In a previous post, we examined four hybrid cloud security fundamentals IT leaders need to understand – and be able to articulate to others in the organization. Let’s recap:
- Traditional perimeter security approaches won’t suffice
- Your threat surface is now distributed
- You need updated security tools and practices
- You share risk with cloud providers; you don't offload it
Now, let’s dig into how to tweak your security strategy accordingly. Consider this expert advice on addressing those four hybrid cloud security fundamentals – and related issues.
1. Match the right workloads to the right environments
Two of the biggest appeals of a hybrid cloud infrastructure are its flexibility and scalability. CIOs get to retain greater control over their data, scale up faster for urgent and evolving business needs, and optimize costs.
The same should be true for your hybrid cloud security strategy: You decide which environment is right for which data. Don’t let the risks associated with different data become an afterthought.
“‘Cloud first’ doesn’t mean cloud is the only option,” says Brian Wilson, CISO at SAS. “There are areas where it may make sense to keep pieces on-premises.” Deciding factors include the type of data, data volume, and data access requirements, he notes.
The buck still stops with you: Shared risk shouldn’t be confused with offloaded risk.
“To ensure that your specific security needs match up well with the security capabilities afforded to you in the chosen environment, match the right workloads to the right cloud environment,” says Michael Fuhrman, chief product officer at Flexential.
This requires a deep dive on your providers’ capabilities to ensure they meet your particular requirements. Wilson of SAS points to federation and SAML as an example, and elaborates with one of his own requirements for cloud providers:
“If you can’t federate with SAML, then we’re not doing business with you,” Wilson says. “Customers do not want providers to manage credentials or have multiple places to disable accounts when individuals leave.”
2. Evolve from perimeter defenses to identity management
As the traditional perimeter blurs, security experts recommend shifting your focus from “perimeter” to “identity.”
“Perhaps most useful [security strategy] in the adoption of a hybrid cloud at enterprise scale is the re-definition of perimeter to include identity,” says David Emerson, VP and deputy CISO at Cyxtera. “Identity is more important than ever, and multiple factors should be used to ensure it is accurately and granularly used to grant access to systems throughout your enterprise presence, and across numerous infrastructures.”
Longstanding security principles such as least privilege still apply here, and actually take on a new importance in hybrid environments: Individuals should have access only to data, privileges, and environments that they absolutely need to do their jobs. Anything more than that introduces unnecessary risk.
Laurence Pitt, global security strategy director at Juniper Networks, likewise points to identity and access management (IAM) as one of the critical strategies for strong hybrid cloud security.
“Understand who is accessing systems and data – establish user identity access management, use cloud application security broker (CASB) controls for application access, and two-factor authentication,” Pitt says. “With anytime-anywhere access, it’s critical to be alerted to unusual activity quickly to reduce the risk of a data breach.”
This is not to say that your traditional on-premises security tools need to be discarded; rather, you’re going to need a new mix. Experts also commonly recommend considering single sign-on (SSO) as part of your identity-based approached. The aforementioned SAML is one way to enable SSO.
Wilson of SAS unpacks the benefits for hybrid and multi-cloud environments:
“SAML puts the customer in control – if they want multi-factor, it’s up to them,” Wilson says. “You, as the customer, are in charge of informing the cloud providers who is authorized to do what and when. Providing accurate information requires that you have a solid identity, account management and governance strategy in place.”
3. Ensure visibility and ownership
Another key strategy: Putting the tools and policies in place to ensure you have a 360-degree view of your hybrid infrastructure. If your hybrid cloud adoption introduces blind spots, those are vulnerabilities – or a potential “hole in the cloud,” as Mike O'Malley, vice president of carrier strategy and business development at Radware, calls it.
“To ensure security in a hybrid cloud environment, IT leaders need complete visibility of their entire network as well as a unified solution that can enforce security policies across varied environments,” O’Malley says.
Along with visibility, ownership of all assets and environments is crucial.
“Each asset must have an assigned owner,” Juniper’s Pitt says. “Duties can be segregated. For example, a team can be responsible for server platforms and another team responsible for ensuring operating system patch-compliance, but without clear ownership, a risk may go unaddressed and become a business vulnerability.”
4. Consider necessary technology and cultural shifts
Brajesh Goyal, VP of engineering at Cavirin, points to automation as a good example of a technical strategy to strengthen security. It offers significant potential for helping to secure the distributed and always-changing nature of hybrid cloud, and hybrid cloud's frequent partner, containers. (See What’s next in IT automation: 6 trends to watch.)
But hybrid cloud security may depend just as much on cultural shifts as technical changes. If security has traditionally been a final (or near-final) step in your pipelines and processes or something that only occurs after an incident, you should examine how to foster the cultural changes necessary for making security a part of nearly everything you do.
Just as with the software development pipeline, automation and cloud-native security technologies aren’t magic acts. They require people to make them work well.
For some organizations, this began with DevOps. It’s also a reason why that now-ubiquitous term has been joined by its younger sibling, DevSecOps.
“Ideally, organizations should adopt new tools that promote cloud best practices with automation and foster a DevSecOps culture shift with continuous security models,” Goyal says.
Don’t underestimate the culture change associated with DevSecOps and baking security into the early stages of work, says Red Hat chief security architect Mike Bursell. There is a cultural divide between security people and “normal” people, he writes. “The problem is this: Security folks know how things should be, and that’s secure. They’ve taken the training, they’ve attended the sessions, they’ve read the articles, they’ve skimmed the heavy books, and all of these sources are quite clear: Everything must be secure. And secure generally means ‘closed’ – particularly if the security folks weren’t sufficiently involved in the design, implementation, and operations processes.
“Normal people, on the other hand, generally just want things to work. There’s a fundamental disjoint between those two points of view that we're not going to get fixed until security is the very top requirement for any project from its inception to its ending.” (Read the full article: Talking to normal people about security. )
5. Do a thorough (perhaps overdue) audit
There’s a general theme here, one worth calling out on its own: Done right, hybrid cloud can improve your security posture. That won’t happen automatically, of course.
But here’s a good first step: Moving to a hybrid cloud infrastructure is a great excuse for overhauling security tools and practices that may be overdue for an audit anyway. Treat security as a baked-in component of your hybrid cloud strategy, not as a nuisance that’s bolted on at the end.
“Moving into the cloud is an opportunity to review security practices and implement new or advanced services to improve your performance and posture,” Pitt says. “Many enterprises have utilized the same tools for a number of years, and cloud adoption provides the chance to review features and configuration with an eye to the future.”