Protection in the ‘Data Path’ for Security across Hybrid Environments
Bracket Computing, the highly funded hybrid cloud security platform company, today announced extensions to its “Computing Cell” cloud workload protection platform, a container-like “bubble” that carries a workload’s data security controls with it across computing environments, whether an on-premises data center, a private cloud or a public cloud.
The company, formed in 2011 and a magnet for more than $130 million from investors, released the initial version of the Computing Cell in October 2014 and now boasts Goldman Sachs, Wells Fargo, General Electric and DirecTV among its customers. Attracting this attention is the Metavisor, which is at the heart of the Computing Cell and which Bracket calls an advanced form of virtualization that runs between the guest operating system and the hypervisor of the cloud underneath. Sitting at this point in the software stack — in the “data path” — the Metavisor allows customers to insert security services transparently for production workloads without changes to the guest operating system or applications.
The three new services announced today by Bracket expand the Computing Cell to provide transparent encryption of all data in motion (in addition to data at rest), along with extended “cryptographic assurance” and application and data segmentation, enforcing data-centric policies for access to individual workloads.
In addition, Bracket said, the Computing Cell offers a distributed control system that runs either on premises or in the cloud, as well as reporting and logging capabilities that give visibility into protected workloads.
Industry watcher Gartner has named Bracket, along with Mesosphere and ZeroStack, one of three “Cool Vendors” driving bimodal cloud infrastructure, stating that Bracket “offers a secure cell or a secure bubble around a runtime environment when looking to migrate between providers.” Bracket’s “virtualization and security technology allows IT organizations to deploy workloads across and between clouds with one consistent set of advanced security controls,” said Gartner’s Philip Dawson, vice president of research. “This allows businesses to drive optimal deployments between on-site servers and cloud-hosted environments.”
Enterprises are increasingly moving workloads to the public cloud, but moving machine images – the blueprints from which virtual machines are created – to public clouds raises security risks because the images pass through processes controlled by the cloud service provider. The Computing Cell addresses this with an “end-to-end chain of custody” that isolates a complete workload, including the application, the runtime or OS, and the associated controls such as firewalling, networking, encryption and data management. Bracket said the Cell can be deployed on both sides of a bimodal deployment, for example VMware-based private clouds alongside public clouds such as AWS and Google Compute Engine.
“With our architecture, we give the customer a single set of controls that are consistent and advanced, running across multiple clouds,” Bracket CEO Tom Gillis told EnterpriseTech. “It allows customers to think about clouds as pools of capacity and they can pick and choose the best pool of capacity based on the needs of a particular workload. We level the playing field in that whatever cloud you want to run we provide one set of security controls to it, and this allows the enterprise to implement a hybrid cloud strategy much more fluidly.”
Gillis said Bracket’s approach differs from most security strategies, which are based on IP addresses. “You use the native controls of the provider underneath you, which usually have gaps, so you’d be doing segmentation using firewalls, which are typically based on IP address, and that gets very complex very quickly.”
He said Goldman plans to use Bracket to deploy a strategy in which some workloads run in their private clouds while others will run on any of several public cloud providers.
“The challenge from the customer standpoint,” Gillis said, “is that in a hybrid world, each one of these different clouds has a different set of security controls. It’s not that one is better than the other, it’s that they’re different. It means you’re using one set of firewalls on your East Coast data center, and a different set of firewalls on your West Coast data center. It’s possible to do that, but no one’s going to do it because it creates operational complexity, and complexity is the enemy of security.”
He said another technical innovation in the Computing Cell is the use of encryption for asset assurance and for application and data segmentation. The Cell’s built-in encryption is always on, so no workload’s data is left unencrypted.
“The Computing Cell optimizes the encryption so it is very high performance, and uses a form of encryption that is authenticated,” said Gillis. “This ensures that data at rest has not been tampered with or modified in any way as a result of data corruption or malicious acts.”
With universal encryption, a key must be released when a server or a data volume is accessed, he said. “This is the point where Bracket enforces a company’s policy. Each time a key is accessed, the policy is checked: What application is accessing this data? What country is it residing in? Is it facing the Internet or is it only internal? By using key release as a point of policy enforcement, policies follow the data. If a data set is copied, backed up or moved, the policy moves with it. The policy is fully decoupled from physical infrastructure, and does not rely on traditional IP address segmentation or physical boundaries — allowing application and data access policies to span hybrid clouds easily and flexibly.”
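The two mechanisms Gillis describes above, authenticated encryption that detects modification of data at rest and key release as the point where policy is evaluated, as an added example. This is not Bracket’s code and does not describe the Metavisor’s internals; it is written against the Python standard library only, so the cipher is a stand-in (an HMAC-SHA256 counter-mode keystream with an HMAC-SHA256 tag, encrypt-then-MAC) rather than a production AEAD such as AES-GCM behind a real key management service. The dataset names, policy fields, workload attributes, master key and sample record are all constructed for the illustration.

```python
"""Added illustration (not Bracket's code): always-on authenticated encryption of a
data volume, with the data-encryption key released only after a policy check on the
requesting workload's attributes.  Primitives are standard-library stand-ins."""
import hashlib
import hmac
import secrets

TAG_LEN = 32
NONCE_LEN = 16


class PolicyDenied(Exception):
    pass


def _derive(key: bytes, label: bytes) -> bytes:
    """HMAC-based subkey derivation; distinct labels keep purposes separate."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def release_key(master_key: bytes, dataset_id: str, policy: dict, ctx: dict) -> bytes:
    """The enforcement point: policy is evaluated against what the workload is
    (application, country, exposure), not which IP address it has, and only then
    is the per-dataset data-encryption key derived and handed out."""
    if ctx["app"] not in policy["apps"]:
        raise PolicyDenied(f"application {ctx['app']!r} may not access {dataset_id}")
    if ctx["country"] not in policy["countries"]:
        raise PolicyDenied(f"country {ctx['country']!r} may not access {dataset_id}")
    if ctx["internet_facing"] and not policy["allow_internet_facing"]:
        raise PolicyDenied(f"internet-facing workloads may not access {dataset_id}")
    return _derive(master_key, b"dek:" + dataset_id.encode())


def seal(dek: bytes, dataset_id: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the dataset id travels in the clear but is covered by the tag."""
    header = dataset_id.encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_derive(dek, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    body = len(header).to_bytes(2, "big") + header + nonce + ciphertext
    return body + hmac.new(_derive(dek, b"mac"), body, hashlib.sha256).digest()


def dataset_of(blob: bytes) -> str:
    """Read the (not yet authenticated) dataset id so the key request can name it."""
    hlen = int.from_bytes(blob[:2], "big")
    return blob[2:2 + hlen].decode()


def unseal(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; corruption or tampering fails here."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(dek, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: volume corrupted or tampered")
    hlen = int.from_bytes(body[:2], "big")
    nonce = body[2 + hlen:2 + hlen + NONCE_LEN]
    ciphertext = body[2 + hlen + NONCE_LEN:]
    ks = _keystream(_derive(dek, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def _attempt(fn) -> str:
    try:
        fn()
        return "accepted"
    except PolicyDenied:
        return "denied"
    except ValueError:
        return "rejected"


def scenario() -> dict:
    """Constructed sample: one protected volume, several access and tampering attempts."""
    master = b"\x11" * 32  # constructed control-plane master key
    policies = {  # constructed per-dataset policies held by the control plane
        "payments-ledger": {"apps": ["ledger-svc"], "countries": ["US"], "allow_internet_facing": False},
        "scratch": {"apps": ["ledger-svc"], "countries": ["US", "DE"], "allow_internet_facing": True},
    }
    ledger = {"app": "ledger-svc", "country": "US", "internet_facing": False}

    def open_as(ctx: dict, blob: bytes) -> bytes:
        ds = dataset_of(blob)
        return unseal(release_key(master, ds, policies[ds], ctx), blob)

    blob = seal(release_key(master, "payments-ledger", policies["payments-ledger"], ledger),
                "payments-ledger", b"acct=42;balance=1000")
    flipped = bytearray(blob)
    flipped[-TAG_LEN - 1] ^= 0x01  # one-bit change in the last ciphertext byte
    # Rewrite the header so the copy claims to belong to the permissive "scratch" dataset.
    relabeled = len(b"scratch").to_bytes(2, "big") + b"scratch" + blob[2 + len("payments-ledger"):]
    return {
        "same_workload_after_copy": open_as(ledger, blob),
        "wrong_country": _attempt(lambda: open_as(dict(ledger, country="DE"), blob)),
        "internet_facing": _attempt(lambda: open_as(dict(ledger, internet_facing=True), blob)),
        "bit_flip": _attempt(lambda: open_as(ledger, bytes(flipped))),
        "relabeled_to_permissive_dataset": _attempt(lambda: open_as(ledger, relabeled)),
    }
```

Calling `scenario()` opens the copied volume for the same workload, denies the key to the same application running in another country or exposed to the Internet, and rejects the bit-flipped copy at tag verification. The last case is the one a practitioner should check for in any design like this: the dataset label is read before the key is released, so an attacker could relabel a copied volume to point at a dataset with a looser policy; because the data key is derived per dataset and the label is covered by the tag, the released key simply fails to authenticate the volume instead of opening it.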
Gartner’s Dawson said Bracket’s always-on encryption lets customers set policies around data and applications, “which creates a robust and simple-to-manage microsegmentation.
“Bracket's abstraction allows security policies to follow services across platforms without requiring any change or modification. This allows DevOps to reduce migration complexity, as portability and identity are kept within the Computing Cell — like a bubble. The Cell allows security functionality and the ability to store cryptographic keys on-premises as mandated by the ultra-strict data regulations.”