In this interview, Hemma Prafullchandra, HyTrust chief technology officer, talks about the challenges operations teams face when transitioning to a software-defined data center (SDDC) infrastructure and the importance of building in tools to make the transition easier. Having helped many enterprises over the years close the security and compliance gaps created when moving to a virtualized infrastructure, Prafullchandra brings a unique perspective to the discussion around how to learn from those initial virtualization projects when moving to an SDDC. Prafullchandra highlights specific solutions from Intel and HyTrust that the IT infrastructure team can implement to make the job of transitioning to an SDDC easier for the operations team.
SDxCentral: Let’s talk about the operations/infrastructure IT team. Why is it important to think about them when designing an SDDC infrastructure?
Prafullchandra: Moving from a physical to a virtual infrastructure creates change and has the potential for introducing risk. These changes range from tooling, to processes and even personnel skill requirements. We all know that the operations team is at the front lines of incident response when something goes wrong. At HyTrust, we work with organizations every day to help them navigate through the potential security and compliance risks created by the move to SDDC, and enable a level of control and visibility of the IT Infrastructure allowing operations to achieve speedy resolution to incidents.
Going beyond the virtualization of compute, network, and storage functions with an SDDC, the use of a hybrid cloud is an even bigger move. When these IT initiatives transition from design, planning and implementation to production, operations takes the lead. Now, the operations team is no longer in control of some aspects of the infrastructure a situation made worse by limited visibility. It’s critical that operations understands the controls available to them and the nature of the responsibilities they share with their counterparts at their cloud service provider.
What are some of the challenges that operations teams face when moving to a SDDC?
Prafullchandra: For operations, moving to an SDDC architecture has the potential of adding more work to their already full plate. Shifting from physical to virtualized systems requires them to change how they monitor, manage and maintain the new infrastructure to comply with company security and regulatory compliance policies. They also need to help security and GRC teams achieve their goals of keeping the functional IT teams in their swim lanes, such as the networking team, while working in the virtualized infrastructure. On top of all this, operations has to make sure that they meet the business SLAs and the requirements for system availability and scalability.
Finding ways to make sure operations is working efficiently – and not responding to unnecessary fire drills – is key. Prevention of the accidental incidents is a sign of maturity over just detection, and frees them to work on more business critical projects.
Prafullchandra: Absolutely. I speak with operations leaders regularly and they are very concerned about data security, breaches, and shifting regulatory compliance policies – including Safe Harbor. Configuring and operating mission critical workloads to function in an SDDC infrastructure is still new to them – and small errors could have big security and compliance consequences.
Teams that use “intelligent workload security” understand that they have tools to build tag-based (to their classification) access controls, automatically align with existing regulatory policies, and quickly run compliance-ready reports. This significantly helps standardize provisioning and automatic scaling.
When our customers use HyTrust solutions with Intel Cloud Integrity Technology it lets operations keep sensitive data online and secure, with data encryption and advanced key management that allows the enterprise to maintain control of the encryption keys instead of the cloud provider. The company stays compliant, data is protected and operations can maintain service levels.
What are the key security and compliance elements that need to be in place to improve operational control in a cloud environment?
Prafullchandra: At the end of the day, people manage IT and people can make mistakes. Simple mistakes like pushing a broken line of code into production can have major business implications: Lost revenues, lost customers and damage to brand reputation.
Operations must have tools to prevent and/or quickly react to issues – whether they’re caused by an innocent error or disgruntled employee — tools that enable well defined policies and enforcement.
The pressure to produce results quickly in today’s IT environment can lead to unintended errors with far-reaching effects. For example, a media company pushed some code with errors into production that brought down a highly profitable live-streamed sporting event. That operations team was scrambling to identify root cause.
Intelligent workload security improves the ability for the operations team to define and enforce policies that ideally prevent the commonplace accidental changes in an SDDC infrastructure, and allows operations to focus on actual threats, and genuine failures in the environment. Having rich log details of attempted access and changes performed in the environment helps pinpoint the root cause of downtime and degradation, allowing them to reduce the mean time to recovery. Implementing secondary approval for mission critical workloads helps operations ensure that only authorized changes take place on production systems, as peer or supervisory oversight is automatically enforced.
What are some of the elements that can be built into the SDDC infrastructure to make the transition easier for operations?
Prafullchandra: The IT Infrastructure team should focus on what will best help operations support the needs of the business during their planning process. Yes, you can bolt-on tools later but this has two dire consequences: a) in the interim period all risks have to be assumed; and b) the design and architecture of the eventual SDDC results in tools that are only partially integrated. Making the investment upfront to incorporate or “bake-in” intelligent workload security into the infrastructure will provide operations better visibility into the root cause of unexpected downtime and accelerate rollback processes. It will also help them simplify audit response for compliance sensitive workloads and retain control over their applications and data with data encryption and advanced key management capabilities.