At first, there was “moving to the cloud,” then there were private and public clouds, which progressed into hybrid clouds. The domains of cloud computing have been evolving rapidly, galloping forward to meet the business needs of an industry that relies on data more than ever before.

This progression also follows a business logic, this time one related to risk. When businesses first moved to the cloud, they wanted to scale operations easily and enable working everywhere. Then risks joined the equation, and businesses preferred using their own clouds. Some moved just a part of their workloads to the public cloud to save costs, but many agree that the most sensible model nowadays is a hybrid cloud, in which one or more clouds are part of the infrastructure, with or without on-premises assets. Today’s reality is also multicloud, with businesses relying on multiple vendors to meet their cloud computing needs.

Humans are often said to have their feet on the ground and their heads in the clouds. It’s a good analogy for hybrid cloud infrastructures. Some of the infrastructure may still be on-site, some of it could be a private cloud, and some workloads that carry lower risks can be placed on a public cloud, where costs are lower and scaling up and down can be extremely agile.

What about risks? While they still exist, there are ways to mitigate them and still enjoy the best of both worlds that a hybrid infrastructure can offer.

Does Scaling Up in the Cloud Mean Scaling Up Risk?

The short answer: It depends.

When it comes to moving data to the cloud, a few core risk components do repeat for most organizations:

  • Storage of data and movement of data between clouds or to and from on-premises infrastructure needs to be monitored and protected to prevent interception by external parties.
  • Compliance and governance in highly regulated sectors can be more challenging in a distributed environment, like that of a hybrid cloud.
  • Complexity in the supply chain is a concern when hybrid clouds and on-premises assets each operate solutions from a variety of vendors, open-source applications and code, containers, and the underlying core of the cloud provider itself. This complexity can hinder visibility into possible vulnerabilities and impede governance and compliance, presenting very little control over the security of each component, its code and the controls integrated by third-party vendors.
  • Another complexity is any solution sold as part of a cloud deal, sometimes for no extra charge for a period of time. These tools may appear to be a “gift” but they add to governance and compliance needs, require patching and can be a bad fit for the organization if they are hard to integrate with other parts of the environment.
  • Access management in the cloud is critical, especially privileged access. In the cloud, people from within and outside the organization are constantly using and moving data, so excessive permissions can result in a security incident.
  • A skill shortage in the areas of cloud computing and cloud security makes it harder for organizations to get everything right when it comes to configuring and gaining proper visibility into their deployments. Without specialized staff, and forced to share responsibility for security with their cloud providers, IT teams can find it hard to keep up with the evolving threats that apply to their company’s risk profile.

Security On-Premises, Security in the Cloud

While a move to the cloud can definitely present a new set of risks, it is not an insurmountable task. It does take a completely fresh approach to information security, rather than a lopsided attempt to carry controls from on-premises networks to cloud deployments.

A few points to consider when branching out to hybrid cloud models are:

Begin with the end in mind. Before deciding on moving to the cloud, evaluate the needs, look into goals and determine in advance what data or workloads need to be scaled and why. Speak to a cloud architect and your security team to tailor a starting point for your implementation.

Some parts of cloud security are the same as IT security. Approach cloud security as you would approach any security program. Before the project begins, start with proper assessments and classification of data and assets, make decisions about where each should be operated, model cloud threats, assess risk, and then apply controls and monitoring as you would for on-premises infrastructure.

Clouds differ from an on-premises infrastructure in their highly connected nature. Insecure interfaces, permissive access and malicious actors from both inside and outside the environment can pose a threat to everything running in the cloud. Moreover, resources in the cloud are delivered by software and through the internet rather than by local resources. This means infrastructure as code. For example, provisioning happens through machine-readable configuration files rather than hardware, which requires a different way of thinking when it comes to securing these resources.

How, then, does one approach security in this case? It’s about building it into the deployment on every layer.

Assess, plan and deploy security controls, including:

  • Physical controls to guard underlying hardware
  • Technical controls to provide centralized management of applications and users, control least privilege access, encrypt data, etc.
  • Administrative controls, or governance, to effect cultural change in the company and help users understand their role in securing their use of the cloud
  • Incident response plans, along with plans for failover and disaster recovery

This is not all. After these basic controls are in place, and since much of what’s served on the cloud is based on code, it is essential to build security into code as well. Security as code is the concept that security is integrated into everything that runs on the cloud, from the inception stage, throughout the life cycle of each application and in containerized development, infrastructure templates, codified security standards and policies, etc.
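As an added illustration of “codified security standards and policies” (not code from the original article), the sketch below evaluates a machine-readable deployment template against four rules drawn from the risks and controls listed above: encryption, public exposure, protected data movement and least privilege. The template schema, resource names and policy IDs are hypothetical and vendor-neutral.

```python
# Added illustration. The template schema and policy IDs are hypothetical,
# not a real provider format; TEMPLATE is constructed sample data.
TEMPLATE = {"resources": [
    {"name": "hr-records", "type": "storage", "location": "private-cloud",
     "classification": "sensitive", "encrypted": True, "public": False},
    {"name": "web-assets", "type": "storage", "location": "public-cloud",
     "classification": "low", "encrypted": False, "public": True},
    {"name": "payroll-export", "type": "storage", "location": "public-cloud",
     "classification": "sensitive", "encrypted": False, "public": True},
    {"name": "onprem-to-cloud-sync", "type": "transfer",
     "source": "on-premises", "destination": "public-cloud", "tls": False},
    {"name": "ops-admin", "type": "role", "actions": ["*"], "resources": ["*"]},
    {"name": "report-reader", "type": "role",
     "actions": ["storage:read"], "resources": ["web-assets"]},
]}

def is_sensitive_store(r):
    # Anything not explicitly classified "low" is treated as sensitive.
    return r["type"] == "storage" and r.get("classification") != "low"

# Each policy: (id, codified standard, predicate that is True on a violation).
# Missing attributes fail closed: an undeclared setting counts as insecure.
POLICIES = [
    ("ENC-01", "sensitive data is encrypted at rest",
     lambda r: is_sensitive_store(r) and not r.get("encrypted", False)),
    ("PUB-01", "sensitive data is never publicly reachable",
     lambda r: is_sensitive_store(r) and r.get("public", True)),
    ("TLS-01", "data moving between environments uses TLS",
     lambda r: r["type"] == "transfer" and not r.get("tls", False)),
    ("IAM-01", "roles carry no wildcard permissions",
     lambda r: r["type"] == "role"
     and "*" in r.get("actions", ["*"]) + r.get("resources", ["*"])),
]

def evaluate(template):
    """Return sorted (policy_id, resource_name) pairs, one per violation."""
    return sorted((pid, r["name"])
                  for r in template["resources"]
                  for pid, _standard, violated in POLICIES
                  if violated(r))

def gate(template):
    """Deployment gate: True only when no codified policy is violated."""
    return not evaluate(template)

if __name__ == "__main__":
    for pid, name in evaluate(TEMPLATE):
        print(f"{pid}: {name}")
    print("deploy allowed:", gate(TEMPLATE))
```

Run as a pipeline step before provisioning, a check like this turns the classification and control decisions made during planning into a repeatable gate rather than a manual review.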

Use open, easy-to-integrate tools to centralize management of the hybrid cloud and automate every possible aspect of your deployment. Manually managing provisioning, user onboarding, permissions, patching and monitoring, to name a few, is simply not feasible anymore. Automation must become a large part of the cloud environment to help create repeatable processes, detect issues faster and adhere to compliance demands with ease.

When it comes to third parties, draft your security standards into contracts, define liability and monitor access diligently to guard the interface into the company’s realm and its data.

Securing the cloud is a journey of planning and small wins along the way. It won’t all happen at once, but taking steps in the right direction will continuously help bolster security and allow the organization to keep reaping the benefits of the cloud era.

Strength in Cloud Heterogeneity

Some final words about hybrid clouds: Just as we segment networks and segregate sensitive zones and users, hybrid clouds that feature heterogeneous environments can be a strong promoter of overall security for the organization, providing control, choice and cost reduction without compromising security, scalability or agility.

On Jan. 29, 2020, we will be hosting a Cybertech panel focusing on security threats in the cloud era. Join us at 14:25 in Hall C1-P1 to hear from experts in the field about how they tackle various issues and take away lessons on reducing risk in hybrid cloud deployments.
