For many enterprises, hybrid cloud computing offers the best of both worlds; they can keep sensitive information on premises but also tap into the benefits of a platform like AWS. The unique hybrid cloud security challenges that come with that model, however, are not something to take lightly.
"Currently, there are lot[s] of holes in every aspect of hybrid cloud," said Dan Blum, principal consultant at Security Architects Partners.
The expansion of mobile and social apps, coupled with the ever-growing range of devices firms use to access information, has made IT security, in general, even more complex. Many businesses have deployed a web of security tools to address these challenges. Some use half a dozen tools or more to perform tasks such as endpoint authorization, malware detection and data encryption. Enterprises expend a lot of time, money and effort to link those tools into a cohesive whole and continually update that infrastructure to ensure they can beat the latest threats.
Public cloud vendors have taken similar steps to protect information housed in their data centers, running another half a dozen or more security tools. One of the biggest hybrid cloud security challenges is the integration of all of these disparate systems across on premises and the public cloud.
"Many of the high-profile security breaches occurred because hackers found a hole where two different systems intersected," said Marco Alcala, CEO at Alcala Consulting, Inc.
But given the complexity of these security systems, it's not always feasible to link them together. And since that work is so daunting, enterprises have searched for other ways to secure their hybrid systems.
One possibility is to replicate security controls in both public and private clouds and then ensure that data stays synchronized. This approach is possible but is also difficult because on-premises systems and cloud systems usually have antithetical designs. For example, many vendors built on-premises systems thinking that IT teams could ward off hackers once they tried to access the enterprise network. This means there weren't many security features built into products, such as OSes. Cloud vendors, on the other hand, often build security directly into OSes and other technologies.
When a company uses one vendor's tool in both the cloud and on premises -- such as Microsoft's Active Directory for user authentication -- the task becomes a bit simpler because the vendor takes on much of the integration work.
VMware has worked with public cloud vendors to connect its on-premises systems to the public cloud. VMware Cloud on Amazon Web Services (AWS), for example, is built to provide companies with a consistent architecture, operational experience and feature set -- including around security -- for both vSphere-based on-premises and AWS applications.
The gateway conundrum
But even in the best cases, holes arise. Consequently, most companies construct a gateway that acts like a firewall or a security checkpoint between their on-premises and public cloud data centers. However, as noted above, these security systems are complex, and mapping the features from one environment to the other is a tedious, sometimes error-prone process.
Standards would help. "We have seen some acceptance of standards, like OpenID, which helps with authentication, but hybrid security is so complex that it has been difficult to develop standards that provide everything that an enterprise needs," Blum said.
The gateway approach has other challenges. For instance, businesses want to encrypt data as it moves from place to place, but data has to be decrypted as it passes through the gateway so the gateway can inspect it. This means businesses need to be sure that they turn encryption back on as data leaves a checkpoint. They also need to ensure that their systems encrypt data at rest -- information that sits in storage systems.
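The egress step described above, as an added example that is not from the article or from any vendor it names: an nginx reverse-proxy gateway that terminates TLS on the on-premises side, shown first with the weak plaintext upstream and then re-encrypting toward the cloud backend. Host names, ports and certificate paths are placeholders.

```nginx
# Gateway between the on-premises network and the cloud environment.
# Both server blocks use the same name for contrast; only one should be active.

# WEAK: TLS ends at the gateway and the request continues to the cloud backend
# in clear text. Data was encrypted on the way in, not on the way out.
server {
    listen 443 ssl;
    server_name gateway.example.internal;
    ssl_certificate     /etc/ssl/gateway.crt;
    ssl_certificate_key /etc/ssl/gateway.key;

    location / {
        proxy_pass http://app.cloud.example.internal:8080;  # plaintext leaves the checkpoint
    }
}

# CORRECTED: same inspection point, but traffic is re-encrypted to the backend,
# the backend certificate is verified against the cloud CA, and the gateway
# presents a client certificate so the backend accepts traffic only from it.
server {
    listen 443 ssl;
    server_name gateway.example.internal;
    ssl_certificate     /etc/ssl/gateway.crt;
    ssl_certificate_key /etc/ssl/gateway.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://app.cloud.example.internal:8443;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;                                   # reject an impostor backend
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/cloud-ca.crt;   # CA that signed the backend cert
        proxy_ssl_name app.cloud.example.internal;             # name checked against the cert
        proxy_ssl_server_name on;                              # send SNI to the backend
        proxy_ssl_certificate     /etc/ssl/gateway-client.crt; # mutual TLS toward the backend
        proxy_ssl_certificate_key /etc/ssl/gateway-client.key;
    }
}
```

Encryption at rest on the cloud side is a separate control and is not covered by this gateway configuration.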
New tools address hybrid cloud security challenges
Help is now available from a variety of places. Traditional IT and security vendors, such as Cisco, IBM, RSA, Sophos, Symantec and Trend Micro, continue to enhance their products to support hybrid cloud security. Third parties also deliver niche tools that shore up specific configurations, such as Gemalto's SafeNet security system, which encrypts information for businesses that run VMware Cloud on AWS.
Niche and often cloud-based security tools have also emerged, especially around identity management. Legacy vendors, such as CA Technologies, IBM and Oracle, as well as newbies, like Atos, Centrify, Covisint, ForgeRock, Optimal IdM, Ping Identity and SecureAuth, offer systems designed to link on-premises and cloud user authentication systems. A cohesive identity management system is often the first place a business starts to address hybrid cloud security challenges.