Hybrid Cloud Security

Over the years, we’ve worked with a variety of companies that use public, private, and hybrid cloud configurations. In some cases, an organization insists on using on-premises computing, which we usually means they’re missing out on many advantages of the cloud. We advise them to consider a hybrid cloud model. We agree that hybrid clouds require careful initial configuration & migration and ongoing diligent management over time. Proper hybrid cloud security protects data, applications, and resources across all environments, while allowing access to useful workloads in the cloud environment. We’ve assembled six areas to address with hybrid cloud security.

1. Start with Physical Security

We’ve written about the shared responsibility model before with respect to AWS. For public cloud components, the provider (e.g., Amazon, Microsoft, Google) manages physical security. You’re responsible for everything on your private cloud (in-house infrastructure). Do you limit physical access, have locks & cameras, and ensure a controlled environment (e.g., temperature, humidity). You must ensure that you use equivalent controls for both the cloud and on-premises components of your network. Note, a good first step is to create an inventory of all the assets across your environment – in the cloud, on-premises, and endpoint devices.

2. Factor In Administrative Security

The biggest risk in hybrid cloud environments is your employees. You should plan for that! First, exercise the principle of least privilege. Also, spend some time reviewing your data protection and retention policies. Put together a risk assessment. Is your disaster recovery plan up to date? And as part of your onboarding, definitely invest in some employee training around securing your data and environment. Make sure everyone in your organization knows how to avoid cyber security threats.

3. Consider Interoperability and Configuration BEFORE Cloud Adoption

When data is spread across cloud and on-premises infrastructure, you need a holistic approach to security. Hybrid solutions transfer data between on-premises and cloud resources. Whenever data is transferred, it could be intercepted, lost, or corrupted. The best defense is defining uniform policies for all hybrid transmissions. That means revisiting principle of least privelege for systems, not just people. One misunderstanding is that providers take care of all the common security functions – Identity and Authorization Management, Firewalls, and Backups. The cloud provider offers tools, but all environments must be secured.

General Security Measures

Employ role-based access, endpoint security, multi-factor authentication (MFA), reliable (and tested) data backup & recovery, and change monitoring.

Encryption

For data in transit, ensure strong network session encryption. For data at rest, use full disk encryption and hardware encryption.

Virtual Private Networks

VPNs enable secure connections between components running in different environments.

4. Secure All Endpoints

Endpoints are the most vulnerable components of your computing environment. Endpoint security means protecting endpoints or entry points of end-user devices (e.g., desktops, laptops, and mobile devices) from malicious actors. Antivirus software has been the primary solution to protecting endpoints because it satisfies regulatory, governance and compliance audits. Unfortunately, it provides minimal security protection. Antivirus is good for catching known threats using a blacklist but often fails to detect sophisticated malware. More advanced endpoint detection tools use automation to adapt to evolving threats. Consider a Bring-Your-Own-Device (BYOD) policy to mitigate other threats. Companies working with sensitive information should provide their own devices that restrict access and available applications.

5. Automate When Feasible

The best practices for data security in hybrid environments includes automation of all possible security options, including coding & securing the infrastructure of the hybrid environment and keeping endpoints up-to-date.

6. Actively Monitor

It’s essential to monitor attack vectors, such as unpatched software, weak credentials, missing encryption, and improperly configured cloud infrastructure. Monitoring hybrid clouds can be a challenge because of the diversity of all the services you use. In addition, managing alerts is complex affair and log files can be overwhelming. Consequently, tooling is essential.

Securing Your Hybrid Cloud

Start as soon as possible — the only time it’s too late is when it’s too late. Hybrid cloud security involves protecting data, applications and infrastructure, including on-premises and public cloud components. Implementation must address business processes, workloads, and management across various IT environments. Cloud security is a shared responsibility between cloud providers who secure their infrastructure and organizations who must protect the applications, data, on-premises computing, and organization endpoints. And it’s an ongoing responsibility — your organization must monitor and respond regularly to emerging threats and issues.