Hybrid cloud environments give companies the best of both worlds. They offer the elasticity and operational expenditure of public clouds with the data sovereignty, security and control found in a private cloud environment. By combining the two, companies can allocate workloads to the environment that makes the most sense for them.
As organizations build these environments, hybrid cloud security is crucial. According to Cybersecurity Insiders’ “2018 Cloud Security Report”, nine out of 10 cybersecurity professionals say they are concerned about cloud security. This is up 11 points from last year’s survey.
Securing these environments can be time consuming, but luckily, you don’t have to start from scratch. Adhering to these seven key pillars for a hybrid cloud security strategy will make sure you get great results with less stress.
1. Approach hybrid cloud security as a shared responsibility.
Companies should approach hybrid cloud security as a joint endeavor with their cloud service provider. Assuming the cloud partner will take care of everything once the data leaves the on-premises systems is a recipe for oversights and errors. Even with the best-equipped hybrid cloud provider out there, maintaining security still requires a proactive mindset.
For example, administrative staff could accidentally expose sensitive records through a simple misconfiguration of a public cloud environment. According to GCN, misconfigured data buckets left the voter information of hundreds of thousands of individuals exposed in 2018.
Without proper security efforts, one misstep can jeopardize a company’s reputation and consumer trust.
2. Standardize processes.
Companies that use different processes for public and private cloud environments, or that fail to implement processes, risk introducing disparities that could lead to manual errors and potential security loopholes. These processes will likely be unique to an organization’s needs, but some general best practices apply.
For example, an organization could ensure that administrators follow the same security procedures in a public cloud environment as they do with on-premises systems and check that public cloud assets are properly password protected. For example, developers may leave database administrative accounts with default settings in an on-premises development environment, but forget to change the credential settings when they take the databases live in the cloud. This oversight can lead to some serious data breaches.
Formalizing processes to manage assets, such as databases, as they pass between on-premises and cloud-based environments will help organizations avoid problems like the large-scale exposure of sensitive customer records in cloud-based systems.
3. Configure secure tools and processes for the cloud.
Companies can reduce the likelihood of human error and inconsistent administrative approaches by codifying these secure processes into automated workflows. In the case of software development and deployment, a common use case in hybrid cloud environments, secure DevOps (DevSecOps) practices can be a game changer.
Secure DevOps enables security professionals to build automatic gating checks into software development, forcing code through a series of tests that it must pass before being deployed. Automated tools can also securely manage the provisioning and teardown of virtual development and deployment infrastructure so that stray virtual machines and storage buckets don’t become a security liability.
4. Verify everything everywhere.
Hybrid cloud computing environments tend to blast through traditional network perimeters, as companies distribute workloads across different infrastructures and locations. This means conventional, perimeter-based protections no longer work. Instead, protect access to each virtual asset and data resource. Adopt a “never trust, always verify” approach to all computing resources across both infrastructures.
5. Manage access across hybrid environments.
A uniform identity and access management (IAM) framework can help protect assets in hybrid environments. Security teams might use various approaches to extend IAM across the entire environment, depending on their public and private infrastructures, including unified directories and SAML-based identity federations.
Ensure that this framework mirrors the concept of least-privilege access across both private and public clouds so that employees, contractors and other users only have access to the resources they absolutely need.
6. Ensure visibility and ownership.
One danger in dealing with two different environments is that it can be difficult to get a comprehensive view of what’s happening across the entire infrastructure. Explore using a management system that can aggregate monitoring and asset management across both private and public clouds.
Ideally, administrators should be able to see both from a single dashboard. Security teams should also ensure that all assets and data across both environments have defined ownership. An individual or team should be responsible for them so that nothing falls through the cracks.
7. Protect data.
Data protection includes not only encryption, which should be standard in any hybrid IT environment, but also other techniques as well. These might be pseudo-normalization or tokens stored in public cloud databases that refer to sensitive data stored in on-premises systems.
Before beginning your organization’s hybrid cloud journey, think carefully about your long-term approach and what you will expect from your hybrid cloud environment in the years to come. By considering these seven pillars of hybrid cloud security, you can help your organization transition smoothly between on-premises and cloud environments.
Learn more by signing up to receive The IT leaders guide to the next generation cloud operating model, where you can learn how to perfect your journey to cloud.