Understanding hybrid cloud security across your enterprise

Hybrid cloud security is vital as enterprises continue to develop their hybrid cloud services, since more sensitive information has the potential to become exposed. Discover how enterprises are approaching their hybrid cloud security protocols as their hybrid clouds develop and expand.

Is perimeter security enough today?

Businesses continue to embrace the power and flexibility of the hybrid cloud. Ensuring these networks are secure is paramount. Used to securing siloed data, and managing secure logins for applications, CTOs and their teams have had to embrace a brave new world. In this new security environment, sensitive information can be outside of their enterprise’s firewalls. Here, a robust hybrid cloud security policy is critical.

In a hybrid cloud security environment, there are particular threats that CIOs and CTOs must be aware of, but the hybrid cloud doesn’t necessarily bring with it a new set of security issues to mitigate and defend against.

Data breaches, ransomware, phishing attacks and BEC scams are a present danger to traditional networks. Moving to a cloud environment may potentially amplify the attacks. It is, however, a mistake to think that the hybrid cloud necessarily brings new and unique threats. Security should be treated as all-encompassing no matter what kind of cloud services are in use.

Also, enterprises often believe that once a hybrid cloud is set up, responsibility for hybrid cloud security shifts to the vendor or service provider.

Research in the report ‘Cloud and hybrid environments: The state of security’ from Algosec concluded that 58% of respondents use the cloud provider’s native security controls to secure their cloud deployments.

In the same research, 44% said they also use third-party firewalls deployed in their cloud environment (specifically Cisco Adaptive Security Virtual Appliance, Palo Alto Networks VM Series, Check Point vSEC, Fortinet FortiGate-VM and Juniper vSRX). This created a mixed estate of traditional and virtualized firewalls, and cloud security controls.

The reality is that a close partnership must be developed to ensure network-wide security is maintained. Often, this will mean a symbiotic relationship developing that ensures your business understands which components of the hybrid cloud security you must maintain.

Justin Dolly, Chief Security Officer and Chief Operating Officer at SecureAuth told Silicon: “Companies need to ensure they completely understand any end-user license agreements, master services agreements (MSA) or other legal contracts that can be maintained with the cloud services vendor. While it’s difficult to absolutely ensure that the cloud services company will maintain proper security controls (or will not share, sell, or mine the data), legal contracts must have language that ensures the data is protected to the same level or better than the client company would. There should also be legal (monetary) implications should the vendor not maintain this level of trust or security.”


Hybrid cloud security will always need to be multifaceted, as the components of a hybrid cloud deployment can be massively dispersed. CIOs and CTOs must ensure they have full sight of their potential threat landscape to identify any potential security weak spots.

Managing risk

One of the strongest methods in hybrid cloud security is least-privilege access. Here, only those workers who need access to specific areas of the network can use specific tools.

This, in turn, connects to specific datasets. Endpoint security should also be maintained. The fact that these endpoints expand in a hybrid cloud infrastructure should mean the endpoint security protocols expand accordingly.

Data is often the target of malicious attacks. In a hybrid cloud environment, full data encryption should always take place as data moves between the public and private components of the cloud. Full data backup should also be included in your security policy, as cyberattacks can result in losses of data that will need to be recovered.

‘The State of Securing Cloud Workload’ from last year found that 75% of respondents expect to see an increase in the number of security tools they rely on in the next year, while over half say they still manually configure security policies.

451 Research senior analyst Fernando Montenegro wrote: “The pace of innovation in cloud-native environments places a significant burden on traditional security practices. Not only is there a need to support new technology options – quickly moving from traditional virtual machines to containers, serverless, and newer constructs such as service mesh – but there is also a difference in how security and DevOps teams consider their needs and workflows.”

Speaking to Silicon, Brian Foster, Senior Vice President Product Management at MobileIron said:

“Moving to a hybrid cloud environment will require an entirely new security mindset. In order to protect against this added threat, organisations will increasingly be forced to adopt a zero-trust model that seeks to scrutinise every single possible point of access. Zero-trust applies a ‘never trust, always verify’ approach to every entity associated with an organisation’s network, as well as seeking to verify the context, before granting secure access to the network. This ultimately gives organisations the visibility, control and protection required to successfully secure a hybrid cloud environment.”


This change of mindset will ensure that each component of the hybrid cloud your business has deployed, or is about to deploy, will have security as a foundation. Your overall goal should be to look closely at use cases and develop a security regime that meets the needs of users without being burdensome.

Hybrid threat surfaces

CIOs and CTOs often point to the lack of visibility across the entire hybrid cloud network as a major cause of their hybrid cloud security concerns. The expansion of network access points, which are often off-premises, as enterprises embrace more flexible working structures, has raised the potential security threat level.

Another major security issue for CTOs, in particular, is that they will in many instances buy several hybrid cloud security products from different vendors. As they build their hybrid clouds, each vendor’s specific hybrid cloud security applications have to be supported, maintained and integrated with any others that are already in place. This potential fragmentation of the hybrid cloud security protocols can reduce the overall resilience of the hybrid cloud network as a whole.

Firemon, in their report ‘The State of Hybrid Security 2019’, revealed that 60% of respondents stated that deployment of their business services in the cloud has accelerated past their ability to adequately secure them in a timely manner. The survey data suggest a rising trend of enterprises inadvertently introducing complexity into their environments by deploying multiple, disparate solutions on-premises as well as across multiple private and public clouds.

The complexity that hybrid cloud brings to a business or organisation has meant a steady adoption of more automation across the hybrid cloud security touchpoints. “We’re seeing an increase in demand from CIOs who want to use automated systems to manage their hybrid cloud storage deployments,” said François Amigorena, CEO and Founder of IS Decisions.

“This is particularly evident when it comes to data protection. CIOs want technology that can proactively track, audit and report on all access to files and folders — no matter if that access was on on-premises storage or third-party cloud storage like Dropbox for Business, Google Drive, or Box.”


Aatish Pattni, Director of Security Solutions, EMEA, CenturyLink also commented:

“As organisations continue to embrace hybrid cloud, strategies and solutions within this space will also evolve rapidly. At CenturyLink, we are seeing several interesting developments: 1) traditional security technologies continuing to automatically extend to cloud infrastructure automation and SDN integration 2) new security offerings embedded into both the application and data layers independent of the underlying cloud or premise infrastructure 3) services focussed on automatic policy governance that are natively integrated into both cloud and network infrastructures and 4) protection capabilities that directly integrate with leading SaaS applications to prevent data loss, malware propagation and account take over.”

Lock and key

The approach your business takes to security when developing and deploying a hybrid cloud network will be specific to your precise needs. IDC found that 80% of the 400 IT decision-makers they interviewed were moving some data and applications away from the public cloud to mitigate security threats.

And these risks continue to be real, as the ‘Cloud Adoption and Risk Report 2019’ from McAfee concluded: “Security incidents are no longer isolated to PCs and applications on the network, owed primarily to the scale of corporate data stored in the cloud today as well as the sheer number of events taking place in the cloud.

The average enterprise organization experiences 31.3 cloud-related security threats each month, a 27.7% increase over the same period last year. Broken down by category, these include insider threats (both accidental and malicious), privileged user threats, and threats arising from potentially compromised accounts.”

What does a hybrid cloud security policy look like?

“In a hybrid cloud environment, the transference of risk becomes even more challenging as differences in provider APIs could easily introduce misconfiguration which is hard to identify,” said Tim Mackey, a principal security strategist within the Synopsys CyRC (Cybersecurity Research Center). “It is precisely the combination of cloud perimeters, ownership of risk, and configuration which defines the overall security perimeter for an organization. Given the goal of reduction of business risk is a key function within CIO/CFO/CISO roles, understanding the impact of privacy, data retention, data sovereignty, and security policies become.”


In essence, your security policy must be multifaceted to combat and mitigate the threats that your business’s hybrid cloud deployment faces. Your policy should include action for when accounts are compromised by a third party; for insider threats, whether innocent mistakes or malicious attacks; and for privileged user threats, ranging from an administrator accessing data in an executive’s account to modifying security settings in a way that unintentionally weakens security.

Silicon in Focus

Liviu Arsene, Senior E-Threat Analyst, Bitdefender.


Liviu Arsene has worked closely with cross-company development teams, as his past Product Manager role involved understanding Bitdefender’s technology stack. Reporting on global trends and developments in computer security, he focuses on malware outbreaks and security incidents while coordinating with technical and research departments.

What are the key challenges when deploying hybrid cloud security?

Some of the biggest challenges with hybrid cloud security deployment revolve around:

  • Visibility and control
  • Compliance
  • Data security
  • Supply chain security

For example, visibility and control can be difficult to achieve when you’re using a mix of public clouds along with your internal cloud. Administrators will find it difficult to secure and manage environments scattered across various infrastructures if they don’t have the right security tools that can automatically find and secure those environments while offering single-pane-of-glass visibility across the entire infrastructure.

Compliance is also challenging as stored data usually falls under the legal jurisdiction of the state or country in which it’s being stored. Consequently, knowing exactly what that data is and where it’s being stored can help build compliance, while failure to do that may incur strict penalties.

Of course, securing data both in transit and at rest is also something vital within hybrid infrastructures, as data flowing between private and public clouds may be subject to eavesdropping or tampering.

Lastly, constantly evaluating the software in use or performing security audits of suppliers can help organisations avoid or even identify supply chain attacks that leverage third-party access.

What are the current pressure points CIOs are feeling around hybrid cloud security?

Some of the biggest pain points for CIOs when it comes to security aspects of their hybrid clouds revolve around multi-cloud environment visibility and the use of different toolsets, nomenclature and taxonomies.

For example, organisations that use more than one public cloud provider will have a hard time getting a full picture of how their overall cloud environment is operating or how it is secured.

The use of different standards and tools for each public cloud provider doesn’t help the process either, as it sometimes involves having a dedicated staff that knows how to operate them, which in turn means increased operational costs. Also, if one blunder should happen in multi-cloud infrastructures, without proper visibility it increases the time associated with identifying and fixing it.

How are CIOs developing hybrid cloud security environments for their DevOps?

Securing hybrid infrastructures for DevOps is all about having the right strategies, policies, processes, and technologies in place to make sure that DevOps run their operations without having productivity and efficiency crippled by strict security.

One way of going about this is to make sure that security integrates – without affecting performance – with your existing DevOps tools and environments, such as containerisation and orchestration tools, that span across your hybrid infrastructure.

Of course, it’s best both to consider baking security into development processes via APIs in order to improve development cycles and also to consider security either for containers or at the source via the underlying hypervisor-enabled infrastructure that makes virtualisation possible.

How has GDPR impacted on hybrid cloud security?

Some of the biggest challenges brought forward by GDPR on hybrid cloud infrastructures revolve around understanding the cloud architecture and technologies provided by the cloud service provider.

This level of understanding ensures privacy by design, what types of metadata are collected by the cloud provider and how they’re being used. Also, these insights assess to what extent the cloud provider is able to comply with your IT security requirements in order to ensure that it’s taking privacy measures in line with your own.

Basically, what GDPR has done is make companies have a better overview of their data lineage and accountability, regardless of where that data is stored.

How has the security perimeter shifted as businesses expand their use of the hybrid cloud?

The security perimeter has naturally extended as businesses have expanded their use of hybrid cloud, especially regarding perimeter control and visibility.

If on-premise was somewhat easy to manage in the sense that perimeter control could have been tightly locked down and regulated if needed, the hybrid model places more focus on securing in-transit and at-rest data, more granular control over access and authentication, and more visibility and security in terms of managing workloads. The hybrid cloud perimeter is now a matter of logical security, rather than physical.

Are CIOs using more automated security systems to manage their hybrid cloud deployments?

Automation for hybrid cloud security is becoming increasingly popular and more necessary, as IT and security staff are both overburdened and overworked. Security automation is also fuelled by the current skill gap and security workforce shortage, which pushes organisations and CIOs to address the gap with technologies designed to alleviate some of that pressure.

An added benefit of automated security systems is that they can also reduce operational costs usually associated with staff, while allowing current IT and security teams to focus more on the strategic impact of deploying new security technologies and increasing the overall cybersecurity resilience of the organisation to attacks, rather than having them constantly put out fires.

How do you expect hybrid cloud security to evolve?

Security is constantly evolving to both counter the ever-increasing number and complexity of threats, and to accommodate new technologies that streamline operational efficiency.

Regardless of what type of infrastructure organisations have – on-premise, cloud, or hybrid – security needs to become an enabler for maximising the efficiency of those infrastructures and not an inhibitor.

A capable security solution must:

  • Automatically identify the type of workload you’re trying to secure.
  • Identify where it’s located within your infrastructure.
  • Offer complete, single-pane-of-view visibility across the infrastructure regarding the organisation’s security status.

The right security solution for hybrid environments needs to factor in performance, automation, and simplified management without sacrificing or compromising on any aspect of security.