PROTECT | MONITOR | RESPOND

THE ENTERPRISE JOURNEY TO The Hybrid Cloud

Post on 28-May-2020

Setting Goals and Developing Consensus

Step 1: Evaluate New and Existing Systems, Processes, and Applications

Step 2: Assess New Technologies

Step 3: Pull in Team Members

Step 4: Identify and Confirm What Your Hybrid Cloud will Look Like

Building and Deploying Better Workloads

Step 1: Become Familiar with the Shared Responsibility Model

Step 2: Leverage the NIST Cybersecurity Framework (CSF)

Step 3: Deploy Hybrid Cloud Continuous Security Assessment and Remediation Platform

Steps to Building a World-Class Hybrid Cloud Infrastructure

Driving Business Growth and Profitability

Demand for the Hybrid Cloud is growing at an ever-increasing rate. Gartner predicts the Hybrid Cloud will become the most common form of cloud consumption by 2020, as the final barriers give way to the new normal in enterprise information technology (IT). This eBook walks you through the steps required to build a world-class Hybrid Cloud infrastructure, from setting goals and developing consensus to building and deploying secure hybrid workloads.

Setting Goals and Developing Consensus

STEP 1: Evaluate New and Existing Systems, Processes, and Applications

As companies look for ways to improve the bottom line, not much can escape the microscope that scans every part of the business looking for things to revise and remove. For everything from the way transactions are handled to the systems they are performed on/from/through, and even the data sets that make them work, anything and everything can be questioned. Each component is analyzed for inefficiencies or other process-hindering ‘features’ that need to be addressed. Even the business processes themselves are not immune to this annual (and sometimes more frequently-applied) scrutiny.

“Just 40 percent of the companies we studied have more than 10 percent of their workloads on public-cloud platforms; in contrast 80 percent plan to have more than 10 percent of their workloads in public-cloud platforms in three years or plan to double their cloud penetration.” —MCKINSEY & COMPANY

[Figure: Drive Business Growth and/or Profitability, supported by Evaluate New & Existing Processes, Evaluate New & Existing Systems, and Evaluate New & Existing Applications]

The chief information security officer (CISO) and his/her team are tasked with developing an IT plan that facilitates the goal of driving business growth and profitability. They look primarily at three areas—applications, processes, and systems—with a view to the role played by current technology and the potential advantages or pitfalls of introducing new approaches. This includes the roles played by and impact on individuals. They then balance this evaluation against their organization’s risk profile as well as the criticality of IT to their business and overall competitiveness.

[Figure: the evaluation of processes, systems, and applications above, extended with two sets of considerations: Data Access, Storage, Privacy; and Agility, Connectivity, Speed, Latency]

The reuse of existing technology or the introduction of a new approach is then evaluated on how well it meets the following requirements:

• Agility – deployment speed and ease of use for new applications and systems

• Connectivity – requirements for speed, latency, fidelity, and how these are met

• Data – all phases of its lifecycle, including access, storage, and of course, privacy

Looking more specifically at applications and services, the next consideration is where to deploy near-term and further in the future. Options here include:

• Move all or some workloads to on-premise virtual machines (or even containers). On-premise in this case includes enterprise-controlled co-location

• Leave all or some workloads in a traditional data center environment

• Move all or some workloads to the public cloud (or multiple public clouds)

[Figure: workload placement options added to the previous diagram: Move All or Some to On-Premise in the Data Center; Move All or Some to Public Cloud; Leave All or Some On-Premise in the Data Center]

76% of enterprises have a formal cloud strategy —FORRESTER

This migration isn’t a fixed point in time. It is more of a journey than a destination. It is very likely that the organization will be in a constant state of managing a constantly-changing set of existing/legacy on-premise datacenter systems, legacy virtualized on-premise systems, new virtualized systems on-premise (in both “managed” and “Shadow IT” form), and a growing number of managed and (hopefully diminishing) Shadow IT systems running in the cloud. And, with each business request comes the time and investments required to make the decisions—how much to spend and how and where to build and deploy. If done properly, cross-functional teams will be involved in this decision-making process. These teams play a central role in the security approaches described in Section 2.

STEP 2: Assess New Technologies

By the very nature of cloud technology, moving to the cloud mandates new technologies. New technologies include web and email gateways, user authentication / IAM, Security Information and Event Management (SIEM), Cloud Access Security Brokers (CASBs), and Cloud Workload Protection (CWPP). The enterprise may rely on a combination of deployment options for these requirements—self-deployed on-premise, 3rd-party Software as a Service (SaaS), or leveraging services native to its public cloud provider(s).

As the business is run, the business processes are defined, and the systems/applications are selected (or developed) and later deployed, it’s critical that the organization take into account the risks they face with having all of these systems and applications accessing and manipulating the business (and customer) information.

[Figure: the previous diagram extended toward the goal Build and Deploy Secure Hybrid Workloads, with the teams involved: Business Unit Leads, Risk / Legal, IT / Ops, Architects / Analysis]

STEP 3: Pull in Team Members

The IT and the Operations teams are getting direction from the business team(s), along with the architects and data analysts. They are being fed requirements to make existing systems do more and to stand up new services and processes without breaking the schedule (or the bank).

At some point, the risk, legal and compliance teams will get involved to make sure that the risks are mitigated and that the compliance requirements are understood (and met)—not just for the new applications and technology coming online, but for everything that runs the business—even the old, antiquated, legacy systems.

STEP 4: Identify and Confirm What Your Hybrid Cloud will Look Like

Looking back on the three options as to what to migrate to the cloud, and what to leave in-place, the optimal solution for many organizations will be the Hybrid Cloud, a combination of on-premise assets, and workloads deployed in one or more public cloud service providers. There is no lack of analyst reports, press, and documentation from the cloud providers themselves describing the financial and business advantages of the Hybrid Cloud. Rackspace, for example, outlines the business value of each Hybrid Cloud environment:

• Public cloud for pay-as-you-go scalability, ideal for heavy or unpredictable traffic

• Private cloud for enhanced security and ultimate control

• Dedicated on-premise servers for ultra-fast performance and reliability

[Figure: from Drive Business Growth and/or Profitability to Build and Deploy Secure Hybrid Workloads, through Inventory and Appraise Business Environment and Deploy New or Migrate Existing Business Processes & Systems. Teams shown: IT / Ops, DevOps, Business Unit Leads, Risk / Legal, Architects / Analysis, InfoSec]

This option blends the necessary flexibility to adapt to changing business environments while offering differing levels of security (if deployed properly, and covered in Section 2). What is important to note is that it is not an all-or-nothing decision, and the various teams as depicted will all play a part in the decision, the timing, and the extent of the migration. What are the necessary steps, then, to build the confidence within the organization to make the migration a reality?

Knowing the goal—Building and Deploying Secure Hybrid Workloads—the enterprise must clearly connect the goal to the initial requirement—Drive Business Growth and/or Profitability. How? The answer involves an understanding of the current environment after bringing all stakeholders to the table and then making the right changes to the organization’s business processes and systems. The business leads that are tasked with corporate success must have confidence in those who are responsible for execution and then, if the organization is suitably equipped, empower the DevOps team. An effective template for connecting the dots is the NIST Cybersecurity Framework with extensions for the cloud.

DATA SECURITY, COMPLIANCE/GOVERNANCE, AND CLOUD PROVIDER LOCK-IN ARE THE TOP THREE CLOUD MIGRATION CONCERNS —BAIN AND MORGAN STANLEY, 2016

Building and Deploying Secure Hybrid Workloads

STEP 1: Become Familiar with the Shared Responsibility Model

The Cloud Service Provider (CSP) has responsibility for the security of the cloud, while the customer has responsibility for the security in the cloud.

Moving up the stack in the diagram below, Microsoft, for example, manages networking, storage, the physical servers, and virtualization, while the customer looks out for the OS, middleware, runtimes, as well as data and applications. With proper planning and processes, the cloud may be more secure and resilient than an on-premise solution, since securing the physical infrastructure is one less worry. But without planning, the organization will experience the same security vulnerabilities as a poorly managed on-premise solution, though with less visibility.

Amazon Web Services (AWS) and Azure have documentation on the role of the enterprise and their own roles in Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and SaaS, and it is incumbent upon the enterprise to both understand these and put them into practice. Further, when deploying across a hybrid environment, the organization must have a common view into its risk posture, independent of CSP-specific metrics.

[Figure: shared responsibility by deployment model. Columns: On-Premise, IaaS, PaaS, SaaS. Layers, top to bottom: Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking. Legend: Your Responsibility / Cloud Provider Responsibility]

STEP 2: Leverage the NIST Cybersecurity Framework (CSF)

The NIST CSF provides a good framework for reaching better security, in this case within the Hybrid Cloud, but leaves it to the organization to decide what steps to take, and how. It also references a wealth of external guidelines and best practices but does not dictate which to use and to what extent.

As a review, the CSF outlines a process whereby the organization brings the necessary stakeholders to the table to assess its current security posture (the current profile), determine where it needs to be (the target profile), and then put the necessary processes and systems in place to achieve this. It also defines a set of ‘tiers’ that will impact the target profile, where a tier reflects the relative security maturity of the organization. The CSF is structured around five core functions that drive implementation—Identify, Protect, Detect, Respond, and Recover.

[Figure: components of the NIST CSF]

• Framework Core – Cybersecurity activities and information references, organized around particular outcomes. Enables communication of cyber risk across an organization.

• Framework Profile – Aligns industry standards and best practices to the Framework Core in a particular implementation scenario.

• Framework Implementation Tiers – Describes how cybersecurity risk is managed by an organization and the degree to which the risk management practices exhibit key characteristics.

Using ‘Identify’ as an example, categories include securing assets, the business environment, and risk. These categories then map into the different guidelines such as NIST 800-53r4, CCS CSC4, ISO/IEC 27001, and COBIT 5. In a hybrid environment, a guideline such as NIST will be applied to both on-premise and cloud workloads. In addition, the enterprise, following the approach below, may bring other relevant references and controls to the table including cloud hardening, Docker, Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), and the General Data Protection Regulation (GDPR), for example, if deploying in the European Union (EU). Remember—think of the CSF as an extensible framework, applicable for both domestic and international deployments and adaptable to any size organization.

When implementing the NIST CSF, the organization may take the steps outlined in the following figure. The trans-business unit team will collectively set goals and, based on the selected tier and business requirement, create a goal profile. The next steps are assessing current status, identifying gaps, and implementing the action plan. With the old adage that ‘security is a journey and not a destination,’ the team will periodically (or continually) re-evaluate posture and business needs and make changes as required. The next sections detail these different phases.

[Figure: implementation cycle: Set Your Target Goals; Create a Detailed Profile; Assess Your Current Position; Analyze Gaps and Identify Necessary Actions; Implement an Action Plan]

THE AVERAGE ENTERPRISE EXPERIENCES 23.2 CLOUD-RELATED THREATS PER MONTH, OF WHICH 10.9 ARE INTERNAL. —SKYHIGH NETWORKS

Set Your Target Goals

Before you even think about how to implement the NIST CSF, you must set your target goals. The first hurdle that many organizations encounter is establishing agreement throughout the organization about risk tolerance levels. Often, a dangerous disconnect exists between upper management, IT, and technical staff about what constitutes an acceptable level of risk.

Draft a definitive agreement on governance for your organization to clarify precisely what level of risk is acceptable. Everybody must be on the same page before you proceed. It’s also important to work out your budget, set high-level priorities for the implementation, and establish which departments you want to focus on.

It makes a lot of sense to start with a single department or a subset of departments within your organization. Run a pilot program so that you can learn what does and doesn’t work and identify the right tools and best practices for wider deployment. This will help you to craft further implementation plans and accurately estimate the cost.

90% OF CLOUD DECISIONS AND OPERATIONS INVOLVE IT —IDC

[Figure: Hybrid Cloud Market Growth. The Hybrid Cloud market is estimated to grow at a compound annual growth rate of 22.5% during 2016-2021, from $33.28 billion in 2016 to $91.74 billion in 2021. Vertical axis: Billions (in U.S. Dollars). Source: TechTarget]

Create a Detailed Profile

The next step is to drill a bit deeper and tailor the framework for your specific business needs.

The Framework Implementation Tiers will help you to understand your current position and where you need to be. The Tiers are divided into three areas:

• Risk Management Process

• Integrated Risk Management Program

• External Participation

Like most of the NIST CSF’s guidelines, these should not be taken as set in stone. You can adapt them to your organization. You may prefer to categorize them as people, process, and tools, or to add your own categories to the framework.

THE AVERAGE ENTERPRISE USES 1,427 DISTINCT CLOUD SERVICES. —SKYHIGH NETWORKS

CLOUD SECURITY SOFTWARE FROM 5.8B IN 2017 TO 8.9B IN 2020 —GARTNER, 2017

There are four framework implementation tiers. These are:

• Tier 1 – Partial generally denotes an inconsistent and reactive cybersecurity stance.

• Tier 2 – Risk Informed allows for some risk awareness, but planning is inconsistent.

• Tier 3 – Repeatable indicates organization-wide CSF standards and consistent policy.

• Tier 4 – Adaptive refers to proactive threat detection and prediction.

The most effective implementations will be closely tailored to the specific business. Although the higher tiers represent a more complete implementation of CSF standards, it is good to customize the tiers so that they align with your goals. Before proceeding with implementation, use your customized tiers to set target scores and ensure that all key stakeholders agree with those targets.

Assess Your Current Position

Now it’s time to conduct a detailed risk assessment, so that you can establish your status. It’s a good idea to conduct an independent risk assessment. Identify software tools capable of scoring your target areas and train up staff to use them, or hire a third party to run your risk assessment. It’s crucial that the people performing the risk assessment have no knowledge of your target scores. Analysis that will feed into this initial assessment may include looking at risk in the following way.

• What are your critical issues?

• What are your relevant threats?

• How comfortable are you with your ability to detect and respond before data is compromised?

[Figure: chart with axes Likelihood and Impact]

The final scores should be aggregated and validated before they’re presented to the key stakeholders. At the end of this process, your organization should have a clear understanding of the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), assets, and individuals. Vulnerabilities and threats should be identified and fully documented.

Analyze Gaps and Identify Necessary Actions

Armed with a deeper knowledge of cybersecurity risks and the potential business impacts for your organization, you can move on to a gap analysis. The idea is to compare your actual scores with your target scores. You may want to create a heat map to illustrate the results in an accessible and digestible way. Any significant differences immediately highlight areas that you’ll want to focus on.

18.1% OF FILES UPLOADED TO CLOUD-BASED FILE SHARING AND COLLABORATION SERVICES CONTAIN SENSITIVE DATA —SKYHIGH NETWORKS

For example, in the diagram below, the organization has identified three functional areas. These could span the Hybrid Cloud or could be broken into different environments so they can track on a more detailed level, in which case an additional consideration is whether different functional leads will be responsible for on-premise and cloud deployments.

Along the left, the heat map lists the different CSF functions and can be expanded to any level of detail. The ‘Identify’ core function is broken out here for the purpose of comparing the assessed scores against a cross business-unit core group, and then for further assessing gaps against the organization’s target tier. This results in a risk gap, with remediation actions rank-ordered by importance. As noted earlier, the specific references and controls should be expanded to address the organization’s specific requirements.

Work out what you need to do to close the gaps between your current scores and your target scores. Identify a series of actions that you can take to improve your scores and prioritize them through discussion with all key stakeholders. Specific project requirements, budgetary considerations, and staffing levels may all influence your plan.

Individual Functional Areas - Subject Matter Experts score their functional areas based on organization structure and for each function, category, and sub-category.

Scores - SME scores compared against independent core group.

Results - Combine scores and compare against targets set by organization. The resulting risk gap must be addressed.

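Function / Category | Area 1 (i.e., Policy) | Area 2 (i.e., Network) | Area 3 (i.e., Applications) | SME Average | Core Group | Combined | Tier Target | Risk Gap
Identify: Business | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 0
Identify: Asset | 2 | 1 | 2 | 1 | 2 | 2 | 3 | 1
Identify: Governance | 2 | 2 | 4 | 2 | 2 | 2 | 2 | 0
Identify: Risk Assess | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 0
Identify: Risk Management | 2 | 2 | 2 | 2 | 2 | 2 | 3 | 1
Protect | 2 | 1 | 1 | 1 | 1 | 1 | 3 | 2
Detect | 2 | 2 | 2 | 2 | 2 | 2 | 3 | 1
Respond | 1 | 1 | 2 | 1 | 2 | 1 | 3 | 2
Recover | 2 | 4 | 3 | 3 | 3 | 3 | 4 | 1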

Adapted from ‘The Cybersecurity Framework in Action: An Intel Use Case’

Implement an Action Plan

With a clear picture of the current health of your cybersecurity defenses, a set of organizationally aligned target goals, a comprehensive gap analysis, and a set of remediation actions, you are finally ready to implement the NIST CSF. Use the first implementation to document your processes and create training materials for wider implementation in the future.

The implementation of your action plan is not the end. You need to set up metrics to test its efficacy and continuously reassess your cybersecurity framework to ensure that it’s meeting expectations. This requires deployment of continuous assessment platforms spanning on-premise and the cloud, that can inform IT of any critical changes in the organization’s security posture, and even help with remediation.

Validation should be an ongoing process. Keep up the dialogue among stakeholders about risk and ensure that key decision makers remain engaged. To provide maximum benefit to your organization, you should continue to hone the implementation process and further customize the NIST CSF to fit your business needs.

59% OF RESPONDENTS SAYING THEY ARE ADOPTING A HYBRID CLOUD. —FORRESTER

STEP 3: Deploy Hybrid Cloud Continuous Security Assessment and Remediation Platform

For any Hybrid Cloud Infrastructure, it’s important not only to have a single view of the hybrid enterprise, utilizing a wide range of best-practice benchmarks and regulatory guidelines, but also to have easy-to-follow prescriptive remediation. Also important is a robust application program interface (API) that integrates with third-party tools.

Fill in the following table to compare Cavirin’s Hybrid Cloud security capabilities to competing solutions you may be considering. The table has two sections:

1. Technology, including hybrid cloud support, architecture, APIs, customization, and extensibility

2. Features, including cloud account, virtual machine (VM), and container security

84% OF NET NEW SOFTWARE IS NOW SAAS. —IDC

Cavirin Platform Technology and Feature Mock RFP

Technology | Advantage | Cavirin | Competitor 1 | Competitor 2 | Competitor 3
Micro-Services | Scale to largest hybrid infrastructures | | | |
Native Multi-Cloud Support | Single platform for AWS, Azure, GCP, and Docker | | | |
Wizard-driven discovery, assessment, and remediation workflow | Ease of implementation and minimal training | | | |
Open API-first architecture | Wizard-driven integration with Slack, Jira, etc. | | | |
Agentless | Deployment ease; secure | | | |
Extensible Monitoring | Flexible source-independent aggregation architecture | | | |
Policy Customization | Domain Specific Language / Compensating Controls | | | |
ML-based Predictive Analytics | Quickly identify greatest threats | | | |

Table columns: Feature, Advantage, Cavirin, Competitor 1, Competitor 2, Competitor 3. The entries below are listed in the order they appear in the table.

• Deployment flexibility – Customer decides On-premise, CSP, or SaaS

• Cloud Account Security (CISPA)
  – Cloud Hardening via, (i.e., AWS Foundation and Three-Tier)
  – Real-time monitoring (i.e., AWS CloudTrail)

• VM targets – Visibility into workloads
  – OS Hardening via NIST, GDPR, SOC2, PCI, HIPAA, etc.
  – Critical enterprise applications
  – Databases

• DevSecOps - Docker / Containers targets – Extend visibility to containers
  – Image hardening
  – Container hardening
  – Container runtime
  – Kubernetes
  – CI/CD toolchain integration

• FaaS – Added visibility

• Reporting flexibility and exports – Audit-ready reports

© 2018 Cavirin Systems, Inc. All rights reserved.

5201 GREAT AMERICA PKWY SUITE 419 SANTA CLARA, CA