Sun Tzu-as-a-Service: How to protect the hybrid cloud
When it comes to embracing the hybrid cloud, IT operations professionals may find a kindred spirit in Sun Tzu, a military strategist who lived between 544 and 496 BC.
Sean Jennings, co-founder and senior vice president of Virtustream, led a VMworld 2015 breakout session that connected some of Sun Tzu’s most well-known quotes about warfare to some of the steps IT pros can take to better protect themselves when utilizing the hybrid cloud.
It starts with Sun Tzu’s philosophy of winning without fighting.
“The greatest victory is that which requires no battle.” (Sun Tzu)
Taking a strategic approach to security can better prepare your hybrid cloud, Jennings said. By working out the proper strategy before even looking to the cloud, organizations will have less “fighting” to do when confronted with threats.
The hard part about a hybrid cloud strategy is that you’re entrusting your workloads to an environment where you don’t have full control. Because of this, it’s critical that you demand transparency — you must know your cloud.
“Know thyself, know thy enemy. A thousand battles, a thousand victories.” (Sun Tzu)
Providers will often try to woo you with certifications, but certifications alone are not a sufficient guarantee of security. Cloud architecture is just as important.
Most access happens over the Internet through a VPN, although some providers offer direct connections. How your cloud handles authentication on its public-facing portal should be a top consideration.
Security and monitoring are often self-service, and storage is often shared infrastructure with few SLAs. Demand to be fully aware of how the security controls are implemented and what SLAs are in place.
Additional questions to ask are: How are the workloads separated? What is their protocol for disaster recovery? How are roles handled?
For example, Jennings said, even though he designed much of the Virtustream xStream cloud management platform, he doesn’t have access to client workloads. He couldn’t get to them if he tried, he said.
Jennings said some of the main cloud security challenges are:
- Separating duties
- Blind spots – virtual switches and VM leakage
- Reporting and auditing
- Compliance and governance
Use the tools you have at your disposal, Jennings said. Think about the trustworthiness of your hosts. Good transparency should also give you insight into which of your workloads are running in trusted or untrusted pools.
“The opportunity to secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself.” (Sun Tzu)
Managing enterprise risk requires you to have cyber situational awareness if you want to turn the tables on your enemy. Use compliance monitoring to view and manage risk in your enterprise relative to the hybrid cloud.
“To defeat the enemy, become the enemy.” (Sun Tzu)
Continuous compliance monitoring tools help you think like the enemy and stay constantly aware of where an attack could take place and what could be compromised. You had better believe that your enemies are looking for the exact same things.
Another point Jennings stressed was complete and verifiable workload separation as part of your cloud solution.
In keeping with the theme of transparency, he said, two clouds can have the same SLA and the same certifications but still have different risk profiles. Make sure you understand where the risk profiles differ and how that affects your security strategy.
“If ignorant both of your enemy and yourself, you are certain to be in peril.” (Sun Tzu)