Enterprise cloud security best practices for locking down your cloud
Despite the appeal of using public cloud, some IT admins are concerned about turning over all their production applications to a third party or losing their substantial investment in on-premises infrastructure. In such cases, a hybrid environment can capitalize on the benefits of both public and private cloud.
Hybrid cloud security issue 1: Lack of data redundancy
Public cloud providers commit significant resources to ensuring the infrastructure is available and accessible when end users need it. In spite of a cloud provider's best efforts, problems are inevitable.
Well-publicized outages highlight the risk of running your applications in a single data center without failover to another. Cloud architects need redundancy across data centers to mitigate the impact of an outage in a single data center. A lack of redundancy can become a serious security risk to your hybrid cloud, specifically if redundant copies of data are not distributed across data centers. It's easier to move virtual machine (VM) instances between data centers than to move large data sets.
Cloud architects can implement redundancy using multiple data centers from a single provider, multiple public cloud providers or a hybrid cloud. And while you can improve business continuity with a hybrid cloud, that shouldn't be the only reason to implement this model. You could save costs and attain similar levels of risk mitigation using multiple data centers from a single cloud provider.
Hybrid cloud security issue 2: Compliance
Maintaining and demonstrating compliance can be more difficult with a hybrid cloud. Not only do you have to ensure that your public cloud provider and private cloud are in compliance, but you also must demonstrate that the means of coordination between the two clouds is compliant.
If, for example, your company works with payment card data, you may be able to demonstrate that both your internal systems and your cloud provider are compliant with the Payment Card Industry Data Security Standard (PCI DSS). With the introduction of a hybrid cloud, you have to ensure that the data moving between two clouds is protected.
Additionally, you'll need to ensure that card data is not transferred from a compliant database on a private cloud to a less secure storage system in a public cloud. The methods you use to prevent a leak on an internal system may not directly translate to a public cloud.
Hybrid cloud security issue 3: Poorly constructed SLAs
You may be confident that your public cloud provider can consistently meet expectations detailed in the service-level agreement (SLA), but can your private cloud live up to that same SLA? If not, you may need to create SLAs based on expectations of the lesser of the two clouds -- and that may be your private cloud.
Collect data on your private cloud's availability and performance under realistic workloads. Look for potential problems with integrating public and private clouds that could disrupt service. For example, if a key business driver for the private cloud is keeping sensitive and confidential data on-premises, then your SLA should reflect the limits to which you can use public cloud for some services.
Hybrid cloud security issue 4: Risk management
From a business perspective, information security is about managing risk. Cloud computing (hybrid cloud in particular) uses new application programming interfaces (APIs), requires complex network configurations, and pushes the limits of traditional system administrators' knowledge and abilities.
These factors introduce new types of threats. Cloud computing is not more or less secure than internal infrastructures, but hybrid cloud is a complex system that admins have limited experience in managing -- and that creates risk.
Hybrid cloud security issue 5: Security management
Existing security controls such as authentication, authorization and identity management will need to work in both the private and public cloud. To integrate these security controls, you have two options: either replicate controls in both clouds and keep security data synchronized, or use an identity management service that provides a single service to systems running in either cloud. Allocate sufficient time during your planning and implementation phases to address what could be fairly complex integration issues.
Implementing a hybrid cloud introduces more than just technical challenges; IT admins also need to address security issues. Once you understand and master these five hurdles, hybrid cloud could offer more reward than risk.
Dan Sullivan, M.Sc., is an author, systems architect and consultant with over 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.