Hybrid cloud shouldn't mean two security systems

Despite all the talk of "cloud first" IT, the number of legacy systems means "hybrid cloud security is very much the reality," according to Trend Micro vice-president of cloud security Mark Nunnikhoven.

Having two separate security systems is problematic, not least because it can mean double the cost, he told iTWire.

Trend Micro has invested heavily to make sure that its Deep Security and related products work in various clouds as well as on premises, Nunnikhoven said. The "lift and shift" approach to moving traditional security products into the cloud doesn't work as well, largely because of the scale and speed of cloud environments.

{loadposition stephen08}Putting security controls onto the servers is more effective than relying on perimeter defences – you can quickly and easily spin up 1000 virtual servers each with their own security layer, but scaling perimeter security separately is more challenging.

Cloud service providers recommend this approach, he said, because eliminating an entire layer improves efficiency, and it allows an organisation to be more dynamic and flexible.

Around three years ago, Trend Micro was one of a small number of vendors taking this approach, and the idea has taken time to spread, partly because it runs counter to security traditions and in some cases to regulatory regimes, Nunnikhoven observed. Yet perimeter defences need to know everything that might happen, while the attitude at the server level can be that everything is treated as bad unless it is known to be acceptable, which is easier to achieve.

And even though there may be a huge number of servers, there's no need to manage their security individually. A better way is to set group policies in much the same way that users are managed.

A baseline level of security is applied to all servers, then all the servers in a group get the same appropriate variations. "That way, you don't care how many servers there are," said Nunnikhoven.