Pragmatic Hybrid Cloud Security

It’s easy to get lost in a sea of marketing terms. Recently “hybrid cloud” has bubbled up more and more. The good news is that the term accurately and usefully describes the reality most organizations face today and will continue to face for the foreseeable future.

Unless you started your company today or in the past couple of months, you have a set of IT assets running somewhere. They aren’t running themselves for free. You’ve got an existing investment that you’re going to want to get the most out of. The cloud, a dynamic environment that lets you innovate faster, is the clear future.

But the reality is that you’re going to have to manage both environments for a while until you can sunset the existing assets. This is the hybrid cloud.

Planning For Hybrid

The trap most organizations fall into is treating the two environments differently, setting up unique tooling and processes for each. To make the hybrid cloud work, live by this simple rule: “Do the work once.”

This isn’t as easy as it sounds (is it ever?). On-premises environments tend to rely on manual processes and are divided into silos. In the cloud, processes are implemented in systems, and automated workflows break down traditional silos (see: DevOps).

The goal is to have one workflow regardless of the environment. Unfortunately, the reality is that you’re going to have to make an exception for a few systems and areas on-premises. A lot of existing systems simply weren’t designed with automation and integration in mind.

Try to have as few exceptions as possible. Deploying and running a web server should work the same way for your teams on-premises and in the cloud, or at least as close to the same way as is reasonably possible.


One key driver for unification is a strong set of tools. Choosing cloud-first or “born in the cloud” tools is a great way to start. These tools are typically designed with scalability and flexibility in mind.

With the end state focused on unified processes, start by prioritizing tools that are going to move the needle the most for your organization. This will also help change your processes and update the skill sets for your teams.

Start with tools in the following categories:

  1. Orchestration

  2. Monitoring & analytics

  3. Security

  4. Build pipeline (CI/CD)

Orchestration is critical because it can provide a series of quick wins that ease everyone’s workload. Configuration-management and orchestration tools like AWS OpsWorks, Chef, Puppet, and Ansible are designed to coordinate the deployment and maintenance of your environment, and they work just as well on-premises as in the cloud.

Providing a set of early wins is critical to getting buy-in from on-premises teams. You’re going to be making changes to their day-to-day workflows and eventually changing the structure of their teams. You need them on board.

With that credibility established, you can start to move on to monitoring, security and the build pipeline. In each case, you’re going to need a cloud-first tool that:

  • can scale up and down

  • has data flowing in and out in standard formats

  • is programmable


The tooling adjustments you make will provide a strong return on the effort invested. They also have the added benefit of increasing your visibility into what’s happening in your workloads.

To take those efforts to the next level, you need to start integrating data sources from your cloud provider. The advantage of the shared responsibility model is that you delegate day-to-day operations of some layers to your cloud service provider (CSP); the cost is that you often give up visibility into those layers.

However, in recent years CSPs have made substantial efforts to provide visibility into the actions taken on and around your workloads. The challenge is that you need to configure your monitoring and analytics tools to consume these new data sources (another reason to go with cloud-first tooling).

Each CSP provides its own version of these services, but they basically work the same way. Using either a file drop (AWS CloudTrail delivering to an S3 bucket, for example) or an API, the CSP provides a series of data points you can use to monitor the state of your workload. Sometimes these data series come in the form of traditional logs, but more often than not they are a series of JSON documents.

JSON is easy to work with in any programming language (despite the name) and usually means you’re getting a much richer data set than traditional on-premises logs: every field is named, so there is no more parsing logs by spaces or tabs!
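As an added illustration (not code from the original post), here is a small Python script that maps a traditional space-delimited sshd line and a CloudTrail-shaped JSON document onto one common record and then runs the same detection logic over both, which is what “do the work once” looks like in a monitoring pipeline. The two sample records are constructed; the CloudTrail field names follow the public schema, but the account, user, addresses and times are invented; the trusted address ranges and the privileged-account list are assumptions for the example.

```python
"""Normalize an on-premises syslog line and a CSP JSON event into one record type,
then run a single detection pass over both ("do the work once")."""
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: a traditional space-delimited sshd line from an on-premises host.
ONPREM_LINE = ("Mar 21 10:15:32 web01 sshd[2041]: Failed password for root "
               "from 203.0.113.7 port 51234 ssh2")

# Constructed sample shaped like an AWS CloudTrail ConsoleLogin record. The field names
# follow the CloudTrail schema; the account, user, time and addresses are made up.
CLOUD_DOC = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                     "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
    "eventTime": "2023-03-21T10:16:05Z",
    "eventSource": "signin.amazonaws.com",
    "eventName": "ConsoleLogin",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "198.51.100.23",
    "responseElements": {"ConsoleLogin": "Success"},
    "additionalEventData": {"MFAUsed": "No"},
})

# Assumptions for the example: the ranges your administrators normally work from,
# and the account names you consider privileged in either environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
PRIVILEGED = {"root", "admin", "Administrator"}


@dataclass
class Event:
    """Common schema both environments are mapped onto."""
    time: str
    environment: str          # "on-prem" or "cloud"
    source: str               # host name or CSP event source
    principal: str
    action: str
    outcome: str              # "success" or "failure"
    source_ip: str
    mfa_used: Optional[bool]  # None when the source does not report it


SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def parse_sshd(line: str, year: int = 2023) -> Event:
    """Positional parsing: the year is absent and fields are only recoverable by regex."""
    m = SSHD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sshd line: {line!r}")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(time=ts.replace(tzinfo=timezone.utc).isoformat(), environment="on-prem",
                 source=m["host"], principal=m["user"], action=f"ssh-{m['method']}",
                 outcome="success" if m["result"] == "Accepted" else "failure",
                 source_ip=m["ip"], mfa_used=None)


def parse_cloudtrail(doc: str) -> Event:
    """Structured parsing: every field is named, so no positional guessing is needed."""
    rec = json.loads(doc)
    ident = rec.get("userIdentity", {})
    if ident.get("type") == "Root":
        principal = "root"
    else:
        principal = ident.get("userName") or ident.get("arn", "unknown")
    if rec.get("eventName") == "ConsoleLogin":
        resp = rec.get("responseElements") or {}
        outcome = "success" if resp.get("ConsoleLogin") == "Success" else "failure"
    else:
        outcome = "failure" if "errorCode" in rec else "success"  # API calls use errorCode
    mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
    return Event(time=rec["eventTime"], environment="cloud", source=rec.get("eventSource", ""),
                 principal=principal, action=rec["eventName"], outcome=outcome,
                 source_ip=rec.get("sourceIPAddress", ""),
                 mfa_used=None if mfa is None else mfa == "Yes")


def normalize(raw: str) -> Event:
    """Route a raw record to the right parser; the rest of the pipeline sees only Event."""
    return parse_cloudtrail(raw) if raw.lstrip().startswith("{") else parse_sshd(raw)


def findings(ev: Event) -> list[str]:
    """One detection pass that is identical for both environments."""
    try:
        from_trusted = any(ipaddress.ip_address(ev.source_ip) in n for n in TRUSTED_NETS)
    except ValueError:
        from_trusted = False  # CloudTrail may put a service name here instead of an address
    out = []
    if ev.principal in PRIVILEGED:
        out.append(f"{ev.environment}: privileged principal {ev.principal!r} used for {ev.action}")
    if ev.outcome == "success" and not from_trusted:
        out.append(f"{ev.environment}: {ev.action} succeeded from untrusted address {ev.source_ip}")
    if ev.outcome == "success" and ev.mfa_used is False:
        out.append(f"{ev.environment}: {ev.action} succeeded without MFA")
    return out


if __name__ == "__main__":
    for raw in (ONPREM_LINE, CLOUD_DOC):
        for finding in findings(normalize(raw)):
            print(finding)
```

Two points the code makes that the prose only hints at: the syslog line carries no year and no time zone, so `parse_sshd` has to be told both, whereas the JSON record names every field and `parse_cloudtrail` never guesses. Note also that the `mfa_used` field can only ever be populated from the cloud side; the detection still runs on both, it simply has less to work with for the on-premises source. In practice CloudTrail file drops are gzipped objects with a top-level `Records` array, so a real consumer loops over `rec["Records"]` and feeds each element to `parse_cloudtrail`.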


To make the tooling and visibility come together, you’re going to need to push automation into every aspect of solution delivery. The cloud leans towards automation, but traditional on-premises environments have always been a challenge to automate.

That shouldn’t stop you from trying, and the friction will also serve as motivation to go “all in” on the cloud faster.

Automating the cloud layer is relatively straightforward using the function as a service (FaaS) offering in your cloud of choice (AWS Lambda, Azure Functions, or Google Cloud Functions). Everything from a CSP is available via an API, and FaaS makes it easy to glue those API calls together to create more value in your workload.

Building on the foundations from your CSP environment, your orchestration tool lets you automate your operating system, application and, ideally, security tools. It’s this one-two punch that provides “one click deployment” and other benefits to your teams.

And while automation is a topic that’s been covered extensively, one area that’s often ignored is that when a workflow is automated, it can also be tracked. Keeping your automation scripts in source control not only lets you manage changes but also gives you a very strong audit trail, provided the repository itself is access-controlled and secrets are kept out of it.

You can now replicate your environment as it was at any point in time: check out the commit from the time in question and re-run it. This holds only if the automation is idempotent and its dependencies are pinned, but where it does, it’s an extremely powerful tool for troubleshooting, scaling and compliance.

Hybrid Cloud Is The New Normal

To maximize your existing investments, you’re going to be dealing with at least two environments for the foreseeable future. If you hedge your bets and start leveraging more than one CSP, you could be trying to coordinate three or more distinct environments.

The best strategy for any of these scenarios is the same: “Do the work once.” It’s not a hard strategy to sell. No one wants to do more work than necessary!

To make that work, you need to focus on unified tooling, gaining visibility in both environments and automating everything. The technology aspects of hybrid cloud are manageable with the right strategy. It’s the cultural challenges that will take time and persistence.

But both are worth it. The reality for everyone over the next few years is hybrid. Embrace it. Plan for it. Work each environment in order to maximize the benefits to your organization.

As much as we’d like to believe that you can migrate environments instantly, that’s simply not true. Focusing on these three areas (tooling, visibility, automation) will make sure you don’t get stuck with a massive legacy environment that stops you from innovating.

[ Editor’s note: The Trend Micro team is on-site at the AWS Summit in San Francisco, where Werner Vogels has announced the new AWS Marketplace SaaS Contracts feature. Trend Micro is proud to be a launch partner and now offers annual contracts for Deep Security as a Service. This is a great solution to procurement for hybrid cloud deployments. Deploy in the AWS Cloud and protect assets in all of your environments…with licensing taken care of on your AWS bill. ]