Hi, folks, Ed Amoroso here. And in this video, I'm going to call this part one of learning to do an advanced hybrid security cloud architecture. So this is pretty advanced stuff, you're going to like it.

Now let's start with the basic premise that you have four virtual internal workloads that sit inside your perimeter. And when I say virtual, I mean that it's software, these are applications that are running. They sit in your data center, they sit on your servers, but they can more or less be moved. These are capabilities like email and remote access and so on. So let's start with the premise that they sit in your enterprise and that your perimeter is leaky, right? It has the ability for hackers to get in and we don't like that. We want to kind of move from this to an environment where each of these, quote unquote, workloads or assets, are their own sort of self-protected entity in some cloud. So we want to go from this diagram that you see on the chart here, where I've got an oval showing the perimeter with the breaks in it and four internal assets, to something that we think will be more cloud-like.

So let's start by, we'll just sort of redraw it to the left of the picture here showing the same thing. And I'm going to start by selecting one of the workloads here called outsourcing. So maybe you have a gateway that all your outsourcing vendors come in and hit, and they put information or whatever they do as outsourcing providers. And normally they come into your enterprise to do that, but what do we want to do? Ta-da, we're going to move that thing into some cloud-based virtual data center, that VDC in the diagram. It gets you to move the outsourcing workload out there, and notice we were able to actually clean up the enterprise perimeter rule set a little bit. There used to be a rule that we needed to support outsourcing. Guess what, I don't need that rule in the legacy enterprise.
Hence, my firewall for the legacy enterprise actually improves because I've moved something. Now how am I going to protect that thing out in the virtual cloud? Well, let's build a micro-segment around that. And the micro-segment, again, is a shrink-wrapped, sort of visualized container that we use for the outsourcing workload that includes whatever security functions you think are necessary for that. So we've now moved one workload out to the cloud.

Let's pick a second one, how about email? We're going to take the email, and you can see in the diagram a little arrow that says, Email Gateway to an opening in that perimeter. As we move the email workload to cloud, watch what happens to that little opening. It closes, you see? The perimeter actually becomes simpler as we move the workload out to cloud, and now how are we going to protect the email workload in cloud? Boom, build a containerized micro-segment around that. And notice, that could be the same cloud as we used for outsourcing or it could be different. In fact, it'd be better from a resilience perspective if these things are in fact different.

Let's take a third workload, Partner Gateway. This is maybe a lot of business partners that are coming in and hitting some server that authenticates them and provides them with financial data. Maybe they get paid through this gateway, who knows? But I'm going to do the same thing and again, notice the arrow points to an opening in that perimeter. Boom, I move that thing up into cloud, I can simplify the legacy enterprise firewall perimeter. I've moved it up into a third cloud, built a containerized micro-segment around it.

And now look what I've done here. I've got basically four workloads. Look, I'm going to leave Internal Asset alone because we all know that there are going to be applications and systems that you're not going to be able to move to cloud. So by doing all of these operations, my enterprise, the legacy enterprise, in a sense, becomes its own hosted cloud.
Your enterprise then takes on the characteristics of a public hub because let's face it, to anybody that you're working with, you look like a cloud. If they're hitting you, then you're a cloud. So let's just sort of reorganize the diagram here a little bit. Let's move that thing over, let's refer to the legacy enterprise now as hosting a workload. We can kind of simplify it once more, and look what we've done. We've gone from four workloads that sat inside a perimeter, and we've now built micro-segmented protections, or in the case of our legacy, we've simplified the perimeter that had existed before. We left it in place, but we made it better, because each time we move a workload out, we can simplify the rule set that supported that workload that has now exited. And if I do that enough, the enterprise perimeter actually gets better. And I end up here with four workloads, three newly hosted capabilities and containers, one legacy workload that stays behind with an improved enterprise perimeter. And this is the base on which we can continue doing some design work.

Now we call this part one because I wanted to get to the stage and just make sure that you sort of understand how we go from perimeter to a bunch of workloads with micro-segments. Clearly it's A, right? Because the other three are just not right [LAUGH] and certainly moving legacy apps, some legacy apps may not move. But micro-segments certainly can be created around workloads as mini-perimeters, that's the answer to that one. So we use this as a base in some sense on which to do subsequent design work in part two of our investigation of how we build highly secure architectures in hybrid cloud. We'll see you in the next video.