Hybrid cloud deployment numbers are soaring. According to a report by 451 Research, “Going Hybrid: Demand for Cloud and Managed Services Across Asia-Pacific”, which surveyed over 400 IT decision makers in some of the largest businesses in key vertical markets, one in two businesses (52 percent) is using or planning to use a fully integrated hybrid environment.
The technology has clear security advantages, protecting critical data by offering companies choices on where best to store it. But hybrid cloud can also expose them to new threats. The survey found that IT management believes hybrid cloud improves operational security (59 percent of respondents), disaster recovery (34 percent) and network security (31 percent). Yet the same group also sees hybrid cloud exposing security flaws in critical areas, including encryption (46 percent of respondents), management and monitoring (44 percent), and identity and access management (33 percent).
Resolving the complexity of developing, maintaining and securing a hybrid cloud environment can be challenging for businesses. The traditional approach to security defines perimeters, raises firewalls around the core system to guard against intruders, posts intrusion prevention systems to identify and root out unwanted programs and hackers, and guards critical sectors with strong access control.
Security shifts from server to data
However, hybrid cloud turns traditional security on its head. The perimeters are blurred, and critical data flows freely between enterprises’ systems and those of the cloud providers, exposing that data to new risks. That demands a new model of security.
Traditional on-premises architecture assumes sensitive data never leaves a company’s core IT infrastructure perimeter. In that scenario, security teams monitor data access by controlling the infrastructure perimeter, including access to the apps and systems that use the data.
With hybrid cloud, data flows beyond enterprise perimeters and the security team’s control. Drawing perimeters that rely on signature-based defenses and restricting access to servers is insufficient. In this scenario, the data itself must be secured, both at rest and in transit. In a flexible, multi-tenant environment like cloud, prying eyes are always searching for vulnerabilities. Hence, strong data encryption is not just an option; it must have the highest priority to keep sensitive information from those eyes.
Data is most vulnerable when traveling between on-premises infrastructure and the cloud provider’s premises. That is why many security-minded organizations rely on private leased lines, both for latency and security.
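The shift from guarding servers to guarding data means the security team needs to know, for every data store in the hybrid estate, whether it is encrypted at rest and whether every path to it is encrypted in transit. The check below is an added example, not code from the article or from NTT; the inventory format, field names, the "confidential data in the cloud must use a customer-managed key" rule and the set of TLS-wrapping URL schemes are all assumptions chosen for illustration.

```python
"""Encryption posture check over a (constructed) hybrid data-store inventory.

Added example for illustration only. The DataStore fields, the policy rules and
the inventory records are assumptions, not taken from any real environment.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class DataStore:
    """One record from an assumed inventory of data stores."""
    name: str
    location: str                 # "on-prem" or "cloud"
    classification: str           # "public" | "internal" | "confidential"
    encrypted_at_rest: bool
    customer_managed_key: bool    # key material held by the enterprise, not the provider
    endpoints: list[str] = field(default_factory=list)


# Schemes whose sessions are wrapped in TLS or SSH. Anything else is treated as
# cleartext for the purpose of the in-transit check (assumed list).
TLS_SCHEMES = {"https", "sftp", "ldaps", "amqps"}


def check_store(store: DataStore) -> list[str]:
    """Return the policy findings for one store (empty list means compliant)."""
    findings: list[str] = []

    # At rest: anything that is not public must be encrypted.
    if store.classification != "public" and not store.encrypted_at_rest:
        findings.append("not encrypted at rest")

    # Assumed rule: confidential data that leaves the premises must be protected
    # with a key the enterprise controls, so the provider alone cannot decrypt it.
    if (store.classification == "confidential" and store.location == "cloud"
            and not store.customer_managed_key):
        findings.append("confidential data in the cloud without a customer-managed key")

    # In transit: every advertised endpoint must use a TLS/SSH-wrapped scheme.
    for endpoint in store.endpoints:
        scheme = urlparse(endpoint).scheme.lower()
        if scheme not in TLS_SCHEMES:
            findings.append(f"cleartext endpoint {endpoint}")

    return findings


def audit(stores: list[DataStore]) -> dict[str, list[str]]:
    """Map each non-compliant store name to its findings."""
    return {s.name: f for s in stores if (f := check_store(s))}


# Constructed sample inventory (hostnames are placeholders).
INVENTORY = [
    DataStore("hr-records", "cloud", "confidential", True, False,
              ["https://hr.example.cloud"]),
    DataStore("marketing-assets", "cloud", "public", False, False,
              ["http://cdn.example.cloud"]),
    DataStore("finance-db", "on-prem", "confidential", False, True,
              ["https://fin-api.example.internal"]),
    DataStore("backup-vault", "cloud", "internal", True, False,
              ["sftp://backup.example.cloud"]),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(f"{name}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real inventory export, the same two questions (is it encrypted where it sits, is it encrypted on the way there) apply to both on-premises and cloud stores, which is the point of moving the control to the data rather than the perimeter.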
Compatibility is key
In a dynamic cloud environment, threats can strike anywhere and at any time. A simple oversight like patching network devices incorrectly during regular maintenance at the cloud server farm or a sophisticated attack on a less secure app in the cloud can increase risk.
Due diligence on the cloud provider’s environment is vital. CIOs should never rely solely on an outside vendor to keep their network secure. Cheaper subscription or operating costs count for nothing when a security breach damages a company’s operations and reputation.
The first step in addressing security risks is to understand whether a provider’s security policies are compatible with your own company’s security policies. If gaps are uncovered, IT needs to act. After all, you are responsible to your customers for any breach.
The CIO must closely monitor security policies and capabilities across both the enterprise’s and cloud provider’s infrastructure. IT departments must ensure proactive measures are taken in case of a breach. Building such capability takes time but provides a secure foundation for enterprise networks using hybrid cloud.
Lastly, cloud providers must be fully aware of how compliance requirements affect their customers. This is particularly important for cloud servers in jurisdictions with strict data sovereignty or data privacy laws, like the European Union’s GDPR or Indonesia’s general data localization requirements.
In cloud environments, it’s easy to spin up new instances. But what happens to old ones? They are often referred to as zombie instances or cloud zombies: instances that are still running but no longer monitored. The problem with cloud zombies is that they quickly become outdated and are seldom patched, making them vulnerable to exploitation.
Cloud providers should have a clear and strong lifecycle management and governance process to eliminate instances no longer required.
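A lifecycle process needs a way to find the zombies in the first place. The script below is an added example, not code from the article or from NTT: it sweeps a (constructed) instance inventory and flags running instances that have no recent monitoring-agent heartbeat and are also either untagged or behind on patching. The record fields, the 7-day heartbeat and 30-day patch thresholds, and the "zombie means unmonitored plus unowned or unpatched" definition are assumptions chosen for illustration.

```python
"""Find zombie instances in a (constructed) hybrid cloud inventory.

Added example for illustration only. Field names, thresholds and the sample
fleet are assumptions, not taken from any real cloud API or environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Instance:
    """One record from an assumed instance inventory export."""
    instance_id: str
    owner: Optional[str]                  # value of an owner tag; None = untagged
    last_patched: Optional[date]          # None = never patched
    last_agent_heartbeat: Optional[date]  # monitoring agent check-in; None = no agent
    running: bool


MAX_PATCH_AGE = timedelta(days=30)      # assumed patch SLA
MAX_HEARTBEAT_AGE = timedelta(days=7)   # assumed "still monitored" window


def _older_than(when: Optional[date], today: date, limit: timedelta) -> bool:
    """True when the event never happened or happened more than `limit` ago."""
    return when is None or today - when > limit


def instance_reasons(inst: Instance, today: date) -> list[str]:
    """Hygiene findings for a single running instance (empty = healthy)."""
    reasons: list[str] = []
    if inst.owner is None:
        reasons.append("no owner tag")
    if _older_than(inst.last_patched, today, MAX_PATCH_AGE):
        reasons.append(f"patch level older than {MAX_PATCH_AGE.days} days")
    if _older_than(inst.last_agent_heartbeat, today, MAX_HEARTBEAT_AGE):
        reasons.append(f"no monitoring heartbeat in {MAX_HEARTBEAT_AGE.days} days")
    return reasons


def find_zombies(fleet: list[Instance], today: date) -> dict[str, list[str]]:
    """Running instances nobody is watching that are also unowned or unpatched.

    A monitored instance that is merely behind on patching is a patching
    backlog item (see stale_patches), not a zombie; stopped instances are
    skipped because the article's concern is active, unmonitored capacity.
    """
    zombies: dict[str, list[str]] = {}
    for inst in fleet:
        if not inst.running:
            continue
        reasons = instance_reasons(inst, today)
        unmonitored = any(r.startswith("no monitoring heartbeat") for r in reasons)
        if unmonitored and len(reasons) > 1:
            zombies[inst.instance_id] = reasons
    return zombies


def stale_patches(fleet: list[Instance], today: date) -> list[str]:
    """IDs of running instances whose patch level is older than MAX_PATCH_AGE."""
    return sorted(i.instance_id for i in fleet
                  if i.running and _older_than(i.last_patched, today, MAX_PATCH_AGE))


# Constructed sample fleet; TODAY is fixed so the results are reproducible.
TODAY = date(2024, 6, 1)
FLEET = [
    Instance("i-0001", "payments", date(2024, 5, 25), date(2024, 5, 31), True),
    Instance("i-0002", None, date(2023, 11, 2), None, True),
    Instance("i-0003", "analytics", date(2024, 3, 15), date(2024, 5, 30), True),
    Instance("i-0004", None, date(2024, 5, 28), date(2024, 4, 1), True),
    Instance("i-0005", None, None, None, False),
]

if __name__ == "__main__":
    for instance_id, reasons in find_zombies(FLEET, TODAY).items():
        print(f"{instance_id}: {', '.join(reasons)}")
    print("patch backlog:", ", ".join(stale_patches(FLEET, TODAY)))
```

In practice the inventory would come from the provider's API and the on-premises CMDB, and the heartbeat from whatever agent the security team already relies on; the value of the sweep is that it gives the governance process a concrete list of instances to retire or bring back under management rather than a policy statement.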
Another important step is to develop the ability to migrate workloads to other clouds. This is increasingly common in hybrid environments where specific workloads are moved to different environments for regulatory, disaster recovery or performance reasons.
A clear service level agreement (SLA) covering how a provider handles such migration is vital to avoid lock-in that could impact the enterprise network.
Setting realistic expectations
Despite claims that cloud is less secure, the opposite is most often true. Established cloud providers always keep their infrastructure secure and invest in the latest security solutions, enforcement and talent, as they know that security issues top the list of enterprise priorities.
No doubt cloud security is complex and requires new strategies. That is why, according to the APAC hybrid cloud survey, CIOs are looking to managed security services for the expertise and experience to successfully deploy and manage hybrid clouds. The survey shows companies look to managed services for professional and consulting services (45 percent), risk and compliance management (38 percent), and incident response and remediation (37 percent).
Managed security service providers can also assist in designing a framework to meet a company’s specific security needs in a hybrid cloud. They can help CIOs manage risk and meet compliance requirements in highly regulated industries or geographies.
If a breach occurs, managed security service providers can help with incident response and remediation processes that require specialist skills and tools beyond the enterprise’s own infrastructure. They provide a holistic perspective on security and insights into vulnerabilities that internal security teams may miss.
Access to managed services’ hybrid cloud talent and experience is important to ensure enterprises can maintain control of data – whether it is on-premises or in the cloud.
Dave Scott, Solutions Director, NTT Com Managed Services