Organizations are moving from IT services delivered exclusively by equipment on-premises to a mixture of delivery models that also include hosting and cloud services. This move to a hybrid environment is driven by digital transformation, which promises greater flexibility as well as cost reduction. However, it brings with it increased challenges of management, compliance and security.
When organizations deliver IT services from their own data centres they have tight control over the security and compliance of processing. The loss of direct control when using externally provided services has led to concerns over compliance and security. The hybrid IT service delivery model has emerged to address these concerns. This model provides greater control by allowing the user organization to locate sensitive data and critical systems on premises or on dedicated resources in a private cloud but adds to the complexity of management.
There are five distinct planes in the IT service delivery stack that need to be managed and secured. These range from the physical data centre up to governing access to the data and applications. For cloud services, three of these planes correspond to the service models (IaaS, PaaS and SaaS). When a service is delivered on-premises, responsibility for all five planes rests clearly with the organization. In the cloud model, however, responsibility for managing these planes is split between the customer and the CSP (Cloud Service Provider) in a way that depends upon how the service is delivered.
This division of responsibilities together with the distributed nature of the service delivery make the management of security in the hybrid cloud complex. A business system may contain components that are delivered in different ways. An application may run on premises but use data from a cloud mass storage service. Another application may be delivered as SaaS but access sensitive data that is held in a private cloud or on-premises. A security architecture is needed that takes account of these complexities.
This architecture must identify the components needed to ensure security and compliance, together with how they fit together. These components should always exist, irrespective of how the service components are delivered. However, the responsibility for implementing the individual components will vary according to the IT service model. The cloud customer (tenant) must ensure that the overall architecture meets their business needs. The customer must also ensure that the components for which they are responsible meet the required standards, and must obtain assurance that the components implemented by the CSP meet their requirements.
KuppingerCole provides a comprehensive Hybrid Cloud Security Reference Architecture as the common denominator for a building block-based approach to individual architecture designs. This document describes the architecture components necessary to design and implement a secure and compliant hybrid IT service delivery model within the enterprise.