traveling overseas.  They could be trying to access your business's applications using a smartphone, a tablet, a laptop, or even a watch. They're trying to get some work done.

Applications and data can now be consumed anytime and from anywhere. The challenge for the business hosting an application is how to provide secure access and visibility without compromising the user experience. Since your applications are as unique as your business, not a single cloud infrastructure can fit every circumstance.

Is Private Cloud More Secure Than Public Cloud?

No. They are both very secure and, at the same time, there are vulnerabilities. We can also look at a hybrid approach, which uses a combination of, or new tools in private and public clouds. Overall, your security depends on the workload running. Rephrasing this question provides further insight: What does my application or data set need/require for secure access? Each of these cloud-types provides a unique set of tools, challenges, and expertise required for secure operations.

As a business, the decision to run new workloads/move workloads into a certain cloud-type comes down to a possible set of simple questions to ask yourself to create a security posture specific to that cloud:

• Are there regulations in our industry that require a cloud posture or focus?
• Is there an executive requirement/goal to be in a certain cloud-type?
• Are there geographic constraints or requirements?
• Are there budgetary requirements for workload placement?
• Are we running workloads for other entities we’re legally responsible for?
• How is our application/data estate currently deployed today?
• Is there a cloud preference for applications? What about data access/availability?
• What is the cloud-educational level of my operational IT organization?

Understanding your enterprise’s current cloud mindset will help drive the security conversation of how to secure those workloads.

Let Your Workloads Define Your Security

Cloud choice requires a singular focus on the workload being run to help understand where it should live. Let’s break down each of the cloud types (private, public, and hybrid cloud) into advantages and disadvantages for running secure workloads.

Public Cloud Security

A public cloud is a platform that makes the standard cloud computing resources (e.g., storage, compute power, virtual machines, etc.) available to users via the Internet. There are three main public cloud providers, AWS, Microsoft, and Google, who deliver their services over the Internet or through dedicated connections, and they use a fundamental pay-per-use approach.

As companies migrate to a public cloud, their security mindsets, talent pool, and risk strategies must change.

Private Cloud Security

A private cloud is also known as an on-premises cloud architecture, and it’s deployed on a business’s in-house datacenter. More vendors nowadays offer their own private cloud services to boost or even replace a business’s own private cloud environment.

The private cloud definition from The National Institute for Standards and Technology (NIST) says that “the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers. It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.”

The most familiar concept for many companies, private cloud ensures control but can cost more and limit potential access to new workloads that users demand.

Hybrid Cloud Security

The holy grail of IT includes the ability to control workloads and cost anywhere, but requires new security tools to run in both public and private clouds.

Additional Cloud Security Considerations

Below is a sample of other suggestions to consider when choosing a cloud-type for your apps and data:

• Control and Visibility - Do you have the tools/talent/time to understand your entire cloud estate?
• Data Management - Are you adhering to industry-specific/geographic regulations for your data? How are you understanding insider data threats?
• Cyber Threat Risk - Is there an application or data particularly more appealing to threat actors? Are you classifying your workloads based on a risk assessment?
• Configuration Management - Are you able to push/patch/pull across your workloads in as little time as possible? Are legacy workloads identified and considered for changes as new threats emerge?
• Policy Enforcement - How are you ensuring compliance of business policies as it relates to security? Are you aligning security recommendations with end-user experience? How are you gathering user feedback?
• Business Continuity - Do you have a regularly tested recovery program and procedure in place? Have you further qualified key, business-critical workloads that must not be unavailable? How are you ensuring their viability?

That is a small subset of things to consider. Find it overwhelming? Start by focusing on well-known, highly critical apps and data can provide the best bang for your planning and provide peace of mind to executives.

NOTE: This post draws on content originally published by Mike Barmonde of Nutanix Inc., April 2022.

If you would like help assessing your cloud and security strategies, please contact your Flagship Account Manager or complete the form below.