The Best of Both Worlds: Building a Secure Hybrid Data Center with AWS

If you’re looking for a new car, you may be considering a hybrid – one that combines electric power for efficiency and mileage with traditional internal combustion to recharge the engine and extend the travel range. For many buyers, it is the best of both worlds, providing greater flexibility to extend your trip as needed. The same concept applies to a hybrid data center – one that combines your own, dedicated on-premises resources with the scalability and agility of on-demand compute, networking and storage resources such as those from Amazon Web Services (AWS).

As the insatiable appetite for compute and storage resources to support the business continues unabated, customers are using the public cloud as a way to augment their data centers more quickly and more efficiently than in the past. Initially, a hybrid approach was viewed as a step toward migrating all applications and data to the public cloud. In reality, many customers are settling on a hybrid approach as their new data center architecture.

In a recent conversation I had with a customer, two new physical data centers had just come online, and they were already over-subscribed. They were looking to AWS as a way to extend the life of their data center using a hybrid approach. When you think about it, a hybrid approach makes the most sense. First off, it allows you to start small and establish some guidelines around which applications and data should reside in the cloud. There will be legacy applications that cannot or should not be migrated. There will be data that, after careful internal analysis, does not belong in the public cloud. For new applications, you might look at adopting a simple cloud-first mentality that says: for new applications, look to the cloud as the deployment location. A more advanced cloud-first approach entails changing your application development methodology to one that is componentized, makes heavy use of APIs, can be updated rapidly, and can be deployed globally – in the cloud first.

From a security architecture perspective, a hybrid data center is an extension of your data center and therefore should be treated no differently than your physical data. This means that you should:

• Know exactly which applications are running in the cloud and whitelist them to ensure they are the only ones allowed in the cloud
• Segment the applications to control which can talk to which and limit lateral movement
• Enable applications based on the user credentials and the business need
• Apply threat prevention to block threats from accessing your cloud applications and data while also blocking them from moving laterally

When deployed in AWS, the Palo Alto Networks VM-Series can securely enable your hybrid data center, acting as an IPSec VPN termination point and as a virtualized next-generation firewall, protecting your AWS deployment with application control and advanced threat prevention. More advanced use cases include segmentation for added security and compliance purposes through VPC to VPC and subnet to subnet policies. In effect, you can mimic your physical data center security in AWS.

To learn more about how a hybrid data center with AWS might benefit your organization, check out these resources:

• SANS Webinar with Dave Shackleford: Know Before You Go: Key AWS Security Considerations
• VM-Series with AWS Hybrid Data Center Deployment Guidelines (includes sample deployment script)
• CSA White Paper: Public vs. Private Cloud Security Considerations