A better model for cloud security

How Bracket Computing uses full workload isolation to secure the hybrid cloud without disrupting developer workflow

A better model for cloud security

The self-service delivery model of the public cloud brings many benefits, but of course undermines the traditional IT server provisioning model. Now that developers can allocate resources themselves with the swipe of a credit card, enterprise security teams have their work cut out for them.

How can IT security teams enable their organizations to harness the cloud’s flexibility and virtually infinite scale while maintaining control over corporate IT and data? This article explores the challenges enterprises face in enforcing security policies on the hybrid cloud, as well as the architectural solution Bracket Computing offers to address those challenges. 

Hybrid cloud challenges

Enterprises are encountering three primary challenges as they adopt hybrid cloud environments.

First, hybrid cloud means hybrid complexity. The heterogeneity of cloud service providers’ offerings creates massive complexity for teams trying to interpret and enforce the same set of security policies everywhere. Agents and virtual appliances can be unwieldy and difficult to manage, and segmentation rules can create traffic jams or allow too many actors in. Data and workload portability compound these risks, as does the increased likelihood of human error (for example, data inadvertently stored publicly).

For small companies without regulatory restraints and one environment, this complexity can be mitigated. But for IT organizations that need consistent key management (across clouds, but also across multiple regions within a single provider) or independence from infrastructure providers, this complexity is difficult to overcome.

Second, protection is incomplete. In the data center, security policies for identity access, network, and storage typically tie to infrastructure. Network policies are implemented using VLANs, subnets, and ACLs tied to IP addresses. Protecting assets typically relies on limiting network access to the storage hardware rather than protecting the data itself. But as the datacenter becomes increasingly hybrid and enterprises lose control over infrastructure, perimeter and network defenses become inadequate. Microsegmentation offers additional protections, but the network is only one part of an enterprise workload.

Without physical control, IT security needs to find other ways to establish logical control over workloads deployed on the cloud.

Third, ensuring transparent, provable control is a headache. Adoption of hybrid cloud expands the scope of audits, as IT must manage various security postures. Establishing visibility and proving control across multiple environments is difficult, with limited opportunity for IT to know how and where data is accessed.

Further, for firms subject to specific regulatory concerns (e.g. HIPAA), provider-offered encryption often raises objections. Proving control over data is essential to most audits, but hard to ensure on hybrid cloud.

Finally, preserving separation of duties between IT and development organizations without breaking the cloud’s self-service model is difficult. IT security must either deliver rigorous separation of controls, interfering with developer self-service procurement to secure resources, or enable agility within development teams but risk the controls being turned off by the teams configuring infrastructure resources.

Transparent cloud security

Bracket Computing offers full workload isolation software designed to address these challenges and enable enterprises to run workloads securely in hybrid cloud environments with a single set of advanced IT security controls. Bracket delivers crypto-enforced micro-segmentation, that includes always-on encryption of data at rest and in motion with customer-controlled keys, data and runtime integrity monitoring, and auditability and forensics capabilities that capture memory at the time of breach.

Bracket works across on-premises VMware clouds, as well as Amazon Web Services, Microsoft Azure, and Google Cloud Platform. The Bracket solution’s enforcement mechanism is a lightweight virtualization layer, called the Metavisor, that not only provides granular controls over network, storage, and compute, but allows these protection services to be inserted and audited transparently, with no impact to developers or data center operations teams.

The Bracket architecture is defined by the following four attributes:

1. Security is delivered transparently via lightweight virtualization

Security policies should be enforced transparently in cloud environments. Just as users are unaware of TLS/SSL in browsers, developers shouldn’t notice security at work. Using virtualization to enforce policies offers this benefit, unlike agents and virtual appliances, which can be misconfigured, incur performance penalties, be turned off by malware that accesses the host, or create chokepoints.

Instead of relying on a traditional delivery method, Bracket developed lightweight virtualization technology, called the Metavisor, to provide controls transparently, without any modifications to the guest OS or applications. Running between the guest OS and the cloud hypervisor, the Metavisor virtualizes I/O only, rather than the whole workload. This allows it to step out of the way when applications are executing. But when a call is made to the storage system or the network, the Metavisor intercepts the call, inserting security services. This allows production workloads to run securely and without significant performance penalties.

Because the Metavisor resides in a separate memory space from the guest OS, it provides the transparency and immutability of a network-based solution while leveraging a one-to-one relationship with the host. 

2. Security is attached to full workloads, not infrastructure

Bracket allows enterprises to write microsegmentation and compute policies on the basis of Bracket tags that are associated with resources, be it data, network links, or instances. Tags are already used on AWS and other cloud platforms, so use of Bracket tags fits well into existing cloud workflows.

These tags remain with assets if they are copied or moved. An example of a policy written on tags might be

Environments tagged ‘dev’ can communicate only with other environments tagged ‘dev’

Written like this, policies can be general like the above, or extremely granular, written to control specific ports, database hosts, or volumes. This provides IT security with policy enforcement that enables logical control over workloads in the absence of physical control, all without disrupting developer workflow.

3. Security is enforced cryptographically based on tags

Encryption of data at rest and in motion is always-on. Once resources are tagged, Bracket uses the Metavisor to cryptographically enforce any policies associated with those tags. Bracket manages and delivers encryption keys as allowed by policies, and includes the ability to decrypt disks or objects, boot instances, or talk to neighbors. When a key is requested, policies are checked and the key is released to the Metavisor, which implements the appropriate policies and allows access to the data. This yields automated, error-free policy enforcement, with the added benefit of always-on encryption that doesn’t impede developers or alter their workflow.

In any environment, but particularly across hybrid cloud, IT must deal with the risks of malware, malicious insiders, and mistakes. Crypto-enforced policies protect enterprises from threats, satisfying regulatory requirements for financial services, healthcare, and other large enterprises.

4. Security is implemented consistently across environments

IT organizations would not configure on-premises environments heterogeneously—for example, using Cisco firewalls exclusively in one data center, and Check Point and Palo Alto Networks products in the other two. Yet firms manage multiple sets of controls to enforce security policies across hybrid environments. This yields complications that not only create human error and increased risk, but also make auditing difficult.

Bracket’s solution allows enterprise controls to be enforced consistently everywhere developers work, minimizing IT’s operational overhead. It allows visibility across an entire enterprise system, with NetFlow and data access logs that fit neatly into enterprise audit processes.

Hybrid cloud adoption will continue to grow, driven by the needs of businesses for flexibility and scale. Without the ability to enforce a single set of controls across environments, IT security teams will have to deal with significant complexity and compliance issues.

With a full workload isolation solution like Bracket’s, security can ensure the scalability of cloud-based solutions, the host-based context of agent-based solutions, and the flat network appeal of virtual appliances—all in one solution. It is an architecture that allows enterprises to leverage the hybrid cloud, enforcing IT control without disrupting developer workflows.


Vinay Wagh is head of product at Bracket Computing. A veteran manager and product leader from Cisco and NetApp, he has extensive experience in virtualization, networking, and storage technologies as part of development teams for industry-leading products including NetApp Data OnTap and Cisco’s IOS-XR. Before joining Bracket Computing, Vinay architected the software and virtualization platform for the packet core gateways at WiChorus, and he remained through the Tellabs acquisition to lead and expand the platform to build multiple products.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.