The Great Gig in the Sky: Secure Hybrid Cloud

January 10, 2017

Every day I hear from companies concerned and frustrated over a specific challenge -- how to stand up workloads in the cloud while maintaining privileged access security (PAS).

Infrastructure-as-a-Service (IaaS) has become the great equalizer. It doesn’t matter whether you're large or small, in finance, healthcare or government -- we all share the same worries when it comes to securing access to, and in, the cloud.


I was pondering this the other day while sipping a short, dry cappuccino and listening to Pink Floyd’s Dark Side of the Moon. I had an epiphany. Thanks to Roger Waters & Co, I walked away with a whole new perspective on PAS for the hybrid enterprise!

I’d like to share it with you, in the context of DSOTM and all the tracks on that very fine album. Shine on...

The Great Gig In The Sky

The powers-that-be have decided to leverage the cloud. Your business currently runs from your data center, but they’re convinced the cloud is essential to better innovate, scale and compete. So, you (as the person tasked with security) are at the start of a journey to figure out how to manage privileged access in a hybrid on-premises and cloud infrastructure.

You have a little breathing room while Dev "plays" before a full-blown production rollout hits, but the clock is ticking...


From a business perspective, time is of the essence. Your competition is already down this path and threatens to outpace you. With IaaS, you're looking to quickly enable international reach, support cyclical customer usage patterns, rapidly spin up large-scale test and dev environments and reduce IT and operational overheads so that your organization can focus on business innovation. Compliance is always important but you're part of a new trend that values business agility above everything else.


In true “business imperative” fashion, you have a limited budget. Whatever you do, it has to be cost-effective. But, the first thing that comes to mind when you think “cloud infrastructure” is the need for new investment. This is not the same world as on-premises and you can't simply fork-lift things into the cloud.

Us and Them

Although the business decided to embrace the cloud, they’re more nervous than ever about cyber attacks. Will IT have less visibility over cloud resources? Cloud services are public; are they more exposed? Will I lose control? Given all of this, how can we realistically ensure the same (or stronger!) security controls for cloud-based resources?

On the Run

It's your job to figure all this out. And quickly. Are your on-premises security solutions obsolete? How can you seamlessly secure the two worlds? Will you need a new Active Directory forest with a one-way trust, or maybe just a read-only domain controller with replicated accounts for specific users in the new environment?

Lots of questions, IaaS concepts and deployment models to figure out. You’re chasing a goal that may seem out of reach. You’re on the run.


Don’t panic. Amazon recommends “Conventional security and compliance concepts still apply in the cloud” and “…you can architect and build a cloud infrastructure using technologies similar to and largely compatible with on-premises solutions.” That should make you feel a little better.

And there's more. We've expanded on these with our own security best practices. They're for Centrify customers who want to extend their on-prem Centrify investment to AWS.

Speak to me (me = Active Directory)

We understand not everything is simple and straightforward. In hybrid cloud situations, one massive problem is how to speak to Active Directory from the cloud. In AWS, how can your admins log in to new EC2 Linux instances with their Active Directory credentials? You've got options, of course: a site-to-site VPN, a new Active Directory forest with a one-way trust, or a read-only domain controller with replicated accounts for specific users of this new environment.

Definitely a complex problem. At our annual Centrify Connect Identity Conference in May 2016, I spoke to many customers struggling with this very issue. I'm jazzed to say that at AWS re:Invent in November 2016, we announced a brand new capability of the Centrify Privilege Service to address this concern. It's called Centrify Identity Broker.

Any Color You Like

With Identity Broker, you can address these complexity and security challenges. You have the flexibility to choose where identities are stored -- e.g., Active Directory, LDAP repositories, cloud directories, and Google G Suite Directory. You also have freedom to deploy Centrify solutions on-premises or in the cloud.


In conclusion, do not think your vision of a hybrid IT infrastructure is obscured (eclipsed!) by concerns over security, complexity and a lack of modern cloud-ready technologies. Leverage your investment in Centrify and new innovations such as Identity Broker.

Brain Damage

Preserve the sanity of your IT, security and operations staff, as well as your partners, customers and internal end users. Head over to our AWS and Identity Broker pages for more information, including best practices recommendations and lab videos showing exactly how to do all this.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.