Accelerating Application Migrations To The Cloud

It’s a common misconception that business applications can be apparated, Harry Potter-style, into the cloud: the IT team presses a few buttons and whoosh, the migration is done. If only it were that easy.

First, although in our experience around 85% of applications can potentially be migrated to the cloud, some applications should not, or cannot, be moved. Legacy applications may be difficult to virtualize and need significant development work before they can be migrated. Some are sensitive to latency, so for performance reasons they should stay on-premises. Others are governed by regulations that prohibit moving them outside a given jurisdiction or geographic region.

Hand-Drawing Maps

However, even for the majority of applications that are suitable for migration, several challenges must be addressed if the migration is to go smoothly and securely. First, the application’s existing network flows need to be mapped so that the IT team knows how to reconnect the application post-migration. This is extremely hard in complex environments: there is usually little or no up-to-date documentation, and working out the requirements and then painstakingly migrating and adjusting every firewall rule, router ACL and cloud security group by hand is time-consuming and error-prone. A single mistake can cause outages and compliance violations, and open holes in the business’s security perimeter.

It is also slow. In AlgoSec’s experience, a team of five experienced consultants can manually map about 25 applications a week, so in a typical enterprise running 1,200 applications the job would take the team roughly a year. If the organization has good documentation of its applications and an accurate configuration management database, it may be possible to cut that time by half.

Given the resources required to map applications manually, some organizations may ask whether they really need to do it before migrating. The answer is definitely yes, unless they plan to move only one or two applications in total and can afford to do without those applications for hours or days in the likely event that connectivity is disrupted. Comprehensive maps of every application to be migrated are essential: this atlas of connectivity flows shows the way to smooth, secure cloud migrations.

Ready to Move

With an atlas of existing connectivity maps in hand, organizations can tackle the migration itself. This can be done manually using the APIs and dashboards that every cloud platform provides, but it is slow work and it is all too easy to make costly mistakes. Some cloud service providers offer native automation tools, but these usually address only that provider’s environment and give no visibility, automation or change management across the entire estate. Even third-party cloud management tools that span multiple clouds will not necessarily cover on-premises networks.

The most effective way to accelerate application migrations is an automation solution that supports both the existing on-premises firewall estate and the new cloud security controls, and that can accurately derive the flows needed in the new environment from the atlas of existing connectivity flows and from the security and compliance requirements of the new environment. The right automation solution can also discover and map enterprise applications and their connectivity flows without prior knowledge or manual configuration by the security, networking or application teams.

Businesses can then use the solution to navigate the migration itself, automatically generating the hundreds of security policy change requests needed across both the on-premises firewalls and the cloud security controls. This dramatically simplifies a process that is complex, drawn-out and risky when attempted manually.
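The two steps described above, mapping an application's real connectivity from what the firewalls have actually permitted and then deriving the cloud-side rules from that map, can be illustrated end to end. The block below is an added example written for this page; it is not AlgoSec's product or any code from the article. The log format, the "billing" application, its addresses, the on-prem shared services and the post-migration subnets are all constructed for illustration. It also includes the review pass a practitioner wants before pushing generated rules: anything sourced from outside RFC 1918 space or opening SSH to more than a single host is flagged rather than applied silently.

```python
"""Map an application's observed connectivity from firewall accept logs and
derive least-privilege cloud security-group rules for it.

Added example for the mapping and rule-generation steps above; it is not
AlgoSec's product or any code from the article. The log format, the
'billing' application, its addresses, the on-prem shared services and the
post-migration subnets are all constructed for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed firewall ACCEPT/DROP records in a hypothetical syslog format.
FIREWALL_LOG = """\
2017-09-04T06:01:12Z fw01 ACCEPT src=10.20.1.15 dst=10.20.2.40 proto=tcp dport=443
2017-09-04T06:01:13Z fw01 ACCEPT src=10.20.1.15 dst=10.20.2.40 proto=tcp dport=443
2017-09-04T06:01:14Z fw01 ACCEPT src=10.20.2.40 dst=10.20.3.8 proto=tcp dport=5432
2017-09-04T06:01:15Z fw01 ACCEPT src=10.20.2.41 dst=10.20.3.8 proto=tcp dport=5432
2017-09-04T06:01:16Z fw01 ACCEPT src=10.20.2.40 dst=10.20.9.5 proto=udp dport=53
2017-09-04T06:01:17Z fw01 ACCEPT src=10.20.2.40 dst=10.20.9.5 proto=udp dport=53
2017-09-04T06:01:18Z fw01 ACCEPT src=198.51.100.7 dst=10.20.2.41 proto=tcp dport=443
2017-09-04T06:01:19Z fw01 DROP src=203.0.113.9 dst=10.20.2.40 proto=tcp dport=22
2017-09-04T06:01:20Z fw01 ACCEPT src=10.20.7.77 dst=10.20.2.40 proto=tcp dport=22
"""
LINE_RE = re.compile(
    r"\S+ \S+ (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

# The 'billing' application being migrated: role -> current on-prem hosts.
APP = {"web": {"10.20.2.40", "10.20.2.41"}, "db": {"10.20.3.8"}}
# Shared services that stay on-prem after the move (assumed).
ON_PREM_SERVICES = {"10.20.9.5": "dns", "10.20.7.77": "jump-host"}
SERVICE_IP = {name: ip for ip, name in ON_PREM_SERVICES.items()}
# Post-migration addressing: one cloud subnet per role (assumed).
CLOUD_CIDR = {"web": "10.100.1.0/24", "db": "10.100.2.0/24"}
# RFC 1918 space, checked explicitly rather than via ipaddress.is_private,
# which also treats the documentation ranges used in the sample log as private.
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(log_text):
    """Return the set of distinct (src, dst, proto, dport) tuples that were ACCEPTed."""
    flows = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["action"] == "ACCEPT":      # DROPs are attempts, not connectivity
            flows.add((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return flows


def role_of(ip):
    """Application role, on-prem service name, or the bare IP for unmapped hosts."""
    for role, hosts in APP.items():
        if ip in hosts:
            return role
    return ON_PREM_SERVICES.get(ip, ip)


def connectivity_map(flows):
    """Collapse host-level flows into role-level edges (src_role, dst_role, proto, port)."""
    edges = set()
    for src, dst, proto, port in flows:
        s, d = role_of(src), role_of(dst)
        if s in APP or d in APP:                # keep only flows touching the app
            edges.add((s, d, proto, port))
    return edges


def _cidr_for(role):
    if role in APP:
        return CLOUD_CIDR[role]
    return SERVICE_IP.get(role, role) + "/32"   # single host, on-prem or unmapped


def security_group_rules(edges):
    """Per cloud role, the ingress and egress rules that reproduce the mapped edges."""
    rules = defaultdict(lambda: {"ingress": [], "egress": []})
    for s, d, proto, port in sorted(edges):
        if d in APP:
            rules[d]["ingress"].append({"proto": proto, "port": port, "source": _cidr_for(s)})
        if s in APP:
            rules[s]["egress"].append({"proto": proto, "port": port, "dest": _cidr_for(d)})
    return dict(rules)


def review_findings(rules):
    """Rules a reviewer should confirm before they are pushed to the cloud account."""
    findings = []
    for role, rs in rules.items():
        for r in rs["ingress"]:
            net = ip_network(r["source"])
            if not any(net.subnet_of(p) for p in RFC1918):
                findings.append(f"{role}: {r['proto']}/{r['port']} from non-RFC1918 source {net}")
            if r["port"] == 22 and net.prefixlen < 32:
                findings.append(f"{role}: SSH allowed from a range wider than one host ({net})")
    return findings


if __name__ == "__main__":
    rules = security_group_rules(connectivity_map(parse_flows(FIREWALL_LOG)))
    for role, rs in rules.items():
        print(role, rs)
    print("\n".join(review_findings(rules)))
```

Two design points carry over to real tooling. Only ACCEPT records contribute to the map, because a dropped attempt is evidence of an attacker or a misconfiguration, not of a dependency that must survive the move. And unmapped sources are kept as /32 hosts rather than widened to a subnet or to 0.0.0.0/0, so the generated policy is never broader than what the on-prem firewall actually permitted; widening is a deliberate reviewer decision, not a default.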

After the applications have been migrated, the automation solution should be used to provide unified security policy management for the entire enterprise environment, from a single console.

While there is still no way to apparate applications instantly into the cloud, automation makes the process fast and relatively painless by eliminating time-sapping, error-prone manual work such as connectivity discovery and mapping, both during the migration and in ongoing management.

Powered by WPeMatico

Centralized security in the cloud is the best security model

It’s 6:00 a.m. on a Monday. You get an automated text from your security systems: a DDoS attack was attempted, but new security policies downloaded several hours earlier proactively protected the systems from the attacking IP address. All is well.

The alternative is not good: you had no idea the DDoS attack was coming, and now you’re playing cloud security whack-a-mole to fend it off until you can put more permanent measures in place. Other types of breaches could, of course, be far worse in their impact on the enterprise.

Proactive, automated security of this kind is what’s known as centralized trust. Simply put, it relies on central repositories of security policies that are linked to local repositories in the enterprise cloud. They may even hold centralized identities (things, processes or people) that can be centrally credentialed.
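What makes the Monday-morning scenario work is not just that a central repository exists, but that the local repository trusts what it downloads only after checking it. The block below is an added illustration of the centralized trust model sketched above, written for this page; it is not code from the article or from any vendor. The key, policy contents, addresses and timestamps are constructed, and a shared-key HMAC stands in for the asymmetric signature a real deployment would use (an assumption made to keep the example self-contained). It walks through the happy path, a tampered bundle, a replayed older version, and the stale-policy condition that corresponds to the whack-a-mole alternative.

```python
"""A central policy repository and a local one that consumes it, with the
checks the local side must make before trusting what it downloaded.

Added illustration of the centralized trust model sketched above; not code
from the article or from any vendor. The key, the policy contents, the
addresses and the timestamps are constructed, and a shared-key HMAC stands
in for the asymmetric signature a real deployment would use (assumption).
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

SHARED_KEY = b"constructed-demo-key-do-not-use"   # assumption: pre-shared with every edge
MAX_POLICY_AGE = timedelta(hours=12)             # older policies are treated as stale


def _canonical(policy):
    """Stable byte encoding so the MAC is independent of key order and whitespace."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def publish(policy, key=SHARED_KEY):
    """Central repository: wrap a policy in a bundle carrying its MAC."""
    return {"policy": policy,
            "mac": hmac.new(key, _canonical(policy), hashlib.sha256).hexdigest()}


class LocalRepository:
    """Policy store on an enforcement point (edge firewall, WAF, host agent)."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.version = 0
        self.issued = None
        self.blocked = []
        self.rejections = []

    def apply(self, bundle, now):
        """Accept the bundle only if it is authentic, fresh and newer than what we hold."""
        policy = bundle["policy"]
        expected = hmac.new(self.key, _canonical(policy), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle.get("mac", "")):
            self.rejections.append("bad MAC")
            return False
        issued = datetime.fromisoformat(policy["issued"])
        if now - issued > MAX_POLICY_AGE:
            self.rejections.append(f"v{policy['version']} is stale")
            return False
        if policy["version"] <= self.version:                # replay / downgrade
            self.rejections.append(f"v{policy['version']} is not newer than v{self.version}")
            return False
        self.version, self.issued = policy["version"], issued
        self.blocked = [ip_network(c) for c in policy["block_cidrs"]]
        return True

    def is_current(self, now):
        """False when no fresh policy has arrived: the 'whack-a-mole' condition."""
        return self.issued is not None and now - self.issued <= MAX_POLICY_AGE

    def is_blocked(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.blocked)


def scenario():
    """Walk through the Monday-morning story from the article with constructed data."""
    t_issue = datetime(2017, 9, 4, 2, 0, tzinfo=timezone.utc)
    v7 = {"version": 7, "issued": t_issue.isoformat(),
          "block_cidrs": ["203.0.113.0/24", "198.51.100.0/24"]}
    local = LocalRepository()
    out = {"applied": local.apply(publish(v7), now=t_issue + timedelta(minutes=5))}

    t_attack = t_issue + timedelta(hours=4)                   # 06:00, the attack arrives
    out["attacker_blocked"] = local.is_blocked("203.0.113.9")
    out["policy_current"] = local.is_current(t_attack)

    tampered = json.loads(json.dumps(publish(v7)))
    tampered["policy"]["block_cidrs"] = []                    # attacker strips the blocklist
    out["tampered_accepted"] = local.apply(tampered, now=t_attack)

    v6 = {"version": 6, "issued": (t_issue - timedelta(hours=1)).isoformat(),
          "block_cidrs": []}
    out["replay_accepted"] = local.apply(publish(v6), now=t_attack)  # valid MAC, old version

    out["still_blocked"] = local.is_blocked("203.0.113.9")
    out["stale_next_day"] = not local.is_current(t_attack + timedelta(days=1))
    out["rejections"] = list(local.rejections)
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The ordering of the checks matters: authenticity first, so nothing unsigned influences state; then freshness, so a captured bundle cannot be reused indefinitely; then monotonic versioning, so a genuine but older bundle cannot roll a blocklist back. `is_current` is the local side's own alarm: if the central repository goes quiet, the enforcement point should say so rather than keep enforcing a policy that may no longer reflect what the central team knows.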



VMworld Goes All In On The Cloud

This year’s VMworld showed new directions for VMware, which previously seemed a bit disoriented by the cloud computing revolution.

Following up on its earlier goal of being the Switzerland of software, VMware is aiming to become the universal middleware for physical and software-defined data centers, leveraging Dell’s deep partner ecosystem. This is also evident in its partnership with AWS, the first partner in a strategy of “any cloud and any workload” that will soon include Azure and Google Cloud.

Besides helping customers build fully digital data centers in the cloud, VMware is also working on securing both the virtual plumbing and the virtual endpoints. This could be a new paradigm for digital security, according to CEO Pat Gelsinger in the opening keynote.

Two key announcements at VMworld support this. The first is the result of the often-mentioned Project Goldilocks: an endpoint security product called AppDefense that leverages existing VMware infrastructure to monitor virtual endpoints and alert when they change to unexpected states.

ABOUT APPDEFENSE

In part, AppDefense is about applying least-privilege and whitelisting security paradigms ubiquitously to virtual infrastructure.

“AppDefense delivers an intent-based security model that focuses on what the applications should do — the known good — rather than what the attackers do — the known bad. We believe it will do for compute what VMware NSX and micro-segmentation did for the network — enable least privilege environments for critical applications,” said Tom Corn, senior vice president of security products, VMware.

When a threat is detected, AppDefense uses vSphere and VMware NSX to automate the appropriate response. For example, AppDefense can automatically:

The second is NSX Cloud, a version of NSX built to provide network security for the hybrid cloud.

“We find it to be a positive development that VMware is delivering enhanced security capabilities to complement multi-cloud architectures. The opportunity to enforce consistent policies at the network layer through micro-segmentation is an attractive feature/benefit combination of NSX network virtualization. Although we have more to learn about AppDefense, the concept holds similar potential within virtual machine operating systems and applications. These technologies enable greater control … by taking advantage of both public and private clouds and express the desire for workload mobility for reasons of rapid capacity expansion, data sovereignty isolation, disaster recovery, and more,” said Jon Rosenson, senior vice president at Expedient.

In his August 28 blog entry on the VMware web site, Alex Berger, product marketing manager, Networking & Security, wrote, “AppDefense is the other half of the puzzle. Whereas NSX prevents threats from moving freely throughout the network, AppDefense detects anything that does make it to an endpoint and can automatically trigger responses through integration with NSX and vSphere.”
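The “known good” model Corn and Berger describe above can be made concrete without reference to any particular product. The block below is an added illustration written for this page of the intent-based approach: learn a manifest of expected processes and connections from a steady-state baseline (the “steady state info” Williams refers to later in this piece), let an operator generalize it, then classify every production event that falls outside it and attach a response. It is not AppDefense code and makes no claim about how AppDefense is built; the VM names, image paths, addresses, events and response names are constructed.

```python
"""Intent-based monitoring of a workload: learn a 'known good' manifest of
processes and connections from a steady-state baseline, then report and
classify every deviation observed in production.

Added illustration of the known-good model described above; it is not
AppDefense code and makes no claim about how AppDefense is built. The VM
names, image paths, addresses, events and response names are constructed.
"""
import fnmatch
from collections import namedtuple

# kind 'exec':    actor = parent process, detail = image path of the process that started
# kind 'connect': actor = image path of the connecting process, detail = 'host:port'
Event = namedtuple("Event", "vm kind actor detail")

# Constructed steady-state observations captured while the app behaved normally.
BASELINE = [
    Event("web-01", "exec", "init", "/usr/sbin/nginx"),
    Event("web-01", "exec", "init", "/usr/bin/python3"),
    Event("web-01", "connect", "/usr/sbin/nginx", "10.100.2.15:5432"),
    Event("web-01", "connect", "/usr/bin/python3", "10.20.9.5:53"),
]

# Constructed production observations, including things the manifest forbids.
OBSERVED = [
    Event("web-01", "exec", "init", "/usr/sbin/nginx"),
    Event("web-01", "connect", "/usr/sbin/nginx", "10.100.2.16:5432"),
    Event("web-01", "exec", "/usr/sbin/nginx", "/tmp/.x/miner"),
    Event("web-01", "connect", "/tmp/.x/miner", "203.0.113.50:4444"),
    Event("web-01", "connect", "/usr/sbin/nginx", "203.0.113.50:4444"),
    Event("web-01", "connect", "/usr/bin/python3", "10.20.9.5:53"),
    Event("web-02", "exec", "init", "/usr/sbin/nginx"),
]

# Hypothetical response catalogue; the orchestration hooks behind it are assumed.
RESPONSES = {
    "unknown-vm": "alert",
    "unknown-process": "alert+snapshot+quarantine-vm",
    "unexpected-connection": "block-flow+alert",
}


def learn_manifest(baseline):
    """Build {vm: {'processes': set, 'connections': {process: set(patterns)}}}."""
    manifest = {}
    for e in baseline:
        vm = manifest.setdefault(e.vm, {"processes": set(), "connections": {}})
        if e.kind == "exec":
            vm["processes"].add(e.detail)
        elif e.kind == "connect":
            vm["connections"].setdefault(e.actor, set()).add(e.detail)
    return manifest


def generalize(manifest, vm, process, pattern):
    """Operator review step: widen an exact learned endpoint to a glob (e.g. a DB subnet)."""
    manifest[vm]["connections"].setdefault(process, set()).add(pattern)


def evaluate(manifest, events):
    """Return (event, reason, response) for every event outside the declared intent."""
    findings = []
    for e in events:
        vm = manifest.get(e.vm)
        if vm is None:
            findings.append((e, "unknown-vm", RESPONSES["unknown-vm"]))
        elif e.kind == "exec" and e.detail not in vm["processes"]:
            findings.append((e, "unknown-process", RESPONSES["unknown-process"]))
        elif e.kind == "connect":
            if e.actor not in vm["processes"]:
                findings.append((e, "unknown-process", RESPONSES["unknown-process"]))
            elif not any(fnmatch.fnmatchcase(e.detail, p)
                         for p in vm["connections"].get(e.actor, ())):
                findings.append((e, "unexpected-connection", RESPONSES["unexpected-connection"]))
    return findings


def run():
    manifest = learn_manifest(BASELINE)
    generalize(manifest, "web-01", "/usr/sbin/nginx", "10.100.2.*:5432")  # whole DB subnet
    return evaluate(manifest, OBSERVED)


if __name__ == "__main__":
    for event, reason, response in run():
        print(f"{event.vm}: {reason:<22} {event.kind} {event.actor} -> {event.detail}: {response}")
```

The point of the two-phase design is that the enforcement logic never needs a list of bad things: the miner binary is caught because it is not in the manifest, and nginx reaching out on port 4444 is caught because that destination was never part of the application's intent. The price is the `generalize` step. A manifest learned from a short baseline is too narrow (here it would have rejected a legitimate second database replica), so someone who understands the application has to review and widen it before it is enforced.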

UNIVERSAL CLOUD PLUMBING

NSX, VMware’s network virtualization and micro-segmentation offering, is becoming the glue that builds and integrates hybrid clouds. There are now two flavors: the on-prem version that runs with vSphere, and the new as-a-service NSX Cloud.

VMware Cloud on AWS uses multiple VMware products, including NSX for networking and security. NSX Cloud, by contrast, targets workloads running natively in public clouds, such as an Amazon EC2 instance in AWS.

Because NSX Cloud is delivered as a service, it does not require NSX, or any other VMware software, on-premises. VMware positions it as a replacement for tools that are specific to each public cloud, such as AWS CloudWatch and Azure Monitor; note that those two are primarily monitoring services, so the overlap with a network security product is partial.

In his VMware blog on August 28, “Introducing NSX Cloud,” Mark Schweighardt, director, product marketing, Networking & Security, wrote, “NSX Cloud provides an abstraction layer that is independent of the underlying cloud networking constructs. You can think of NSX Cloud as a way to bring your own enterprise networking management and controls to the public cloud. This gives IT more precise control over the networking topologies, traffic flows, IP addressing, and protocols used within and across public clouds. For example, IT can easily stretch NSX Cloud subnets to applications running across multiple regions or clouds.”

Taken together, these new offerings place VMware solidly in the cloud security arena.

According to Chris Williams, an enterprise IT consultant at GreenPages in Kittery, Maine, VMware missed customers’ real needs when it tried to launch its own cloud service. Instead, he said, nearly every customer wants to take their on-prem workloads and move them to any cloud, whether AWS, Azure, Google or another, without refactoring. Williams likes the cloud partnership with AWS: “Marrying them together is like a dream come true.”

“VMware is uniquely positioned in data centers,” Williams said. “AppDefense is a first shot at filling some of the blind spots other security companies miss. It looks like it will be very cool,” Williams added. “I still have more questions, but I like the fact that you can use it to see anomalous behavior. For years I have been working with customers who needed info on their steady state. I think that VMware will figure out how to use this steady state info with other security partners.”

Evidence of initial integration partnerships came from Carbon Black and IBM, which announced links to AppDefense at VMworld. These partnerships incorporate VM-level detection data from AppDefense into security analytics.

Williams was also part of the dedicated vBrownBag group that held focused tech talks at VMworld. They have streamed these tech sessions live from VMworld for several years, but this year the sessions were listed in the conference schedule builder and attendance at the vBrownBag Tech Talks exploded.

Many of this year’s VMworld tech talks will be posted on their YouTube channel. Visit vBrownBag.org for details.

“VMware is applying security in two areas, its own infrastructure and cloud infrastructure,” Jon Oltsik, senior principal analyst at ESG, told Mission Critical. “In this way, AppDefense complements traditional static security controls.”

“[NSX Cloud is] a good move for VMware controlling cloud and ESX policy and network segmentation centrally. The challenge is for organizations who are more aggressive with cloud and not as active with ESX,” Oltsik said.

“We do intrinsic digital security for the new digital enterprise. IT infrastructure is no longer held in the four walls of the data center. The infrastructure is everywhere. That is what our customers are facing now and we have a footprint in this entire infrastructure. We can help simplify and consolidate the way customers approach security,” said Chris Campbell, director, security solutions, VMware, summing up the company’s approach to the cloud.

Videos of the top sessions of VMworld are now posted at http://bit.ly/2wQaWbe.


Now’s the time to do deep learning in the cloud

The AWS re:Invent conference is coming up, and predictions are flying about what Amazon Web Services will announce there. A sure bet is some sort of deep learning cloud service. Google, Microsoft and IBM won’t be far behind; indeed, Microsoft and IBM already have their own deep learning projects in the works, called Brainwave and Distributed Deep Learning, respectively.

So, what’s the difference between machine learning and deep learning? Deep learning is a subset of machine learning that uses multi-layer neural networks. Simply put, machine learning as usually practiced deals with tactical applications of AI, such as making instant predictions from structured data, whereas deep learning learns its own representations from massive amounts of raw data such as images, audio and text, and so provides a foundation for recognizing patterns at that scale.

