As growing numbers of enterprises adopt public or private cloud models, some IT leaders are already combining these solutions. Our cloud security survey shows that 64% of organizations currently operate a hybrid cloud model.
A hybrid model provides the benefits of choice and flexibility, allowing decision-makers to keep data in the most suitable environment for that data, be it from a computing or security perspective. However, concerns remain about data protection, security and compliance. How can IT leaders secure their hybrid cloud environments?
After the rush to cloud, most businesses view the hybrid route as the most pragmatic solution to meeting their business needs and securing valuable corporate data in the face of growing cloud breach risks.
However, this approach adds some complexity while delivering those benefits across supply chain, marketing, operations and other business areas. Recent IBM/Forrester research highlights that “One of the key findings is the continued importance of on-premises infrastructure, with 85% of IT decision-makers agreeing it is a critical part of their hybrid cloud strategy.”
The same research shows that 89% of IT decision-makers also “believe a hybrid cloud environment can both easily and securely store and move data and workloads, providing a secure and flexible strategy for today and tomorrow.”
They recommend adopting a hybrid cloud infrastructure strategy, while maintaining on-premises as part of a hybrid strategy for the foreseeable future. The key to success is managing a mix of public cloud, private cloud and on-premises as a holistic whole and maintaining on-premises viability through regular infrastructure refreshes.
Having backed the right horse in hybrid cloud, with typical examples mixing OpenStack and Amazon AWS, there are issues around hybrid clouds that must be managed as the provided services and data collide with reality. Hectic workplaces, hypergrowth of data among teams, the human factor and the risk of failing to understand who’s responsible for what across increasingly complex cloud footprints all create risk.
What is hybrid cloud security?
In theory, a hybrid cloud computing environment represents the best of both worlds , taking elements from both private and public cloud platforms. Organizations should enjoy the flexibility of being able to move between local private clouds and third-party public cloud services as and when needs and costs determine it necessary.
Hybrid cloud security is essential to ensure that data is protected wherever it’s stored and that applications and infrastructure facilitate this. Businesses shouldn’t blindly assume their cloud provider has robust security in place, as the responsibility for data lies with them. When you scrutinize the hybrid cloud use cases , it becomes abundantly clear why this is so vital.
The components of hybrid cloud security
The challenges associated with hybrid cloud security are complex and therefore require a multifaceted approach. No single technology can keep your data safe in this environment, so solutions must be set up to work alongside each other.
Components to put in place include: verifying identities to gain access, scanning for vulnerabilities, visibility of traffic to your cloud, microsegmentation to prevent hackers from moving laterally through the cloud, workload security and the management of misconfigurations.
Hybrid cloud security challenges to overcome
To fully secure your data, apps and infrastructure, there are a few hybrid cloud security challenges you need to address.
1. Maintaining visibility and control
Adoption of cloud services across the hybrid cloud creates complexity fast. The business needs to know what data is where, who has ownership of it and which services access it. Applying security and compliance rules across a hybrid cloud creates a challenge for CISOs, while CIOs need to paint a realistic picture to leaders who view the cloud as a digital panacea.
Ensuring visibility creates the ability to control the hybrid cloud and plan for future expansion. Creating a hybrid cloud based on a well-designed strategy will limit the chaos, but many companies find their cloud footprint growing in an ad hoc fashion, creating risks.
If it’s too late into the cloud adoption process, then an urgent cloud audit is essential to establish which services the business uses, how they’re managed and updated and who’s responsible for configuration, security and updates.
Most cloud services come with automation tools to simplify many of these tasks, and dashboards to highlight key metrics and issues, but verification of security aspects and compliance issues must be done manually to ensure the business is in control of its services and data from an audit perspective.
2. Ensuring compliance and governance
Once the audit is done, compliance and governance procedures can be assigned across the business to protect it from breaches and ensure all applicable laws and industry regulations are being followed.
When it comes to data sovereignty, the business must ensure that data doesn’t end up on foreign-based cloud servers unless they take appropriate safeguards. Where data is at risk or data standards are insufficient compared to the home country, severe penalties under GDPR rules or other schemes could be enforced.
Done manually, the combined compliance and governance effort is a major one, but hybrid cloud management tools are available to deliver largely automated governance, visibility and compliance and help support optimization across multiple clouds that can stretch over public and private environments.
3. Delivering data security
With the business aspects of hybrid and multi-cloud assured and under constant monitoring, the CISO and IT leaders can turn to data security. Check every cloud provider service level agreement (SLA) to see where responsibility lies and what your obligations are.
Some cloud providers offer a range of security tools to protect data, access and applications, but it’s up to the business to ensure data in transit across clouds or networks is secure. Some providers expect their clients to use their own choice of security tools that integrate with services, and these need to be kept up to date.
Encryption across services and networks is essential with trusted platform modules or other methods and on-device encryption to ensure that data can’t be accessed even if it’s intercepted in some way.
4. Mitigating human error
With the best hybrid cloud infrastructure and strongest security, there’s still the human element to be considered. People can make mistakes, internal actors could have malicious intent or users can perform actions they think help the business without authorization to do so.
Among the most challenging of these is shadow IT, where users start using cloud services on their own initiative which can create compliance risks, duplication of data and unmanaged use of services.
Training from on-boarding through to regular refreshers is essential to remind all workers of the risks of the actions, teaching them how to spot hybrid cloud security risks and ensuring colleagues are performing their work safely can all be imparted to build knowledge and reduce the risk of individual errors threatening the business.
As cloud adoption expands, and businesses integrate their data with a wider number of providers, the cloud environment will only get more complex. The earlier a business takes full control of the current systems and plans for expansion, the less risk there is of breaches and problems across the environment.
5. Data leakage
When it comes to data security, the responsibility lies with the owner of the data, meaning you as a business need to protect against any leakage. This can occur in a variety of ways, including corruption, destruction, improper access or legitimate loss, and it’s up to you to have plans in place to cover all of them.
Operating in a hybrid environment increases the risk and represents the opportunity for a secure private cloud to be shared to the public cloud. This can occur for two reasons, the first being an accident or oversight, while the second - with malicious intent - is also a concern.
Look carefully at the security protocols and practices put in place by your chosen cloud provider. Be on alert for any red flags that suggest they’re not being followed and make sure they’re being implemented for both on-premise data and that in the public cloud.
6. Insecure data transmission
The nature of data flows between the public cloud and the private cloud makes them vulnerable to eavesdropping or cyberattacks. The best defense against these breaches is robust encryption, whether or not they’ll be exfiltrated at a later stage.
IT managers can feel reassured when access to data is robustly controlled and encryption keys are ironclad. Utilizing hardware security modules and other cryptographic tools facilitate keeping data safe. If there were to be breaches during any transfer, then the repercussions would be less far-reaching, as hackers wouldn’t be able to decipher the information.
7. Supply chain risks
Large organizations are required to partner up with other businesses in order to achieve results. One such instance is your supply chain, which may well include smaller companies than your own that are vulnerable to security risks.
While you’re entirely in control of your own security team and can provide it with a large number of resources, visibility over the practices of those in your supply chain will be limited. This represents an opportunity for hackers, who can exploit vulnerabilities in the supply chain to target bigger organizations.
You must interrogate your partners’ protocols and test their practices in order to protect yourself. Ignorance is not an effective defense and the reputational damage as well as monetary losses at stake should not be underestimated.
10 hybrid cloud security best practices
Don’t overlook any potential threats to your hybrid cloud security, as just one vulnerability is all it takes. Follow these top ten best practices to be safe:
- Apply the principles of interoperability from the beginning of your rollout. That means the new platform will be able to communicate with legacy technology more easily than attempting to add this functionality later.
- Improve efficiency and remove the scope for human error by automating processes that occur on a regular basis. These may include creating logs and processing everyday security data.
- Regularly audit your environment to ensure there have been no breaches. Failing to do so can lead to a huge delay in remedial action should it be required.
- Apply least privilege access controls to your users, apps or devices, giving employees only the permissions they need to perform their roles and no more.
- Use the zero-trust principle to all new local servers, meaning they shouldn’t be allowed to join the hybrid infrastructure until they’ve been fully vetted.
- Standardize your security protocols across every cloud in the network to remove any ambiguity about what’s expected and required.
- Coordinate your encryption processes across every cloud in your network, so there’s never a chance of hackers finding a chink in your armor.
- Strengthen your endpoint security with microsegmentation, firewalls, and antivirus measures.
- Backup all data so it’s recoverable and keep it separate from the original so it can’t be compromised in the same way.
- Decide which assets are business-critical in conjunction with company stakeholders and discuss the potential threats against them to be best prepared to keep them safe.
Further Reading
Access the latest business knowledge in IT
Get Access
Comments
Join the conversation...