At first, there was “moving to the cloud,” then there were private and public clouds, which progressed into hybrid clouds. The domains of cloud computing have been evolving rapidly, galloping forward to meet the business needs of an industry that relies on data more than ever before.
The succession of this progression also follows a business logic, this time, one related to risk. When businesses first moved to the cloud, they wanted to scale operations easily and enable working everywhere. Then risks joined the equation, and businesses preferred using their own clouds. Some moved just a part of their workloads to the public cloud to save costs, but many agree that the most sensible model nowadays is a hybrid cloud, in which one or more clouds are part of the infrastructure, with or without on-premises assets. Today’s reality is also multicloud, with businesses relying on multiple vendors to meet their cloud computing needs.
Humans are often said to have their feet on the ground and their heads in the clouds. It’s a good analogy for hybrid cloud infrastructures. Some of it may still be on-site, some of it could be a private cloud and some workloads that carry lower risks can be placed on a public cloud where costs are lower and scaling up and down can be extremely agile.
What about risks? While they still exist, there are ways to mitigate them and still enjoy the best of both worlds that a hybrid infrastructure can offer.
Does Scaling Up in the Cloud Mean Scaling Up Risk?
The short answer: It depends.
When it comes to moving data to the cloud, a few core risk components do repeat for most organizations:
- Storage of data and movement of data between clouds or to and from on-premises infrastructure needs to be monitored and protected to prevent interception by external parties.
- Compliance and governance in highly regulated sectors can be more challenging in a distributed environment, like that of a hybrid cloud.
- Complexity in the supply chain is a concern when hybrid clouds and on-premises assets each operate solutions from a variety of vendors, open-source applications and code, containers, and the underlying core of the cloud provider itself. This complexity can hinder visibility into possible vulnerabilities and impede governance and compliance, presenting very little control over the security of each component, its code and the controls integrated by third-party vendors.
- Another complexity is any solution sold as part of a cloud deal, sometimes for no extra charge for a period of time. These tools may appear to be a “gift” but they add to governance and compliance needs, require patching and can be a bad fit for the organization if they are hard to integrate with other parts of the environment.
- Access management in the cloud is critical, especially privileged access. In the cloud, people from within and outside the organization are constantly using and moving data, so excessive permissions can result in a security incident.
- A skill shortage in the areas of cloud computing and cloud security makes it harder for organizations to get everything right when it comes to configuring and gaining proper visibility into their deployments. Without specialized staff, and forced to share responsibility for security with their cloud providers, IT teams can find it hard to keep up with the evolving threats that apply to their company’s risk profile.
Security On-Premises, Security in the Cloud
While a move to the cloud can definitely present a new set of risks, it is not an insurmountable task. It does take a completely fresh approach to information security, rather than a lopsided attempt to carry controls from on-premises networks to cloud deployments.
A few points to consider when branching out to hybrid cloud models are:
Begin with the end in mind. Before deciding on moving to the cloud, evaluate the needs, look into goals and determine in advance what data or workloads need to be scaled and why. Speak to a cloud architect and your security team to tailor a starting point for your implementation.
Some parts of cloud security are the same as IT security. Approach cloud security as you would approach any security program. Before the project begins, start with proper assessments and classification of data and assets, make decisions about where each should be operated, model cloud threats, assess risk, and then apply controls and monitoring as you would for on-premise infrastructure.
Clouds differ from an on-premises infrastructure in their highly connected nature. Insecure interfaces, permissive access and malicious actors from both inside and outside the environment can pose a threat to everything running in the cloud. Moreover, resources in the cloud are delivered by software and through the internet rather than by local resources. This means infrastructure as code. For example, provisioning happens through machine-readable configuration files rather than hardware, which requires a different way of thinking when it comes to securing these resources.
How, then, does one approach security in this case? It’s about building it into the deployment on every layer.
Assess, plan and deploy security controls, including:
- Physical controls to guard underlying hardware
- Technical controls to provide centralized management of applications and users, control least privilege access, encrypt data, etc.
- Administrative controls, or governance, to effect cultural change in the company and help users understand their role in securing their use of the cloud
- Incident response plans in place and plan for failover and disaster recovery
This is not all. After these basic controls are in place, and since much of what’s served on the cloud is based on code, it is essential to build security into code as well. Security as code is the concept that security is integrated into everything that runs on the cloud, from the inception stage, throughout the life cycle of each application and in containerized development, infrastructure templates, codified security standards and policies, etc.
Use open, easy-to-integrate tools to centralize management of the hybrid cloud and automate every possible aspect of your deployment. Manually managing provisioning, user onboarding, permissions, patching and monitoring, to name a few, is simply not feasible anymore. Automation must become a large part of the cloud environment to help create repeatable processes, detect issues faster and adhere to compliance demands with ease.
When it comes to third parties, draft your security standards into contracts, define liability and monitor access diligently to guard the interface into the company’s realm and its data.
Securing the cloud is a journey of planning and small wins along the way. It won’t all happen at once, but taking steps in the right direction will continuously help bolster security and allow the organization to keep reaping the benefits of the cloud era.
Strength in Cloud Heterogeneity
Some final words about hybrid clouds: Just as we segment networks and segregate sensitive zones and users, hybrid clouds that feature heterogeneous environments can be a strong promoter of overall security for the organization, providing control, choice and cost reduction without compromising security, scalability or agility.
On Jan. 29, 2020, we will be hosting a Cybertech panel focusing on security threats in the cloud era. Join us at 14:25 in Hall C1-P1 to hear from experts in the field about how they tackle various issues and take away lessons on reducing risk in hybrid cloud deployments.
Principal Consultant, X-Force Cyber Crisis Management, IBM