In 3 sentences: IT leaders are increasingly adopting hybrid cloud solutions to gain benefits like flexibility, innovation and cost savings while also addressing security concerns. A survey found that nearly half of organizations use a hybrid cloud approach and security technologies can help mitigate risks when applications and infrastructure span internal and external services. Experts recommend integrating existing security solutions and establishing processes when collaborating with cloud providers for a comprehensive security strategy across hybrid cloud environments.

1. Market Pulse
reaching for the Cloud
It leaders cite benefits, downplay security as they
move applications to the cloud.
Will security worries be the undoing of cloud adoption? Not likely, given other,
more pressing threats like device theft, mobility and IT consumerization. And with
new technologies able to mitigate the real and perceived risks inherent in hybrid
clouds—the combination of internal and external services—IT leaders say they
see opportunities to up the ante on security for greater end-to-end protection.
“It’s possible to do as good a job securing the cloud With advantages to both approaches, a hybrid cloud
as the local infrastructure, but it is more likely that strategy is increasingly becoming the preferred option.
someone else has better economies of scale and In fact, 47 percent of those surveyed by IDG are using
the specialization needed to help do it better than at least one application and/or a portion of their com-
you ever could,” says Chris Shull, director of informa- puting infrastructure via a hybrid cloud model, while
tion technology for the Jewish Federation of Greater another 53 percent plan to do so in the future.
Philadelphia.
Those users confidently point to the top-line gains
IDG Research Services recently conducted an online from hybrid cloud deployment, including greater
survey of 122 business and technology leaders across market flexibility, improved business continuity and
a range of industries to gain a better understanding of innovation, superior customer service, a stronger
cloud security trends. Among its conclusions: competitive edge and expanded revenue opportunities.
n Security for the cloud is a concern, but it is not as They also cite bottom-line efficiencies such as reduced
troubling as other data threats. resource waste and savings on the CapEx front (see
figure 1).“My executives are thrilled to have more
n Nearly half of those surveyed use or plan to use
features and capabilities, greater accessibility and bet-
a hybrid approach to managing security for cloud
ter security, all at a fraction of any reasonable cost one
environments.
could put on in-house systems,” Shull says.
n A number of technologies are being deployed to ad-
Still, many IT professionals are reluctant to relinquish
dress security concerns, including integrating the exist-
management responsibility to outside parties. “Hybrid
ing security infrastructure into cloud environments.
cloud implementations effectively straddle internal and
public infrastructures, and can introduce complexi-
Embracing the Cloud ties,” says Martin Capurro, director of Applications and
IT service models are evolving at record speed, though
none faster than cloud computing. CIOs everywhere
say they are considering the merits of the cloud com-
pared to traditional on-premise delivery. Specifically,
they say, cloud models enable enterprises to leverage
third-party expertise and more attractive economics,
while on-premise services offer greater control.
WP101366 12/10

2. Market Pulse
Benefits of a Hybrid Cloud Approach survey respondents considering cloud
security to be a significant risk. Seventy-
Greater flexibility to react to
changing market conditions 51% five percent consider lost or stolen devices
Reducing resource waste 48% to be a significant security risk, 65 percent
fret about IT consumerization, and 56
Enabling business continuity 47%
percent worry about mobility.
Savings on CAPEX 43%
All said, only 40 percent of the technol-
Enabling innovation 37%
ogy and business leaders surveyed are
Improving customer support
or services 34% extremely or very confident that their
Gaining a competitive/ 25% security infrastructure is prepared to pro-
information edge
tect data in the cloud. And that has them
Expanding revenue opportunities 19%
weighing their cloud security options: Is it
Other 8% better to own all aspects of security or to
Don’t know 3% Source: IDG Research, October 2010 outsource the whole function? On-premise
implementations offer a single security au-
thority, more control over data protection,
full visibility into one’s risk and compliance
Infrastructure Solutions for Qwest, a network services posture, and less complexity. Managed services, on the
provider based in Denver. Working with two separate other hand, release CIOs from the financial and man-
infrastructures, CIOs must coordinate efforts, commu- agement burden of in-house solutions while enabling
nicate and even share data with their cloud provider. them to leverage the security resources and expertise
What’s more, today’s fluid perimeter—pocked with of a third party.
mobile devices and social networking sites—becomes
“In biology, hybrids are often bred to gain the best
harder to monitor in a hybrid environment.
features of multiple breeds,” Shull says. “So is the ad-
vantage of combining multiple technologies to ensure
Sorting Out Security better security.” Some 45 percent of the survey respon-
Those issues eventually give way to the nagging dents agree, indicating they prefer a hybrid or mixed
security concerns in the cloud, the greatest of which approach to cloud security. With a mixed security
is the protection of sensitive data. Survey respondents model, CIOs can maximize the advantages of managed
are most focused on preventing data leaks, setting and security services while maintaining control over their
maintaining security policies, managing data access, critical data protection strategy.
preventing intrusions and maintaining compliance (see
figure 2). And those risks can be compounded by a Outsourcing to a third party can also be an afford-
dual environment. “A threat in one environment could able way to add security capabilities when budgets
permeate the other,” explains Troy Herrera, enterprise are tight. Of course, there may be challenges in terms
marketing director for Juniper Networks, a network of visibility and the ability to enforce security; but,
infrastructure provider based in Sunnyvale, Calif. A by working together holistically, communicating, col-
hacker who gains access to a cloud application, for ex- laborating and sharing reports, the internal-external
ample, could make his way into the enterprise network, partnership can prove very beneficial.
while an error in access control rights on the corporate
network could affect cloud application security.
Integrating Internal with External
Yet the security of the cloud does not appear to be “A service provider can complement what you’re doing
as pressing as other threats, with only 49 percent of and even enhance protection,” Herrera explains. “The
2

3. Market Pulse
Cloud Security Concerns to extend the network into the cloud.” Of
course, the networking component is still
Preventing data leaks 61% evolving. Today, it’s all Internet-based, but
Setting and maintaining security policies 56% eventually the cloud will be delivered on
different fabrics, such as Ethernet. That
Managing access to data 54%
will enable technology leaders to create,
Detecting/prevent intrusion 52%
deploy and manage their infrastructure as
Keeping compliant with data retention 52% they have in the past, and thus maintain
laws and regulations
the desired level of security, performance
Encrypting data 49%
and control over operations.
Backup and recovery 49%
It’s equally important to establish process
Detecting/prevent viruses and spam 48%
integration. Setting up procedures by
Managing patches 36% which partners can share reports and
logs is critical, as is agreeing to common
Source: IDG Research, October 2010
escalation procedures, security policies
and compliance milestones.
key is to implement the proper security measures with Still, some level of separation can be advantageous:
the goal of achieving end-to-end security, and to be “Keeping the multiple parts of our hybrid and multilay-
cognizant not to weaken security along the way.” ered defenses disconnected adds important indepen-
dence and resiliency to them,” Shull says.
One of the IDG survey respondents concurs, advis-
ing that CIOs “start by extending existing capabilities
into the cloud.” Security has long been integral to
Investing Wisely
As for specific technology integrations, CIOs have
internal infrastructure, and those investments should
zeroed in on the most pressing hybrid cloud security
be expanded into the cloud. Some 82 percent of
concerns. Most respondents—about 80 percent—say
respondents agree, saying interoperability with existing
they have already implemented anti-virus, spyware,
security solutions is very important.
spam filters and VPN technology. Web filtering, intru-
Many security solutions can work together, whether sion detection, network access control and firewalls
on-premise or in the cloud, Herrera adds. For example, are nearly as popular (see figure 3). “These core tech-
an in-house network access control solution can nologies have been part of IT for a while,” Herrera says.
identify users by communicating with an outsourced “Now CIOs need to focus on upgrades to accommodate
VPN. A Web services application secured in the cloud the changing environment and performance shift that
could store underlying data in an internal SAN. And a come with cloud infrastructure.”
service provider offering can federate with the internal
New technology investments are critical as infra-
environment to protect and enforce identities. CIOs
structure becomes more complex. The top priority for
just need to coordinate with their vendors to ensure
50 percent of respondents going forward is security
interoperability.
incident and event management (SIEM), which offers
Part of that process, Capurro suggests, involves inte- crucial visibility into event anomalies and provides a
grating core infrastructure elements with the cloud centralized portal in which to view logs. Data loss pre-
environment—including the network. In fact, one vention and identity and access management (IAM)—
respondent cautions technology leaders to “make sure which can work in conjunction with one’s NAC solution
that the hosting provider has a clear strategy for how to protect data and enhance access control—were also
3

4. Market Pulse
cited as likely investments in the coming year.
A Few Words from Capurro believes IT professionals should put more
Your Peers stock in service level agreements as well. Cloud envi-
ronments must provide not just scale and flexibility, but
The right approach to securing a hybrid cloud
also performance assurance, including speed and avail-
infrastructure can quickly dispel any lingering
ability. Application performance management solutions
doubts about data protection. Some of the IDG
can supplement those agreements and give CIOs the
survey respondents offer the following advice:
visibility they need to monitor platform performance.
Do the proper planning. “Understand your Provisions must be made for data portability in terms
company’s current needs as well as those for of moving and retrieving data.
the next five to 10 years. That will save you
time and effort as well as money,” says one
respondent. CIOs are advised to take their time The Bottom Line
and think holistically. Others suggest engaging Since moving certain critical business applications,
in a third-party security audit, site inspec- including e-mail, to the cloud, Shull says he is “enjoying
tions, penetration testing and piloting before better security” than he could provide in-house. The
deploying any solution. And always read the IDG survey respondents already using cloud services
fine print, they say, especially in service level agree: They expect hybrid cloud implementations to
agreements. enhance security through improved service perfor-
mance, 24/7 support, higher levels of expertise, a reduc-
Shop for the right partner. “The cloud is as dan-
tion in dedicated security staff resources and lower
gerous as posting your data to Facebook if you
have not done a security review of the cloud security management costs.
vendor,” warns one respondent. CIOs should So can CIOs really trust the cloud with their most criti-
make sure they know who they are dealing cal data? “Absolutely,” Herrera says. “You just have to
with. Understand not just the vendor’s security be smart in its management.” So go ahead and reach
practices and infrastructure capabilities but
for that cloud—and its silver lining.
also their long-term plans and financials.
Partners should be well rounded, with multiple
offerings and expertise in transport as well as
About Juniper Networks
security products. Juniper Networks is in the business of network innova-
tion. From devices to data centers and consumers to
Choose solutions carefully. “Use only trusted
cloud providers, Juniper Networks delivers the software,
solutions,” advises a respondent. When it
silicon and systems that secure infrastructure and trans-
comes to infrastructure, CIOs must evaluate
form the economics of networking. For more informa-
an offering’s scalability and performance.
Establish a “trust zone” for data protection, tion, visit (www.juniper.net).
and inspect data center facilities. Technology
solutions should be geared toward longevity—
About Qwest
consider open-standards approaches to Building on unparalleled network services, Qwest helps
ensure interoperability with new technolo- businesses leverage existing and emerging technology.
gies. Look for manageability and operational In addition to services utilizing over 173,000 network
simplicity. And whenever possible, strive to miles, Qwest has technology and expertise that extends
consolidate multiple security solutions onto a to broader applications and technologies. For more
single platform. information, visit (http://www.qwest.com/business/
solutions/why-qwest/list.html
4