|
|
| (45 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| The ''Flexera 2020 State of the Cloud Report'' and its associated survey found that 87 percent of respondents had already taken a hybrid cloud stance for their organization and 93 percent of respondents had already implemented a multicloud strategy within their organization.<ref name=WeinsCloud20">{{cite web |url=https://www.flexera.com/blog/industry-trends/trend-of-cloud-computing-2020/ |title=Cloud Computing Trends: 2020 State of the Cloud Report |author=Weins, K. |work=Flexera Blog |date=21 May 2020 |accessdate=21 August 2021}}</ref> A 2020 report by IDC predicted 90 percent of enterprises around the world will be relying on some combination of hybrid or multicloud with existing legacy platforms by 2022, though they may not necessarily have a sufficient investment in in-house skills to navigate the complexities of rolling out those strategies.<ref name="IDCExpects2021_20">{{cite web |url=https://www.idc.com/getdoc.jsp?containerId=prMETA46165020 |title=IDC Expects 2021 to Be the Year of Multi-Cloud as Global COVID-19 Pandemic Reaffirms Critical Need for Business Agility |author=International Data Corporation |publisher=International Data Corporation |date=31 March 2020 |accessdate=21 August 2021}}</ref> These complexities were discussed in Chapter 1; hybrid cloud reveals a greater attack surface, complicates security protocols, and raises integration costs,<ref name="CFWhatIsHybrid">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-hybrid-cloud/ |title=What Is Hybrid Cloud? Hybrid Cloud Definition |publisher=Cloudflare, Inc |accessdate=04 March 2021}}</ref><ref name="HurwitzWhat21">{{cite web |url=https://www.dummies.com/programming/cloud-computing/hybrid-cloud/what-is-hybrid-cloud-computing/ |title=What is Hybrid Cloud Computing? |work=Dummies.com |author=Hurwitz, J.S.; Kaufman, M.; Halper, F. et al. |publisher=John Wiley & Sons, Inc |date=2021 |accessdate=21 August 2021}}</ref> while multicloud brings with it differences in technologies between vendors, latency complexities between the services, increased points of attack with more integrations, and load balancing issues between the services.<ref name="CFWhatIsMulti">{{cite web |url=https://www.cloudflare.com/learning/cloud/what-is-multicloud/ |title=What Is Multicloud? Multicloud Definition |publisher=Cloudflare, Inc |accessdate=21 August 2021}}</ref> Broadly speaking, these complexities and security challenges arise out of the fact more systems must be integrated.
| | {{Saved book |
| | |title=Introduction to Quality and Quality Management Systems |
| | |subtitle= |
| | |cover-image=Time-Quality-Money.png |
| | |cover-color=#fffccc |
| | | setting-papersize = A4 |
| | | setting-showtoc = 1 |
| | | setting-columns = 1 |
| | }} |
|
| |
|
| As of April 2021, four providers of hybrid and multicloud technology and services stand out: Cisco, Dell, HPE, and VMware. These providers don't provide public cloud services but rather take a service-based approach to supplying hardware, software, and managed services to assist customers adopt a hybrid or multicloud approach for their business. From a security perspective, we have to ask at a minimum three questions about these companies:
| | ==''Introduction to Quality and Quality Management Systems''== |
| | {{ombox |
| | | type = content |
| | | style = width: 500px; |
| | | text = This book should not be considered complete until this message box has been removed. This is a work in progress. |
| | }} |
| | The goal of this short volume is to act as an introduction to the quality management system. It collects several articles related to quality, quality management, and associated systems. |
|
| |
|
| * How do they manage your data and security in a trustworthy way?
| | ;1. What is quality? |
| * How are cloud technologies and services developed and audited for security?
| | :''Key terms'' |
| * What public CSPs do they publicly state their technologies and services support or integrate with?
| | :[[Quality (business)|Quality]] |
| | :[[Quality assurance]] |
| | :[[Quality control]] |
| | :''The rest'' |
| | :[[Data quality]] |
| | :[[Information quality]] |
| | :[[Nonconformity (quality)|Nonconformity]] |
| | :[[Service quality]] |
| | ;2. Processes and improvement |
| | :[[Business process]] |
| | :[[Process capability]] |
| | :[[Risk management]] |
| | :[[Workflow]] |
| | ;3. Mechanisms for quality |
| | :[[Acceptance testing]] |
| | :[[Conformance testing]] |
| | :[[Clinical quality management system]] |
| | :[[Continual improvement process]] |
| | :[[Corrective and preventive action]] |
| | :[[Good manufacturing practice]] |
| | :[[Malcolm Baldrige National Quality Improvement Act of 1987]] |
| | :[[Quality management]] |
| | :[[Quality management system]] |
| | :[[Total quality management]] |
| | ;4. Quality standards |
| | :[[ISO 9000]] |
| | :[[ISO 13485]] |
| | :[[ISO 14000|ISO 14001]] |
| | :[[ISO 15189]] |
| | :[[ISO/IEC 17025]] |
| | :[[ISO/TS 16949]] |
| | ;5. Quality in software |
| | :[[Software quality]] |
| | :[[Software quality assurance]] |
| | :[[Software quality management]] |
|
| |
|
| In this context of trust, these companies should have a "trust center" that helps consumers and enterprises find answers to security questions about their cloud technologies and services. A trust center was found for three of the four CSPs; HPE's trust center could not be located. Whether through internal secure development processes or external auditing practices, the security of the technology and services offered by these providers remains vital, and they should be able to demonstrate by explaining their development and auditing processes. Additionally, hybrid and multicloud providers should make clear which public CSPs are supported for or integrated ideally with the provider's hybrid and multicloud services. Not all public clouds are fully supported by these providers. See Table 6 for links to these three security and interoperability aspects for each hybrid/multicloud CSP.
| | <!--Place all category tags here--> |
| | |
| {|
| |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="60%"
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 6.''' Providers of hybrid and multicloud technology and services, their trust center, their development and auditing practices, and supported public clouds
| |
| |-
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Company and offering
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Trust center
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Development and auditing practices
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Public clouds supported (U.S.)
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-director/index.html Cisco CloudCenter and UCS Director]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/en/us/about/trust-center.html Link]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|According to a [https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/cc-suite-saas-trust-center.pdf 2019 document], Cisco is "evaluating SOC 2 as a potential roadmap item" for CloudCenter.
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.cisco.com/c/dam/en/us/products/collateral/cloud-systems-management/cloudcenter-suite/at-a-glance-c45-741883.pdf Alibaba, Amazon, Google, IBM, Microsoft]
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/cloud/dell-technologies-cloud.htm Dell Technologies Cloud]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://corporate.delltechnologies.com/en-us/about-us/security-and-trust-center/index.htm#tab0=1 Link]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.dell.com/en-us/shop/secure-development/cp/secure-development Link]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.delltechnologies.com/en-us/data-protection/powerprotect-dd-series/cloud-tier.htm Alibaba, Amazon, Google, IBM, Microsoft]
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/greenlake.html HPE GreenLake]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Unknown
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.hpe.com/us/en/solutions/cloud.html Amazon, Google, Microsoft]
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/ VMware Cloud]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center Link]
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://cloud.vmware.com/trust-center/compliance/soc Link] (Must be customer/contact sales to access)
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|[https://www.vmware.com/cloud-solutions/hybrid-cloud.html Amazon, Google, IBM, Microsoft, Oracle]
| |
| |-
| |
| |}
| |
| |}
| |
| | |
| Managing your share of security in the hybrid cloud has several challenges. Most of those challenges involve attempting to manage and control multiple distributed systems. Giving administrators the ability to see into this complex network of components, at all levels, is critical. This is typically accomplished with a centralized management tool or platform based on open standards, providing automated management and control features that limit human error. Automation is also useful when scanning for and remediating problems detected with security controls, which in turn allows for documented changes and more reproducible processes. Disk encryption and network encryption tools may also need to be more robustly employed to protect data at rest and data in motion between private and public clouds. And of course, segmentation of services based on data sensitivity may be necessary.<ref name="KasperskyWhatIs">{{cite web |url=https://usa.kaspersky.com/resource-center/definitions/what-is-cloud-security |title=What is Cloud Security? |work=Resource Center |publisher=AO Kaspersky Lab |date=2021 |accessdate=21 August 2021}}</ref><ref name="KernerFour18">{{cite web |url=https://techbeacon.com/security/4-hybrid-cloud-security-challenges-how-overcome-them |title=4 hybrid-cloud security challenges and how to overcome them |author=Kerner, L. |work=TechNeacon |date=2018 |accessdate=21 August 2021}}</ref>
| |
| | |
| Multicloud has its issues as well. "The challenge that multicloud presents to security teams continues to grow," said Protiviti cloud consultant Rand Armknecht in December 2020. "The number of services that are being released, the new ways of interacting, the interconnecting of services and systems, all of that continues to advance and all of these add new complexities into the enterprise security model."<ref name="PrattBuilding20">{{cite web |url=https://www.csoonline.com/article/3584735/building-stronger-multicloud-security-3-key-elements.html |title=Building stronger multicloud security: 3 key elements |author=Pratt, M.K. |work=CSO |date=14 December 2020 |accessdate=21 August 2021}}</ref> Given the differences in tools and security approaches between cloud providers, stitching together services cohesively requires strong skills, knowledge, and attentiveness. It also requires a security strategy that is well-defined and unified in its approach to data management, minimization, anonymization, and encryption when considering multiple CSPs. Middleware placed between the enterprise and the CSP—in some cases referred to as a cloud access security broker (CASB)—that can "consolidate and enforce security measures such as authentication, credential mapping, device profiling, encryption and malware detection" adds an additional layer of semi-automated security for multicloud.<ref name="PrattBuilding20" />
| |
| | |
| | |
| | |
| ==References==
| |
| {{Reflist|colwidth=30em}}
| |
