Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting. While security fears are declining as cloud matures, security remains an ongoing challenge that needs to be managed in any organization. And a hybrid cloud environment comes with its own particular set of security considerations.
“Hybrid cloud environments are dynamic and complex, further complicated by multiple end-users accessing multiple environments from multiple locations,” says Christopher Steffen, CISSP, CISA. Steffen is technical director at Cyxtera, which recently acquired security firm Cryptzone, Steffen’s previous employer.
We asked Steffen and other security experts to discuss the key things CIOs and their teams must keep in mind when securing their hybrid cloud environments. Here are eight items to prioritize:
1. Ensure you have complete visibility.
Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.
Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.
2. Every asset needs an owner.
If you lack 360-degree visibility, you probably lack ownership. Every piece of your hybrid cloud architecture needs an owner.
“A key tenet in IT security is having an owner identified for every asset, and having the owner responsible for least privilege and segregation of duties over the asset,” Goerlich says. “Lack of visibility results in a lack of ownership. This means, quite often, hybrid cloud environments have loosely defined access controls and often are without segregation of duties. Excessive permissions introduce risk, and unowned risk is unaddressed risk.”
3. Hybrid cloud? Try hybrid security.
As IT has increasingly become a driver of overall business strategy rather than mere service organization, the hybrid cloud model has grown as an enabler of that shift. In similar fashion, modern IT requires rethinking some old security paradigms – hybrid security, if you will.
“Strategies around security continue to evolve, and many companies are adopting a hybrid approach to build more layers and depth to their security infrastructure,” says Biscom CEO Bill Ho. Some of your security technologies might reside on-premises, while others now make more sense to run outside of the corporate network.
“There are good reasons to have certain security tools and applications on-premises – such as desktop antivirus, DLP, firewalls, as well as IDS/IPS systems,” Ho explains. “Some of these are available as cloud services, and some have components that are in the cloud while an appliance or application runs on-premises. Some services are best handled in the cloud, outside your network such as services that help mitigate DDOS attacks.”
4. Security and compliance: Connected but not the same.
A fellow security pro once shared this axiom with Steffen: “You can have security without compliance, but you will never have compliance without security.”
Don’t confuse the two as synonymous, especially if your organization is just now migrating to a hybrid cloud model. Treat compliance as an important but discrete part of your cloud security strategy.
The good news, according to Steffen: “Compliance in a hybrid / multi-cloud environment doesn’t have to be a barrier to cloud adoption.” In fact, he says many of your on-premises controls can be cross-applied to your cloud environments. There is, of course, a “but:”
“It is critical to understand the existing controls used by the cloud provider, and how they mesh with your company’s existing controls,” Steffen adds. “It could be that [your] company will need to make minor procedural changes to adhere to the controls used by the cloud provider. But it could also mean a fundamental shift in the company’s [previous] security strategy. Conducting a compliance controls evaluation before selecting a cloud provider or security vendor is a must.”
5. Do your tools play nicely with others?
Steffen advises asking: How does a particular cloud provider and the security tools they are using integrate with the tools your company uses? He says that many tools integrate quite well together, but if your enterprise uses a security toolset that doesn’t play well with outsiders, you could be in for headaches. Look for platforms (and tools) that play well with others: “Cloud providers and security vendors should provide simple integrations with your existing on-premises platform and tools.”
6. Do your homework on vendors.
We know – you’ve heard this one before. But as Steffen's advice on compliance and integration reminds us, securing your hybrid cloud environment does depend in large part on knowing and understanding the platforms you’re working with. (Prerequisite: See #1 on visibility.)
Ho, the Biscom CEO, says that strong cloud providers can actually deliver upside in terms of expertise that your internal IT security teams may lack. For example, they may be better-equipped to monitor for potential threats, such as a zero-day attack, in real-time. But that’s obviously not a given.
“As with any cloud service, you'll want to vet the provider,” Ho says. “Look for certifications, understand their policies and understand the risks of opening up your network to theirs, and review reports on processes, such as a SOC 2 Type II report.”
7. Scale communication for the hybrid model.
“Hybrid cloud brings scalability concerns with regards to communication,” Goerlich says. This, again, is often a byproduct of a lack of visibility and ownership, and it may be especially true in organizations that use a multi-cloud, multi-vendor strategy.
Clear communication is a significant part of a strong security posture, especially when it comes to new vulnerabilities or incidents. It’s an area that IT leaders need to adequately address, not only internally but also with vendors and other third parties.
8. Do ongoing risk assessment.
Building out a hybrid cloud environment with security top of mind from the outset is a great first step – but it remains a first step. Securing a dynamic hybrid cloud environment involves ongoing risk assessment, Goerlich says.
“Another way organizations identify vulnerabilities and security concerns is through risk assessments,” Goerlich says. He shares three examples:
- Vendor risk management, which is sort of like ongoing due diligence, can “highlight which vendors provide which services, and then inquiry into those vendors on their security program.”
- Software composition analysis can “highlight which third-party libraries in the code [might] compromise the application we built.”
- Technical vulnerability assessments and penetration testing can “bring further insight into the current security posture. This has to be done, today, in a segmented approach due to the scope and scale of the hybrid cloud technology organizations rely on.”
Keep security growing
As your hybrid cloud strategy grows, so should your security planning.
“Know what we have, know who owns it and who can access it, have clear communication channels, break it into segments, and risk assess. One thing at a time,” Goerlich says.
“We can be successful by focusing on the technologies that matter most to the organization, those that support critical business strategy and functions. As hybrid cloud scales up the technologies we consume, so too must leaders scale up the prioritization and collaboration in security.”
[ Are you ready to address cloud security concerns? Get our concise guide: Hybrid cloud security: 5 questions skeptics will ask. ]