Hybrid Cloud Security: Challenges and Benefits
Published: April 17, 2019
Hybrid cloud security: It's complex but doable.
No assessment of your IT compute and storage strategy would be completed without evaluating the pros and cons of hybrid clouds. Combining the customizability and administrative control of private clouds with the convenience and scalability of public clouds, hybrids offer the best of both worlds.
As with public and private cloud models, running a hybrid environment raises important security questions. And because hybrid clouds can get pretty complex, addressing security issues is anything but easy. It requires having a firm understanding of all the components in the environment and how each of them is secured, as well as figuring out how to bring some level of uniformity to the entire infrastructure.
Perhaps most importantly, securing the hybrid cloud requires an understanding of risk so the organization can manage it properly. Companies need an application management strategy that takes into consideration which data and application requires what level of security – the more sensitive the data, the tighter the security controls.
Address the Basics
A hybrid cloud makes it possible to share data and applications between public and private clouds, allowing organizations to scale their infrastructure as demand fluctuates. You can dial capacity up or down as needed without making significant capital investments in the on premise infrastructure.
The biggest obstacles to successfully running a hybrid cloud environment are management and security. These two factors go hand in hand because if one doesn’t work properly, neither will the other. And this means visibility and monitoring are absolutely critical to securely running a hybrid cloud environment. You can’t manage or secure what you don’t see.
Visibility is critical of course, but don’t ignore the basics. All of the security “must haves” need to be in place to protect the hybrid environment, including well-defined data access policies, preferably with multifactor authentication and least privilege rules. Other controls such as encryption for data transfers, content filters, endpoint protection and patch management also need to be in place.
Remember that a lot of security threats aren’t specific to one cloud or the other, be it public or private. Credential theft, malware and Denial of Service attacks are a risk to any IT environment, and therefore should be addressed uniformly across the entire infrastructure.
One of the sad but true realities of running IT environments at a time when cybercrime is becoming a $2 trillion industry is that no IT environment is 100 percent secure. No matter how diligent a company is in implementing all the necessary security solutions, best practices and policies to protect their data, there’s always a possibility that a breach can occur in some part of the infrastructure.
Threats evolve constantly as hackers identify new vulnerabilities and refine their methods to target victims through phishing, social engineering and other methods. This is a big reason why more and more organizations are taking a risk management approach to security, much as they do with other business risks.
Risk-based cybersecurity requires a comprehensive assessment of threats facing an organization in order to develop a robust security posture. Visibility plays a key role here as well. You need to monitor all movement in, out of, and within your environment. A 360-degree view into the environment and round-the-clock monitoring allows you to respond swiftly and decisively to threats and anomalies. Without visibility, you’re at a serious disadvantage, potentially making it easier for cybercriminals to target your organization.
As part of risk governance, access to sensitive data such as personnel records and trade secrets should be restricted to only the users who need it for their jobs, whether the data resides in a public or private cloud . Even those with privileged access must be subject to programmatic and continuous monitoring. Companies sometimes are too liberal with user privileges or fail to revoke access to sensitive data for users who move on to other jobs, creating added risk.
Accept Shared Responsibility
Securing a public cloud is a shared responsibility between an organization and its cloud providers. You not only have to do your part in securing the environment but also make sure the providers are doing theirs. You need assurances they have adequate security controls for the data you are trusting to the cloud, and that providers are updating their technologies as needed to keep up with the latest threats.
Remember that there’s never a finish line with cloud security because data handling requirements are dynamic and threats are always evolving. Periodically reassessing your business objectives will inform your future decisions about which cloud approach is best – public, private or hybrid. And, regularly quantifying your security posture enables you to better determine if you have the appropriate controls in place for your hybrid cloud environment.
Click here for more information on how we can help you build a cloud security strategy.