Like it or not, cloud-based IT services are here to stay. With almost universal adoption rates, cloud has become part of mainstream IT. But here’s the catch: IT leaders aren’t moving everything to the cloud. Enter hybrid IT – a mixed environment – which companies see as enterprise strategy for a long time.
Managing a hybrid IT infrastructure brings equal amount of complexity and ease. It involves a complex array of interwoven, often inextricable pieces of must-not-fail application technology that must function in unison.
The frustrating thing about managing security in a hybrid IT environment is that you can have the best policies and controls in the world, but a small gap in any part of the same environment can open the door to exploits for the organisation as a whole. With this in mind, here are five gaps that companies with a hybrid IT environment should look out for and address.
Inconsistent code testing for security vulnerabilities
Application security testing is becoming increasingly challenging in the era of DevOps. With the availability of application deployment via DevOps pipelines directly into a public cloud, the developer teams are facing even higher time pressure to release applications faster. With security testing often taking place at the end of the development cycle, organisations risk delaying the application development process and extending the go-to-market deadline.
Rather than waiting to test codes for security vulnerabilities at the end of a development cycle – (whether that cycle is agile or waterfall – there are sound economic reasons to consistently perform these tests at earlier intervals prior to deployment, such as when a code is integrated into the trunk in the DevOps pipeline. This “shift left” approach to security testing can identify the use of vulnerable code libraries or other insecure coding methods early enough to avoid an expensive rewriting of code to eliminate vulnerabilities.
Inconsistent access management and governance
While many companies have invested heavily in access management and governance tools, these mainly focused on existing systems. Given its nature, public cloud environments often resemble a patchwork, which is managed by various stakeholders and departments within an organisation.
However, business and IT leaders need to remember that everything is interlinked in hybrid environments. With access permissions becoming increasingly an attractive target to hackers, a centralised approach to access management and governance is necessary to consistently enforce policies and provide visibility of all access privileges and unusual usage.
Inconsistent incident response in concert with service providers
Like access management and governance, most enterprises have invested heavily in incident monitoring and response processes to minimise damage when breaches succeed. The challenge in a hybrid environment is that service providers need to be factored into both the monitoring and the response processes.
Many organisations don’t adequately plan for how to engage with cloud service providers during breaches, which can cause delays in responding. Even though many cloud service providers have security controls that exceed that of their customers, no security is impossible to breach, and there is a point where the service provider’s security responsibility ends, and the enterprise’s security begins. Organisations should be aware of where those lines are drawn, and have procedures and controls that bridge potential gaps.
Inconsistent encryption policies
Given the nature of hybrid cloud environments, data is exchanged between enterprise servers and the cloud. In an ideal world, data should only be transferred in the encrypted form. With the current threat landscape and many employees relying on open-source solutions, IT managers need to establish an integrated encryption policy across the entire hybrid infrastructure.
While new vulnerabilities are identified in existing software, configuration policies must be updated, and systems and applications must be patched. With increasing internal and external pressure, IT and operations teams are expected to demonstrate to auditors that policies are in place and being enforced when required by regulations.
The scale of this effort in an enterprise rapidly adopting cloud instances, and subject to multiple regulations can be overwhelming. The operations teams that maintain the automation for deploying servers need to work closely with those responsible for maintaining security policies and they need to be educated to look for gaps in coverage across the hybrid environment.
As enterprises evolve towards more use of cloud infrastructure and services, it will become increasingly necessary to mind the security gaps between traditional and cloud environments. By observing the traditional pitfalls and making appropriate adjustments, companies will be better placed to defend their infrastructure against data breaches and cyber-attacks in today's changing world.
Travis Greene is Senior Director of IT Operations Management at Micro Focus