Risk and Compliance in the Hybrid Cloud

Risk and Compliance in the Hybrid Cloud

Actionable Insights for VMware and AWS



Managing risk and compliance in the hybrid cloud and across your IT environment is a never-ending task. Every day, software patches are released, new security risks are identified, and vendor recommendations are updated. Company boards, auditors and regulators all expect business and IT to be on top of these changes, with smooth running procedures meeting all policy requirements. How do we ensure that we are identifying, managing, and remediating these in order to effectively control the risks in your environment and in the cloud?

When it comes to understanding the core priorities for managing risk and maintaining compliance in the IT and cloud environment, Kev Johnson, Systems Engineer, Runecast and Robin Gardner, Strategic Services Director, Xtravirt have great expertise to share.

In this podcast we talk to Kev and Robin about the importance of monitoring to mitigate risk, best practices to ensure a healthy and optimized infrastructure and how Xtravirt and Runecast together provide solutions across VMware, AWS and VMware Cloud on AWS environments and the wider hybrid cloud market.

Listen to learn and understand more about:

  • 3:50 – Why are risk and compliance under the spotlight and what do you need to consider when it comes to cloud adoption?
  • 6:45 – Best practices and responsibilities
  • 7:49 – The impact of the COVID-19 lockdown on risk and compliance
  • 10:10 – How to identify a divergence from best practice. Monitoring across VMware on-premises and cloud solutions such as VMware Cloud on AWS. Monitoring tools such as Runecast Analyzer.
  • 14:50 – Benefits of continuous monitoring
  • 16:26 – How organisations can benefit from the partnership between Runecast and Xtravirt to protect their businesses, users and environments
  • 18:40 – The value of pro-active risk management and reporting

Author picture

Robin Gardner

Sales & Strategic Services Director

Author picture
Kev Johnson
Systems Engineer, Runecast

and your host

Author picture

Stuart Robinson

Digital & Creative Manager

Get it first

Sign up to the Cloud Insiders newsletter and get all new episodes before anyone else

Host:                Stuart Robinson

Guest KJ:         Kev Johnson, Runecast

Guest RG:        Robin Gardner, Xtravirt


Host:     Today we’re talking about some of the core priorities for managing risk and compliance in the hybrid cloud it goes without saying that this is a massive topic and today we just wanted to focus on how to get the basics right, what you can be doing to make sure that you’re configured correctly and managing your environment that best practise to reduce the attack surfaces.

Am I set up correctly what am I managing and what are the cloud host managing, how much control do I maintain? These are questions we should all be asking ourselves when connecting our private infrastructure to a public cloud and take on a hybrid solution.

But the journey doesn’t stop there, companies are constantly in the news owing to data loss or their infrastructure being compromised. How can we ensure that we’re not the next headline, where do the holes appear how do we patch them, and how do we stop them? Also every day, new rules and regulations are coming out of regulatory bodies such as the PRA or FCA, how can we assure that we are remaining compliant within our own industry? Do I need document this how can I prove what I’m doing?

I’m breaking a sweat just thinking about this but there are answers to all these questions and exceptionally positive ones at that. To help us get to the bottom of these we’re talking to Runecast creators of predictive analytics software for VMware and AWS, we’ll later be talking about how their tools integrate into VMware and AWS hybrid offerings in all forms including VMware Cloud on AWS.

From Runecast we are talking to Systems Engineer Kev Johnson, and we’re also talking to Robin Gardner Strategic Services Director at Xtravirt.

Host 1:43            Kev, if you could quickly give us a quick introduction to yourself and Runecast, what you do there and what is your monitoring.

Guest KJ 1:49     Sure firstly thanks for having me on the show it’s a great honour. I’ve been a big fan of the podcast for a long time so you know I can now tick this one off the bucket list. I’m Kev Johnson, I’m a systems engineer at Runecast so my job is basically to speak to customers and firstly hopefully get them to use the product and really highlight the benefits that we can bring to you but also make sure they get in there all of the benefits and feeding that back to our engineers and everything like that.

2:16       What we’re all about basically is we’re looking at the kind of residual risks that you have in your environment, risks of things like purple screens of death, risks where you’ve got hardware incompatibilities and things like that but also one of the other things that we’re really focusing on at the moment is regulatory compliance so security compliance baselines.  What we do is we deploy a little appliance into your environment, it doesn’t send anything out to the cloud or anything like that so it all runs on premises, from there were going to scan your environment for all of those risks I just mentioned but also we’re going to run some checks against there and say, for example you need to be PCI DSS compliant so we’ve got all of the checks that we need written into the product so that you can validate if you’re going to be PCI DSS compliant and not only get compliant but also to stay compliant because configuration drift is a real issue. That’s Runecast in a nutshell but we’re doing it for vSphere, were doing it for a whole bunch of other things as well as VMware Cloud on AWS,  and also native AWS services.

Host 3:15            Now Robin this isn’t your first time on cloud insiders but for anyone who doesn’t know could you give us a quick in a nutshell view of who you are and what you do at Xtravirt.

Guest RG             Hi there Stu I’m the Strategic Services Director for Xtravirt. My responsibilities include overseeing the strategic relationship with our core customers and also the oversight and growth of our managed services capabilities.

Host:                    thanks so much for coming on, it’s great to have you both here. My name is Stuart Robinson and I’ll be your host for this discussion and without much further ado let’s crack on.

Host 3:50            Robin if I come to you first, from a strategic standpoint why are risk and compliance under the spotlight, when it comes to hybrid cloud are they and should they be considered road blocks for companies on the road to cloud adoption?

Guest RG 4:03   A great question Stuart, so from a business and IT perspective we’ve got to make sure that we understand the technical and operational risks associated with those environments that we rely on. We need to make sure that we’ve got proactive and appropriate management of these risks in place to be compliant with our corporate standards and regulatory requirements that we are managed by, much the ones that Kev was mentioning earlier. Critically though we’ve also got to make sure that we can evidence that these controls are in place and effective.

In the old days it used to be the situation that having all of your platforms within the 4 walls of your own data centre was the safest option. And having a team that you could closely monitor being responsible for the operational activities for those services was the only way that you could feel comfortable that you were controlling those risks. All of this was based on the belief that your own employees would have a greater vested interest in protecting your business and as a result they’d be better at managing your corporate assets.

The situation isn’t replicated in a cloud environment and that means that your existing processes and controls can’t be evidenced in the same way and that ultimately can lead to a lack of trust of the cloud platforms and regulators and your internal compliance teams placing restrictions on how and where you use them. But that’s starting to change, regulators and organisational boards etcetera are now starting to warm to cloud as a way of supporting their business growth and they are increasingly recognising that cloud solutions often cover the basic risk scenarios, you know things like physical security, basic infrastructure configuration to at least best practise levels in the industry and that comes as standard. Too often this is a higher standard than a lot of organisations unfortunately achieve internally.

These attitudes are now accelerating and with COVID-19 pandemic that we just sort of coming out of lockdown from we saw many organisations that had existing cloud capabilities were able to grow around to these as part of their recovery strategy much faster than those organisations that just had legacy internal platforms reliant on the lead time associated with infrastructure delivery service being provisioned etcetera.

As we continue these moves to the cloud, key components of managing risks, at getting the basics right, we’ve got to have robust operational management and routine maintenance activities in place we’ve got to ensure that we manage in platforms in line with best practises because this is a core foundational dependency for almost all other risk and compliance activities.

Host 6:45            So I think we can agree quite a big topic there are and can you give me a bit more detail on these best practises and should that be applied continuously in a cloud environment, are these the responsibility of the business or does the cloud provider take care of those?

Guest RG 6:59   Well in a cloud environment the patching and maintenance of the underlying infrastructure or the SaaS software is the responsibility of it carried out by the cloud provider however as these updates are released, as new features get added or as new security risks are identified in the wild it is the responsibility of the customer to ensure that their configuration is secure that any patches that are their responsibility have been applied the new software versions are adopted and their best practises is still followed in line with the new requirements.

I guess without these activities being carried out is similar to leaving the front door of your house open and hoping that the fact you’ve installed video cameras will stop any property being pinched. Unfortunately all those video cameras are going to do is tell you which direction your property left in.

Host 7:49            We mentioned previously about the COVID-19 pandemic and Kev have you seen any change in demand since lockdown? Has there been an increase or have they gone quiet as the focus is to build business reliance or if there’s been an increase demand in hybrid cloud and similar solutions do you see demand yet to come as people seek to audit what they’ve done and how they did it?

Guest KJ 8:11     That’s a great question and largely what we’ve seen is 2 separate approaches. The first thing we saw as soon as we saw the announcement that there was going to be lockdown and that people were not going to be able to work from their offices was we had a fairly significant spike of demand from organisations that we’re having to do things like roll out remote working solutions things like VMware Horizon, I imagine you folks at Xtravirt will have seen a lot of call in that kind of direction so both on premises and also cloud based solutions because you know if you’ve got to deal with where are we going to find the servers, just to have 1000 people work from home who previously came into an office.

The other approach that we’ve seen is that a lot of companies unfortunately, I say unfortunately it’s obviously a valid way of managing risk, but what they did was they basically went into lockdown and they had a hard change freeze. So you know in that situation you’ve got a hard change freeze where three months down the line you’ve not applied any patches for three months any changes that you have scheduled that should have happened in these three months haven’t happened and obviously the baddies out there, they’ve been looking to capitalise on this so I’ve seen a lot of phishing attempts and things like that so you know making sure that everything is in a good solid state is difficult and especially once you know if you come out of three months of lockdown, all of a sudden you’ve got to kind of get to get back towards, and I hate this term, but something more of a new normal. We’re seeing a lot of these customers that are now going OK right we need to make sure our environment is sane, we need to make sure that any changes that we need to make are getting done but it’s difficult if you’ve not got that view in the 1st place or what it looks like.

So this this is definitely somewhere we’d recommend that you engage with highly skilled highly experienced technicians through organisations like Xtravirt, you can leverage the capabilities of Runecast Analyzer to give you if you a view of where your risks lie, how best to improve your posture.

Host 10:10          If we take step back and look how many people this is potentially affecting because it is affecting people’s demand and coming into 2020 I think around 61% of companies of all sizes that embrace some manner of hybrid cloud and 87% of enterprises embracing some manner of hybrid cloud strategy going forwards, but by many accounts at the end of 2019 only about 21% of technicians thought their organisations were taking their monitoring seriously, so Kev if we could come to you, where do you begin? How do you identify when and where things are diverging away from best practise. I mean this is where monitoring the hybrid cloud comes into its own, Runecast integrate seamlessly across both existing VMware on-premises solutions and VMware Cloud on AWS, their hybrid cloud offering. Does VMware Cloud on AWS have anything built in natively to ensure companies are minimising risk and running to best practises? How does Runecast amplify or simplify these features?

Guest KJ 11:11   That’s obviously something that Runecast were really keen on our ability to help with. So what we do is, we are constantly monitoring that environment so if you deployed Runecast Analyzer six months ago you’ve got every single point of information for that entire period, you’re not in a position where you’re relying on an annual audit so you have that period of okay we’re going to spend six weeks everyone tyres on fire, they’re throwing things out of the window you got to make sure you shredded all those documents but just getting yourself to a sane state is really difficult if you don’t know what your environment looks like in the first place so it’s really important to measure and that’s  kind of one of the things that we really tried to do.

So I guess that’s probably the best way to answer that question but you know when you’ve got workloads running on-premises and in places like VMware Cloud on AWS and in the native public cloud you need to be able to see your combined status across all of those platforms so you can’t just rely on one tool to do on-premises vSphere, one tool for VMware Cloud on AWS because if you mix all of that stuff up how do you draw the picture, how do you get the big picture so this is kind of where we come in.

So we provide that there’s assurance there for on-premises vSphere and NSX-V with NSX-T coming very soon, vSAN, Horizon and all of the other stuff there. I guess also where we’re kind of giving you best practises across the board, best practises from VMware, best practises from AWS but we’re giving you security compliance against the whole bunch of standards so at present we cover BSI which is a German federal standard which doesn’t necessarily mean that it only applies in Germany, CIS the Centre for Internet Security, DISA STIGS, so US military standards, HIPAA, NIST 853, and PCI DSS, so we do these regular scans we retain the details of those scans on the appliance and we provide you with that clear audit trail so you can see as soon as you start to drift out of compliance or when you do that you see that uptick so you’re drifting away from that baseline and from there you can kind of go OK right we only have a small amount of work to do to get back to compliance instead of we spent a year drifting out of compliance and now we’ve got a whole bunch of stuff to fix.

Guest RG 13:27                I see huge value for organisations in having that compliance report against the industry standards bodies, it just simplifies your regulatory compliance reporting and your internal reports to compliance and risk teams who aren’t necessarily familiar with or familiar with the bodies or trust you as an individual first.

Guest KJ 13:50                  this is actually one of the areas where Runecast really helps because you know there’s all kinds of monitoring tools out there and you know they’re really good at doing what they do but one of the things that we, as far as I’m aware, are unique in the industry doing is we take these scans that were doing and mapping the controls that the auditors created. These standards are written from a technology agnostic perspective they’re not specific to vSphere they’re specific to technology, so taking that information the language that is used is often very dry and it might be very non-specific, we then provide you with the information that says okay so in order to meet this specific control this is what you need to do, this is how you audit it, this is how you remediate it if you drifted away from compliance there.

Guest RG 14:34                I do love the fact that it gives that same report across multi clouds so I think that you mentioned AWS and VMware Cloud on AWS as well as the private data centre installations of the platforms as well then that’s a huge benefit.

Host 14:50          What are the benefits of keeping this continuous focus on the status of your environment?

Guest KJ 14:55   I kind of covered this a little bit earlier but basically in the traditional model you would have an annual audit so if you had to be HIPAA compliant you’d have some auditors who will come in and ask a whole bunch of questions they try to retrieve documents from your bins they try and tailgate your stuff into your offices but from a technology perspective you know doing that once a year doesn’t work. Change is now pretty much the only constant in the industry so with this ability to see immediately as soon as you start to drift away from your desired state, you’re then in a much better place to remediate rather than okay we’ll have this slight drift away over the course of a year and all of a sudden we’ve got 4000 things that we need to do in order to get back to an audit ready state; you have the auditors come in they go okay yeah rubberstamped yes you passed or even worse sorry you have some other actions that you need to take to remediate this, we’ll come back again and we’ll bill you again. But yes if we can keep those changes as small as possible so that you can remediate them as soon as possible then it’s going to make your life significantly easier

Guest RG 15:58                I think the key thing on that Kev, is with an audit engagement or compliance engagement you don’t necessarily have to have remediated everything absolutely but if you can go in with a management identified understanding of all of your gaps and an action plan associated with them it puts you in a much stronger position with your auditors to be able to defend your approach and the position that you are in at any point in time.

Guest KJ 16:23  forewarned is forearmed and all that

Host 16:26          So what I’m hearing there is VMware give you all the tools to keep you sane and Runecast are there trying to keep you running and optimise but now that we recognise the risks and we know what the additional benefits of monitoring your hybrid cloud are, is that the end of the story? How are Xtravirt and Runecast working together to protect you, your business, your users your environment down the line? How can businesses push further and evolve faster by utilising this partnership?

Guest RG 16:55                As Kev mentioned earlier a lot of organisations have been making changes as a result of COVID-19 recovery actions and we’re seeing a lot of health checks and audit engagements to confirm the robust nature or security of those implementations and we’re expanding the use of Runecast in those solutions. But alongside that we continue to see a lot of interest in growing VMware Cloud on AWS to expand on-premises VMware solutions and huge potential for rapid deployments with horizon digital workspace and Workspace ONE. We’ve recently been recognised by VMware for these implementations and personally from a managed services perspective I see huge value in the insight that we’ll get using Runecast or we’re starting to get using Runecast in those solutions that guide our platform maintenance priorities for those managed services customers and we’re also using it to enhance our risk and compliance reporting that we proactively provide to them as part of our service management engagement.

Guest KJ 17:59                  That’s actually a great point as well so Runecast can provide you with a great deal of insight into the risk in your environment as well as details of what you need to do to resolve them so you know it works as from an end user perspective but we’re also seeing a lot of value and a lot of demand from service provider side of things too so we recently introduced a feature called enterprise console this allows people like yourselves at Xtravirt who provide this kind of multi- tenant monitoring capability to their managed services customers so you know you can see everything and you can see very quickly as soon as your customers start to inherit extra risk in their environment and you can take the actions from there so there’s a lot of value in that as well

Guest RG 18:40                that’s great Kev that’s been really helpful for us and the other area that we’re exploring is the value of this compliance and pro-active risk management reporting to highly regulated organisations which include those in financial services, healthcare and government as well where robust controls and the ability to evidence ongoing compliance, as you said earlier not just annually but on an ongoing basis are absolutely fundamental too, if you use Garnter terms, to the digital infrastructure operating model.

Within those environments the security of the platform itself is just important as the insight itself it provides though isn’t it?

Guest KJ 19:18                  Absolutely and you know we could we deploy the appliance and that’s it you’re done but that’s obviously not the case, the appliance is only as useful as the insights it can give and if we’re looking at customers you know where we’re looking at the problems that they have and we’re identifying security issues but our appliance was not getting the security fixes that it needed then yeah it would be significantly less useful than it is. So on that note you know we have been pushing out these updates every week but if you can’t get those updates what do you do? If you can’t allow your appliance to connect to the Internet you’ve got problems potentially but thankfully we’ve got a couple of options for those higher security airgap type environments and also larger environments where there might be a desire to use something like a central repository that you can expose that to the Internet that will pull your updates down, it’s still sort of way to VMware update manager download service or Microsoft W source does so you don’t have to then expose the Runecast appliance to the Internet you just pulled all of the knowledge definitions from that central repository.

For those customers who even that is too much exposure to the Internet we also provide a fully offline capability so you can go to our powerful from your management workstation or whatever you can log in there and you can just download the appliance updates. Now bear in mind these are these are coming out once a week sometimes more than once a week where there’s things like so for example we had a VMware security advisory published yesterday I think it was so we have a knowledge definition going out today with that detail in there so you can download that you can sheep dip the download that you downloaded it’s just a binary file it’s very very small so you can antivirus scan you can pull it to pieces in a hex editor if that’s what you really want to and then once you’re happy with the security of that you take that payload and you can apply it out of band to the appliance.

Now obviously I can’t talk too much about specific customers because especially those kind of customers it’s going to get me into a lot of trouble but I can confirm that we have some customers in some very very interesting situations in terms of updates and Runecast is the only option for them to do these in these situations.

Guest RG 21:31                That’s fantastic and I personally Kev, I don’t think I realised that you were turning around those security update validations as quickly as that, I mean it it’s almost an antivirus pace. So you got your antivirus you invest in that but to have that same capability for configuration guidelines, best practise changes and more importantly information security or critical information security knowledge base articles, that’s just amazing.

Guest KJ 22:00                 I didn’t actually realise how often knowledge base articles were updated until I saw what we see from our AI that’s kind of monitoring all these sources it’s a lot more rapid than I previously thought and I used to work at VMware so I have some insight into how that kind of worked, it’s amazing.

Guest RG 22:18                I guess it’s no use VMware keeping on top of their configurations and providing the updates rapidly if the customers don’t realise that they’re there and more importantly don’t then act upon them either.

Guest KJ 22:29                  This is the thing, nobody ever looks at the knowledge base until they’ve got something that’s broken and this was the one problem that Runecast Analyzer was originally built to solve. We’re going to scan, we’re going to make sure that all of those risks in your environment are being scanned against the knowledge base so that we can tell you about them make you aware of them so you can remediate those issues before you have these purple screens of death, before you have these security vulnerabilities so we get a lot of really really good feedback the fact that we’re now pushing out these updates every week we get a lot of good feedback on that as well.

Host 23:09          That’s brilliant, having something that’s learning day to day on the industry that you work on is just, I mean it’s insanity isn’t it. So earlier on I asked is adopting the hybrid cloud the end of the journey and i guess the short answer is no, reaching the hybrid cloud is like reaching the next level. By adopting a solution such as running workloads on-premises and in the VMware cloud software-defined-data-centre or by moving to VMware Cloud on AWS, you’ve powered up and have a much stronger toolset than before, but the story  keeps going and you have to keep nurturing your investment to ensure that you’re getting the most out of it and reaching your goals.

Monitoring your investment and getting solid insights lets you know the best places and ways to feed and water it which helps you reach strategic targets significantly faster. The Runecast Analyzer tool gives you the ability to see all of these wins and stay as risk free as you see fit and compliant to keep you playing by the rules. Of course, once you’ve identified what you need to do and improve or if you found some chinks in your armour Xtravirt are on hand as a trusted guide to help you to the next level.

Adopting the hybrid cloud can be a big step for your business and there are potential pitfalls but by using the right tools and with the right help you can avoid them without even breaking a sweat.

Host 24:23          I thank you so much it’s been an absolute pleasure. Kev if anyone wanted to speak to you or learn more about Runecast how would they go about doing that?

Guest KJ 24:32                 To learn more about Runecast it’s really simple www.runecast.com you can sign up for a free trial there. There’s a whole contact us page there’s some case studies there’s a free online demo if you just want to go to the demo and see what the interface looks like demo.runecast.com but if you want to get hold of me you can get me on twitter @Kev_Johnson or you can email me if you really want to but believe me Twitter is the best way to get hold of me but my email is kevj@runecast.com.

Host       Robin how about you, have you got any closing statements for us?

Guest RG 24:05                yes so I think this is one area that loads of organisations think that they are doing operational management well and I suspect a good number of them would be quite surprised at the results of a Runecast scan or an Xtravirt health check.  If you’re interested in Xtravirt managed services then you can go to Xtravirt.com/XMS,  best way to get to me is LinkedIn so Robin Gardner Xtravirt, then I’ll come up and am really quick to respond there.

Host 25:40          if you’d like to find out more about cloud insiders you can find us on Twitter @cloudinsiders and you get hold of us on team@cloudinsiders.com and you can get hold of our episodes on cloud insiders.fm or you can go to iTunes, Spotify, iHeartRadio, Google podcast anywhere that you get your podcast really, and we’ve got all the episodes up on YouTube.

Thank you so much it’s been an absolute pleasure talking to you and it’s been hugely insightful.


Author picture

Robin Gardner

Sales & Strategic Services Director

Author picture
Kev Johnson
Systems Engineer, Runecast

and your host

Author picture

Stuart Robinson

Digital & Creative Manager

Get it first

Sign up to the Cloud Insiders newsletter and get all new episodes before anyone else