Enterprises are wasting little time in their transition to cloud computing. A recent study commissioned by Intel Security found that 80% of IT budgets will be allocated to cloud computing over the next 16 months. Hybrid deployments account for nearly one-fifth of enterprise cloud environments, a number that’s very likely to rise as organizations rapidly deploy a broad and deep mix of cloud services.
“Enterprises get the best of both worlds with hybrid cloud services offering the flexibility of private and public cloud services,” said Scott Schober (@ScottBVS), President & CEO of Berkeley Varitronics Systems.
But this rapid transition presents new types of security risks.
“From automatic updates to zero-day threats, hybrid environment security vulnerabilities are inevitable,” said Robert Siciliano (@RobertSiciliano), CEO of IDTheftSecurity.com. “There will always be gaps in security due to the complexity of these systems, regardless of ongoing assessments.”
We asked Schober, Siciliano, and other IT security experts for tips to help security teams stay on top of the rapidly evolving threat landscape as organizations embrace the cloud. Here’s what they had to say.
1. Integrate up and down the stack – and across deployments
The Intel Security study found that the average organization uses 43 different cloud services. But just 35% use an integrated solution for managing security across all of those services.
“Security risks arising from hybrid cloud systems are fairly common in organizations [that] typically develop private cloud systems initially and then expand by moving components into the public cloud,” said David Waterson (@DavidLWaterson), founder and CEO of data security company SentryBay.
No wonder, then, that security considerations for hybrid cloud environments need to center around integration.
“Organizations need to ensure that security between public cloud and private cloud is compatible,” said Waterson. “Hybrid systems introduce complexity into compliance issues – the minimum standards met between the public and private clouds should satisfy compliance requirements.”
Integration requires visibility across the entire environment – public, private, and on-premise – along with the proper tools and policies that ensure consistent levels of protection.
“In order to keep hybrid cloud environments truly safe, it is essential that IT use encryption that works seamlessly across both private and third-party platforms,” said Schober. “Since the exchange of data between public and private servers is critical, things like encryption become paramount in order to secure that data.”
You’ll also need consistent policies and tools up and down your technology stack, working with cloud service providers to deploy the latest techniques in critical areas such as user identity and access management.
“One way of increasing security is implementing multi-factor authentication access technologies,” such as two-factor (password and text message with a number or biometric identifier), said cybersecurity and legal consultant Bradley Shear (@bradleyshear). “Threats are constantly evolving so vigilance is key and the ability to quickly respond to these emerging issues is paramount.”
Sanjay Katkar (@sanjaykatkar), CTO of Quick Heal, recommends focusing on application security. “IT security staffers should make sure the applications that are being deployed have gone through penetration testing and [have the proper] encryption, authentication and authorization,” said Katkar. “This is very important when preparing for handling targeted attacks, especially if your applications [are handling] sensitive data.”
Cameron Brown (@AnalyticalCyber), a cyber defense adviser, also cited the importance of penetration and vulnerability testing, with a focus on testing both internal and external elements of the cloud infrastructure.
“In this way, dependencies can be evaluated over time, with discrete security controls measured for effectiveness and adapted elastically to cope with evolving risks,” said Brown.
Integration does not represent a new approach to security – it’s more an extension of existing best practices across a hybrid environment.
“The same issues apply to hybrid, pure play cloud, and on-premise systems: Protect and survive,” said technology consultant Stephen O’Donnell (@stephenodonnell).
2. Protect in real-time – and never stop learning
Keeping on top of the risks and rapid changes in cloud technology requires “an agile, real-time approach to security, incorporating it into the very fabric of the change management process as a critical core component,” said Will Lassalle (@wlassalle), CIO of JLS Technology USA. “This mindset will enable a continuously secure and compliant environment. Gone are the days of just becoming compliant right before an audit or being reactive to incidents.”
Because cloud technologies – and related security practices – are evolving so quickly, security professionals need to rely on a variety of third-party resources to stay abreast of the constantly shifting threat landscape.
For example, the Computer Emergency Readiness Team Coordination Center maintains a database of vulnerabilities associated with the most common IT products, said cybersecurity professional Brett Miller (@DrBrettAMiller). In addition, Miller said, most vendors provide information relating to the vulnerabilities associated with their specific products. He also suggests subscribing to any number of blogs and webinars that cover security topics.
Chuck Brooks (@ChuckDBrooks), a corporate executive, public speaker, and author, advocates a similar broad-based learning approach. “In a cybersecurity threat state of flux, information gathering is vital for any IT security team from a variety of sources,” said Brooks. He recommends subscribing to US-CERT alerts and participating in organizations such as CompTIA and SANS, which offer updates and training.
“Finally, do not underestimate the utility of social media for discovering the latest on threats and analysis,” Brooks added. “Many of the top people in the industry post on LinkedIn, Twitter, and hundreds of specialized social media groups.”
IT consultant Duane Baker (@DBaker007) suggested that security teams be offered “continuous access to professional development and opportunities to share experiences and techniques with their peers.”
Miller recommends that cyber professionals attend at least three weeks’ worth of training annually.
“This can be hard for some organizations to swallow,” he said, “but if an organization wants to protect its own along with customer and partner data, then the training of security professionals needs to be made a priority.”
3. Be a team player
As mentioned earlier, ensuring end-to-end security requires visibility across public, private, and on-premise systems. Such visibility requires communication and collaboration with both internal and external stakeholders.
“Good security is a team event,” said Baker.
“If you have any hope of staying ahead of the threats that are going to be presented through the journey of hybrid cloud adoption, you must learn that IT security staff cannot do it alone,” said Corey Elinburg (@celinburg), chief cloud security architect with United Health Group. “They are amazingly capable but finite creatures in an almost infinite world of new technology.”
For starters, security teams need to be in sync with their colleagues in IT to ensure that security is a ground-up consideration for any new cloud initiatives.
“Free-flowing communications with all IT departments in regards to security protocols, updates and emerging trends allows for the customer to stay on top of what might be a new risk and ahead of what is the next threat,” said Siciliano, the IDTheftSecurity.com CEO.
Many organizations are concerned that overly restrictive security practices will stifle innovation. That’s why security teams “must become unified in purpose and in practice” with IT innovation teams, said Elinburg. His advice to security leaders: “Don't resist that, embrace it. Become the innovation leader so you can set the terms of adoption, not struggle to manage the terms that were set for you.”
IT security and software engineering departments are not as tight-knit as they need to be, according to Ralph Rodriguez (@ralphopinions), founder and research fellow with Blue Hill Research. He suggests having a sponsor or advocate from each side attend the other side’s meetings related to data security in the cloud.
“The IT [security] sponsor needs to understand what software services are being deployed in this cloud and how the dev team is protecting this data,” said Rodriguez. “The dev sponsor needs to understand the tools and systems being used to monitor threats. This cross-pollination is a key step in protecting your ever-growing cloud.”
Security teams also need clear communication with cloud service providers, assuring that the right service-level agreements are in place and that the lines of shared responsibility for assets, applications and infrastructure in the cloud are clearly articulated.
“Collaboration between the provider and the customer is essential,” said Siciliano.