As hybrid cloud infrastructures mature, so do the collective lessons learned from these implementations.
As always, we prefer learning from others rather than from our own mistakes – perhaps especially when it comes to security. So we polled a range of IT and security pros on the new and emerging security lessons becoming evident as hybrid cloud infrastructures grow up. Read on for their collected wisdom.
Everything old is new again...
Human fallibility is the ultimate security vulnerability: It’s still true in the hybrid cloud age. In hybrid cloud architectures, security risks and incidents, even those with an inherently technical root cause, can commonly be attributed to good old-fashioned people.
“The unique risks [of hybrid cloud] really get down to very specific examples of overexposure or breaches of proprietary data or restricted data,” says Ray Johansen, solutions architect and security practice lead at ShoreGroup. “It always points back to a lack of visibility or oversight.”
[ Are you ready to discuss cloud security concerns? Get our concise guide and learn from the experts: Hybrid cloud security: 5 questions skeptics will ask. ]
He shares an example of a customer that had inadvertently exposed its customer list, for example. Even though the list didn’t ultimately include sensitive data, it was still embarrassing for the company. And it boiled down to a lack of human oversight and intervention.
“While there was a technical failure of the overexposure, the real failure came from a lack of clear policy on what is legitimate data that can go out to cloud services, and, more importantly, what are the organization’s policies on what are approved or validated service providers,” Johansen says.
Without those policies and corresponding oversight, your people aren’t nearly as likely to understand the data with which they’re working – and ultimately responsible for protecting.
In fact, what we’ve mythologized as “shadow IT” – the provisioning and use of various cloud services without IT’s knowledge or oversight – is really just a trendy way of saying that an organization lacks the policies and processes necessary to limit people from their natural capacity for making mistakes, he says.
“We hear the term ‘shadow IT’ all the time, but all that is is a failure of the organization to state to different parts of the team that these are the services that we are going to consume and these are the services that we’re not going to consume,” Johansen says.
...Except for your old tooling: That’s just old
“Economics of business are requiring enterprises to turn to hybrid environments for the agility and operational efficiency necessary to compete. But often enterprises rely on old, outdated tools or separate, isolated solutions for the security of data in each individual environment,” says Mike O'Malley, vice president of carrier strategy and business development at Radware. “Transitioning to a hybrid environment requires an investment in configurations and solutions that are specifically built to secure hybrid cloud and manage new data security challenges across multiple environments.”
Automation is key, argues O’Malley, and he’s not alone. That’s because modernizing and automating security processes proves key to limiting those pesky human errors.
“Automation and orchestration are important because you remove the human element,” says Michael Colonno, senior solutions architect at Computer Design & Integration. “All important and repeatable steps to accomplish security are automatically set at the provisioning of workloads.”
Colonno notes multiple examples of companies or government agencies “forgetting” to encrypt data in a public cloud storage bucket, for example; that’s fundamentally a human mistake, and one that can be automated into obsolescence.
Every environment demands some attention
A move from a single, homogenous infrastructure to an architecture that spans private cloud, public cloud, and traditional on-premises or datacenter environments can deliver greater agility, scalability, and other benefits. But it also means your threat surface is now distributed. That’s reality, not an excuse.
“Organizations that are doing it right have taken stock of all the environments they are running in, so they have a full inventory of what needs protection,” says Tim Prendergast, CEO and co-founder of Evident.io. “They are building out a culture of security across the whole organization and putting an emphasis on protecting data, no matter where it lives.”
The general strategy here is to ensure proper visibility and ownership. You can divvy up the responsibilities as you see fit, but every environment needs a security champion.
Prendergast shares an example from a forward-thinking client: “One of our customers utilizes centers of excellence for various clouds so that those who are starting to work in those environments know who they can turn to for guidance and best practices.”