The New Reality: Facing Security Challenges in the World of Hybrid IT
Hybrid IT in a nutshell
Hybrid IT can be defined as the mix of IT infrastructure platforms (legacy on-premise and private/public hybrid clouds) that an enterprise uses to satisfy its application workload and data needs.
There are several factors that have driven the adoption of hybrid IT infrastructures, including the need to maintain control of data, the cost effectiveness of cloud components such as software-as-a-service and database-as-a-service and the desire for an IT department to respond as quickly as possible to rapidly changing business needs.
This is why open technologies have become dominant: more and more users and vendors take the open source approach when building their platform infrastructures. Hybrid IT is not just about cloud; it’s also about traditional IT and legacy applications. It’s essential to ensure that legacy applications, which usually deal with core business functions, are able to exchange information with cloud applications and databases.
As hybrid platforms become ubiquitous (NonStop-X/Unix/Virtual NonStop), so do the security and compliance challenges they face.
Security Challenges facing Hybrid IT
In an increasingly digital business environment, where change is a constant and there are ever-increasing demands to deploy new applications faster, older technology can be hard to scale and slow to change. Managing and securing a mix of IT infrastructures can be costly and complicated, especially when data can reside nearly anywhere.
Some of the largest obstacles for creating a seamless hybrid IT environment include inadequate compliance, lack of encryption, insufficient risk assessment & security management, failure to authenticate and identify, unprotected APIs, poor data redundancy, data leakage and many other threats.
While we could go into extensive detail on any one of these challenges, let’s focus on three critical areas:
– Compliance challenges on Hybrid IT
Maintaining and demonstrating compliance can be more difficult with a hybrid IT infrastructure. Not only do you have to ensure that your public cloud provider and private cloud are in compliance, but you also must demonstrate that the means of coordination between the two clouds is compliant.
For example, you may be able to demonstrate that both your internal systems and your cloud provider are compliant with PCI DSS. But, with the introduction of a hybrid IT infrastructure, you also have to ensure that the data moving between two clouds is protected.
Additionally, you’ll need to ensure that data is not transferred from a compliant database on a private cloud to a less secure storage system in a public cloud. The methods you use to prevent a leak on an internal system may not directly translate to a public cloud.
– Risk management on Hybrid IT
From a business perspective, information security is about managing risk. Hybrid IT uses new APIs, requires complex network configurations, and pushes the limits of traditional system administrators’ knowledge and abilities.
These factors introduce new types of threats. Cloud computing is not more or less secure than internal infrastructures, but hybrid cloud is a complex system that administrators have limited experience in managing, and this naturally creates risk.
– Security management on Hybrid IT
Existing security controls such as authentication, authorization and identity management will need to work in both the private and public cloud. There are a couple of options to integrate hybrid cloud security protocols: either replicate controls in both clouds and keep security data synchronized, or use an identity management service that provides a single service to systems running in either cloud. You must also allocate sufficient time during your planning and implementation phases to address what could be fairly complex integration issues.
As NonStop systems move into the x86 platform, more applications will likely be ported to OSS. This means that after an x86 migration, the availability of open source tools in environments where they could not previously be placed will increase dramatically.
Ensuring that your system is compliant and secure will become an even more complex endeavor.
Implementing a hybrid cloud introduces more than just technical challenges; IT administrators must also address security issues.
Protect-X® – The Compliance & Security Hardening Solution built for Hybrid IT
Because Protect-X® was built with Virtual NonStop and open source applications in mind, it is the perfect tool to ensure that your hybrid infrastructure is compliant and secure. Protect-X® allows you to easily ensure compliance, assess risk and manage security of your hybrid platforms.
- Exchanges data with Unix/Linux machines directly, both to view current settings on those machines and to make approved changes to settings
- Exchanges data with NonStop servers via a strongly encrypted communication channel with Protect-XP, both to view current settings on those machines and to make approved changes related to compliance with hardening policies
- Makes approved file access changes through direct communication with NonStop servers
Protect-X® user interface
The Protect-X® interface features an at-a-glance Dashboard that calls attention to key metrics and gives quick access to related functions. Protect-X® allows users with the appropriate permissions to:
- Check how well a monitored system complies with hardening policies globally or at the individual rule set level
- Make changes to bring a monitored system into compliance with hardening policies, either once or repeatedly (on a scheduled basis)
- Create custom versions of hardening policies and check how well a system complies with them
- Produce informative reports and share them with external parties
- Verify current users’ access to critical resources and identify possible vulnerabilities posed by that access
- Manage and monitor changes to file permissions, users, groups, aliases, and Safeguard global settings for monitored systems, enforcing changes once or on a customized schedule
One of the key advantages of Protect-X® is that once configured, non-experts can ensure compliance standards are being properly maintained. Any changes requested must be authorized by an expert administrator before they can be implemented.
Protect-X® is a powerful tool that has the ability to automatically implement compliance policies across different environments and IT architectures. It can be completely customized to suit your specific needs. It places all the power in your hands, but simplifies and automates many of the routine tasks.
Protect-X® can be trialed on our test site at CSP or on your own site as preferred: