Every enterprise today seems to be moving toward cloud computing, but the term itself can be nebulous. And more critically, is the cloud secure? The answer, decidedly, is that it depends. To gain the advantages of the cloud without succumbing to the risks, a plan for cloud computing security should accompany any migration.

Choose Your Cloud: Public, Private or Hybrid?

Cloud computing refers to the delivery of on-demand computing resources — from applications to data centers — over the internet on a pay-for-use basis. As a result, enterprises gain:

  • A scalable resource to meet changing demands;
  • A pay-as-you-go metered service; and
  • Self-service access to all the IT resources the organization needs.

Although all clouds promise to provide a responsive and efficient way to deliver IT services, they’re not all created equal. Public clouds are owned and operated by companies promising rapid access to affordable computing resources over a public network — think Amazon Web Services (AWS) or Microsoft Azure. Private clouds are operated to serve a single organization, whether they’re internally or externally managed and hosted. Enterprises with private clouds gain more control and avoid sharing resources with other cloud customers.

The increasingly popular hybrid cloud — such as IBM Cloud — combines public cloud computing and/or storage with a private cloud infrastructure. Though they are independent, the public and private environments communicate via an encrypted connection. The global hybrid cloud market was valued at more than $38 billion in 2018, and it is projected to reach $1 trillion by 2024, according to Mordor Intelligence. While the hybrid cloud market has experienced significant overall growth in recent years — especially compared to other cloud services — it makes sense to proceed cautiously where cloud computing security is concerned.

Is the Cloud Secure? Only If You Think About Security First

It’s easy to get swept away by the advantages that a hybrid cloud could provide in handling fluctuating workloads and mushrooming data sets. Many industries, particularly financial, retail and healthcare, are racing toward cloud adoption. But in the rush, security can sometimes struggle to keep up.

In one 2017 study, 42 percent of organizations reported an attack within their hybrid cloud environments, according to Capsule8. Although the cloud provides some protection against zero-day exploits and insider attacks, enterprise security teams must ultimately secure workloads and data in the cloud just as they do for on-premises environments. This can be tricky. Consider the fact that 44 percent of respondents to a FireMon survey reported that IT staff or application owners are responsible for securing the cloud, not their security teams.

Security organizations need a robust framework to manage advanced threats, compliance requirements and the accelerating pace of business.

Why You Should Consider Containers

Application containers have evolved alongside hybrid cloud adoption. Containers bundle apps with all their operating system dependencies, giving organizations the agility to develop and deploy software faster and to provision and start applications quickly. Containers isolate applications from one another and the host, improve security, and encourage teams to adopt the principle of least privilege — granting access only to users with a demonstrated need.

Because containers run the same in development as they do in quality assurance and production, it’s easy to move them between environments, including clouds. And they have the potential to be more secure because they’re never patched in place and are simply replaced by new versions. This shifts a large portion of the security controls earlier in the life cycle and into DevOps.

Build Security Into the Design Process

DevOps refers to software development (Dev) processes combined with IT operations (Ops). DevOps shortens software development and better aligns the process with business objectives. Before applications are ever put into production, developers need tools that automatically highlight security risk and report vulnerabilities in code. When DevOps centers on security — as DevSecOps — access management, authentication and authorization become easier in both native and migrated cloud apps. But DevSecOps also means that development, operations and security teams have to join forces.

Cloud computing security must work in conjunction with DevOps. Embedding security from the start can allow much greater operational efficiency and less lost productivity after a breach. Given that hybrid cloud architecture spans multiple systems, it can broaden an organization’s attack surface. And yet, few companies have sufficient resources to secure the full range of environments. Automation is the key to scanning for vulnerabilities, applying consistent policies for identity and access management (IAM), reviewing logs and records, and ensuring a seamless experience for users.

Recognize Your Responsibility

Too many enterprises adopting public or private cloud environments fail to understand who is responsible for security. As one major cloud service provider (CSP) put it, the provider is responsible for the security of the cloud, and the enterprise is responsible for security in the cloud, including all the applications and databases running there.

True cloud security takes a collaborative effort, but CSPs provide varying levels of security, and what’s covered can depend on whether you’ve signed up for a software-as-a-service (SaaS), platform-as-a-service (PaaS) or infrastructure-as-a-service (IaaS) model. Therefore, security teams must understand which security and compliance provisions their CSPs include and complement them to stay on the right side of regulations such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI-DSS).

No matter what services your enterprise chooses, your security organization and IT team must still protect customer data, enforce access controls, monitor for malware infiltration and educate users. Your architectures, policies and tools must be consistent across every environment — from on-premises to public or private clouds to endpoints — to guard against constantly changing internal and external threats.
