Spanning the vast universe of public cloud and the on-premises systems that still handle the bulk of IT operations,...
hybrid cloud is complex. And, for many enterprises, much of that complexity revolves around security.
According to Alert Logic's 2017 Cloud Security Report, hybrid cloud networks experience, on average, more than double the security incidents as public cloud installations. Part of the reason a hybrid cloud deployment can introduce security challenges, said Greg Schulz, founder of IT consulting and advisory firm StorageIO, is its many moving parts.
"You generally have more points of networking, connectivity and authentication [in hybrid cloud], all of which need to be managed," Schulz said.
Many hybrid cloud security risks lurk in the handoff points between the private and public infrastructure, said Mark Rapley, director of operations at KWIC Internet, a service provider. In a hybrid cloud deployment, both private and public resources need access to full data sets, which heightens the need to protect communication between these resources.
"Hybrid cloud introduces a single pressure point that can potentially endanger sensitive information," he said.
Another common challenge with hybrid cloud security is a lack of consistent policies and processes across the disparate infrastructures, said Doug Cahill, analyst at Enterprise Strategy Group (ESG).
"This issue is, in large part, due to the fact that 70% of organizations currently use … one set of controls for their on-premises infrastructure and another for their public cloud footprint," Cahill said, citing recent results from an ESG research survey. Fortunately, many enterprises also seem to recognize this problem: 70% of participants in the same ESG research study indicated they plan to unify security controls across their hybrid cloud over the next 24 months.
But that change alone won't address all hybrid cloud security challenges. For example, another fundamental issue that IT teams must address is the evolution of network security controls. Many legacy controls won't be able to secure public cloud infrastructure, as users don't have access to the physical network.
"As such, a workload-centric approach to secure a company's public cloud footprint is required," Cahill said.
Additionally, hybrid cloud security is often problematic because of the various customizations and one-off configurations IT teams need to make to connect on-premises and cloud workloads, said Andras Cser, vice president and principal analyst at Forrester Research.
Overcome these challenges
April C. WrightSecurity and compliance risk management consultant, Architect Security
Despite these lofty challenges, there are ways to ensure your hybrid cloud deployment is secure.
Many of the tried-and-true security practices IT teams have implemented for years, such as zero-trust models and data encryption, are just as critical -- if not more so -- in hybrid cloud.
Hybrid cloud does, however, demand new security practices as well. For example, enterprises need to establish clear boundaries between their security responsibilities and those of their cloud provider, said April C. Wright, security and compliance risk management consultant at Architect Security. In the event either party detects unusual network traffic or other potential risks, there should be clear lines of communication and action.
"You can avoid a lot of problems by better planning and integration," she said.
Don't get stuck in your ways
A public cloud platform includes default security settings -- some of which might be more effective than what your organization has implemented on premises, Schulz said. Don't, out of habit, seek to change those default settings to mirror what you have on premises without first weighing your options. Otherwise, you could put yourself at risk.
While there many security tools on the market that can also help protect hybrid cloud workloads, there's no magic fix at the end of the day, Schulz said.
"You may have to tweak and glue and create some scripts as part of the setup," he said.
Security as a culture
To fully protect their hybrid cloud, enterprises require a cultural shift just as much as a technical one.
"The biggest mistake organizations make when building their cybersecurity program is they build it to impress the auditor and not to stop the attacker," said Avani Desai, principal privacy leader at Schellman & Company, a security, privacy and compliance assessor. Rather than view cloud security as a check-box item, incorporate security into the initial design of the hybrid cloud deployment.
"Once organizations start this process and begin to think from the hacker's point of view proactively, you will see an increase in the security and privacy posture of organizations and a decrease in the impact of breaches to the users," Desai said.
One way to infuse security early on in the hybrid cloud planning process is through DevSecOps, Cahill said. This automates the application of security checks and controls in development, test and production environments.