Hybrid cloud security 101: What IT executives need to know
As IT managers look deeper at hybrid cloud architecture, many realize they need to re-examine old rules governing traditional data center security. Business processes sometime need adjustments to make the hybrid cloud safe and secure for companies, users, and customers.
Certainly, the hybrid cloud infrastructure has a lot of promise and offers plenty of benefits. With a hybrid cloud, business-critical data and applications are typically hosted in private clouds. Less-critical business data is hosted in public clouds, where many companies’ data can be safely and securely stored. Public clouds cut infrastructure costs, while private clouds allow companies to maintain their grip on their most important data and application assets. It’s a good balance.
In the past, firewalls and security hardware were standard components for IT system security in corporate data centers. But data center tools don’t completely fill the requirements of hybrid clouds. You need unique security tools and methods to keep pace with the cloud’s portability and support for moving data anywhere, anytime.
“Normally you think of security as being in house,” says Simon Leech, chief technologist for Hewlett Packard Enterprise’s digital solutions and transformation team. “But when you move some operations to the cloud, you need a larger view of security.”
I’ve seen so many projects where they put together a plan and a week before deployment they say, ‘Let’s give security a look.’ Those people then have a list of security checks that delay the launch. So the next time, no one asks the security team because they don’t want delays.
Security has always been a concern in traditional data centers. However, with hybrid clouds, IT leaders need to be even more vigilant about building a vault around data, wherever it is stored. To do that, CEOs, CIOs, CTOs, and other IT executives need to understand how hybrid clouds work, how they differ from traditional data centers, and how they impact particular security processes and technologies. It can be a complicated maze, requiring security professionals to develop strategies and a road map to making hybrid cloud security a certainty for their companies.
Let’s begin with an outline of the general concepts that relate particularly to hybrid cloud security, including the specific security measures required by private and public clouds and the overarching importance of maintaining responsibility for your company’s data, even when someone else is hosting your cloud.
What to avoid: a real-life cloud security nightmare
The two most-mentioned drivers for companies moving to hybrid cloud architectures are operational agility and cost reduction, according to a July 2016 study by 451 Research. In a survey of 250 North American IT executives, 83 percent of insurance IT executives rated agility as the primary business driver for the move, followed by 80 percent of healthcare IT executives and 72 percent of telecommunications executives. “These industries are dealing with huge volumes of data spread across massive infrastructures, so leveraging a hybrid cloud strategy makes sense,” the study states. “And each of them are highly regulated industries, with tough security and risk management mandates.”
Those needs are real, but so are the risks and worries that give IT leaders heartburn.
How serious are the risks of data breaches and attacks in the cloud?
You could ask the IT leaders who ran Code Spaces, an online code hosting service that was permanently shuttered in June 2014 after a massive distributed denial-of-service attack on its cloud account, which was hosted by Amazon Web Services (AWS). The damage to the Code Spaces cloud occurred after an attacker invaded and accessed the company’s AWS account and then deleted most of the coding projects that were being hosted for customers, as well as all of the virtual machines that held the data.
The damage to the company and its reputation occurred in 12 hours, then it was gone. Code Spaces had touted its data backup processes to customers, but in the end, nothing worked as planned—and the company was out of business.
This Code Spaces case is a prime example of why companies must approach hybrid cloud security with a vengeance, using all the tools and techniques available. It’s not an impossible job. It just takes new approaches, clear thinking, proper preparations, and an open mind about doing things differently compared with previous data center protections.
Start by planning your hybrid cloud IT needs and strategy
First, determine exactly what you want to accomplish, says Leech. Without a proper vision for its use in improving business operations and customer and employee engagements, taking a road toward a hybrid cloud infrastructure is a dangerous game. “If you don’t have a use case, your cloud is going to fail,” says Leech. “You need a reason for doing it.”
Ultimately, for IT leaders, when it comes to placing parts of your operations into hybrid clouds, it’s about completely understanding your company’s data security risks and protections in all phases of the process, says Leech.
“You need to think carefully about your cloud structure because if you don’t, someone else will,” says Leech. “You can outsource the cloud service, but you can never outsource the risk.”
You can have hybrid clouds with as much security and as little risk as possible, but it takes planning, says Leech. Among the key issues to consider are threat awareness, choosing the correct cloud platform, and conducting due diligence in choosing partners and cloud service providers. It is also critical to ensure that your hybrid cloud processes meet regulatory compliance requirements. That means implementing and maintaining data encryption processes that protect confidential and personally identifiable information without impacting business applications and processes.
Security’s no afterthought
The topic of data security must be brought up early in the hybrid cloud planning discussions, to ensure risks are identified as soon as possible. That means inviting the security team to the initial meetings. “This needs to be at a high level so the CSO or CSIO provide the support that’s needed. It’s really just making sure the right people are at the table,” says Leech.
“The security team is going to have a better handle on what the threats will be and how to avert those threats,” says Leech. That also means bringing in your application developers and your data people, he adds.
“In the past, it’s very often been thought of as an afterthought,” he says. “Everyone else was in the room except for the security people. I’ve seen so many projects where they put together a plan and a week before deployment they say, ‘Let’s give security a look.’ Those people then have a list of security checks that delay the launch. So the next time, no one asks the security team because they don’t want delays.”
But it doesn’t have to be that way, explains Leech: “By getting security involved right away, it may take you more time. But the trade-off is you get higher quality code that prevents many problems in the first place.”
Your mandate: Always be thinking about cloud security risks
Cloud computing adds more data risks because many popular cloud services, such as Dropbox and AWS, are easily accessible to business workers. If internal business tools are too difficult to use or they don’t meet employees’ needs, users will do their work using external cloud tools, essentially creating shadow IT systems inside their companies—which don’t meet business compliance and security standards.
“Employees are already doing this, but IT may not know about it,” says Leech. Using a cloud server setup on AWS can be faster and easier than having the IT department set up one, which encourages the non-IT employees to bypass corporate hoops.
Don’t imagine your company is immune. For instance, a large consumer goods company used diagnostic tools in the process of evaluating its own cloud strategy. It found 1,400 instances of people using cloud offerings through its network without company approval, says Leech.
The concerns about these unauthorized users are real: They can endanger their company data and operations.
“These are the kinds of risks that the IT executive has to think about with the cloud,” says Leech. Doing so requires new design thinking, including process improvements to encourage developers to build better security into their applications, and itemizing data protection and data encryption needs in hybrid cloud infrastructures.
Risky business: Lessons for leaders
- Identify what can be hosted in the cloud—and what should not.
- Beware of shadow IT, where employees go around corporate policies (and thus proper security procedures) and host unsanctioned applications and data in the cloud.
- Security professionals should be at the table from the beginning of the conversation about cloud migration.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.