Whatever the specific configuration of your cloud, be it public, private, or a mix of both, there are security risks that aren't immediately apparent, ranging from the technical to the organizational to issues of governance. Here are five things you need to know about integrating security across your multiple cloud deployments.
1) Know where your data is
Keeping your eye on where your data is located can be more difficult than you think, especially because of shadow IT. The cloud makes it easy for individual departments to have their own cloud-based applications and data storage. But you can’t protect what you don’t know exists—and even if you do know it exists, there are still unique issues to solve for. If you think there is no shadow IT in your organization, think again: In a Frost and Sullivan study, more than 80% of respondents admit to using non-approved SaaS applications in their enterprises.
Here’s the issue: shadow IT makes it possible for data to be stored and processed in the cloud without proper security controls. And when users and departments store and share sensitive data in the cloud or run applications in the cloud without IT’s knowledge, the enterprise can be exposed in many ways.
The answer: make sure you have a single system to track and secure your data. Consider requiring that IT perform security and compliance reviews for any SaaS contracts and services. IT may also want to launch a campaign to educate department managers about the governance and security issues that go along with SaaS applications and the cloud.
2) Secure your east-west traffic
Enterprises are moving to virtualized data centers, including private and public clouds, and beyond that to software-defined data centers. This has created a new pattern of east-west traffic from server to server or workload to workload. North-south traffic (between client and server) has also changed, because servers no longer sit on a dedicated appliance in a data center but are virtualized, generally in some kind of cloud configuration. In addition, the number and variety of clients has grown to encompass tablets, mobile devices, wearables, and IoT sensors.
This creates a new set of security challenges, particularly for east-west traffic. Firewalls placed at the edge of a data center or its virtual clone can compromise the security of east-west traffic, because inspecting it there depends on static routes and known entities, or else requires that IT manually configure and direct the east-west traffic to the security appliance.
One way to solve this is with software-defined security, which virtualizes an enterprise’s security infrastructure. In this approach, a controller automatically provisions security wherever and whenever it’s needed. The system can connect to multiple data centers of different types, and works with many security solutions—meaning it works with multiple types of cloud configurations. Intrusion protection systems for virtual environments are key tools as well, and work in concert with software-defined security.
3) Protection from malware
Many enterprises move to the cloud after having virtualized servers and applications in their data center, and may not be used to the unique security issues posed by a cloud configuration. Here’s an example. As some enterprises move to a private cloud, they run traditional anti-virus products in virtualized machines to fight malware. But in doing so they bring those virtualized machines to their knees, dramatically slowing performance. (For more details, see this interview about hybrid cloud security with Intel Security’s Loretta Nierat.)
To avoid those kinds of problems, look for security and data solutions specifically designed for the hybrid cloud. For anti-malware protection, that means special techniques such as avoiding scanning in virtual machines and using a scan appliance instead, or using scan-avoidance, which tracks which files have already been scanned and prevents re-scanning if they haven’t changed.
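The scan-avoidance idea described above, as an added sketch that is not from the article or from any vendor's product: a verdict cache held at the scan appliance and keyed by file content. The names `ScanCache` and `toy_scanner`, the marker string, and the signature-version handling are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

class ScanCache:
    """Verdict cache keyed by file content, so unchanged files are not re-scanned."""
    def __init__(self, scanner, signature_version):
        self.scanner = scanner                  # stand-in for the scan appliance
        self.signature_version = signature_version
        self.verdicts = {}                      # (sha256, signature_version) -> bool
        self.scans_run = 0

    def check(self, path):
        with open(path, "rb") as fh:
            data = fh.read()
        # Key on a content hash, not size/mtime: timestamps can be reset after a change.
        key = (hashlib.sha256(data).hexdigest(), self.signature_version)
        if key not in self.verdicts:
            self.verdicts[key] = self.scanner(data)
            self.scans_run += 1
        return self.verdicts[key]

    def update_signatures(self, version):
        # New detection content can change a verdict; the version in the key retires old entries.
        self.signature_version = version

def toy_scanner(data):
    """Constructed stand-in for a real engine: flags a harmless marker string."""
    return b"CONSTRUCTED-TEST-MARKER" not in data

def demo():
    cache = ScanCache(toy_scanner, signature_version=1)
    with tempfile.TemporaryDirectory() as d:
        vm1, vm2 = os.path.join(d, "vm1.bin"), os.path.join(d, "vm2.bin")
        for p in (vm1, vm2):                    # same file present on two guests
            with open(p, "wb") as fh:
                fh.write(b"shared library bytes")
        results = [cache.check(vm1), cache.check(vm2), cache.check(vm1)]
        after_identical = cache.scans_run       # one scan served three checks
        with open(vm2, "ab") as fh:             # the file changes on one guest
            fh.write(b" CONSTRUCTED-TEST-MARKER")
        results.append(cache.check(vm2))        # changed content is scanned again
        after_change = cache.scans_run
        cache.update_signatures(2)
        results.append(cache.check(vm1))        # re-scanned under new signatures
        after_update = cache.scans_run
    return results, (after_identical, after_change, after_update)
```

Hashing every file still costs a read, but it is far cheaper than a full scan and lets identical files on many guests share one verdict.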
4) The difficulties with compliance
Compliance in the hybrid cloud is particularly thorny: in short, your compliance policies for your private cloud and public cloud provider have to match. Even the way they communicate must be compliant. The issue is significant enough that 38% of companies in a survey by the Cloud Security Alliance said that a major barrier to cloud adoption is their concern about regulatory compliance.
As a starting point, centralize all governance related to cloud deployments in IT, which can ensure consistent compliance policies across both public and private clouds. Individual departments and shadow IT simply can’t handle it.
Raise any industry-specific compliance issues such as HIPAA with public cloud providers before any contracts are signed. Any prospective cloud providers should detail exactly how they handle those and other compliance issues, and show that their handling matches the enterprise’s rules and approach.
Finally, delve into the ways your public and private clouds communicate, and ensure they meet privacy, security, and other governance regulations.
5) Take care with your SLA
Crafting SLAs for the hybrid cloud can be extremely complex. You’ll need to make sure that your public-cloud SLAs spell out specific data protection and security features and guarantees. But that’s just a first step. You’ll also need to ensure that your private-cloud SLA matches the public one, and that both are in line with your business needs.
Start by tracking your private cloud's availability and performance, and then evaluate what kind of security issues might arise when integrating with the public cloud. If you are required to keep confidential data on-premises in your private cloud, for example, make sure your SLA details that you won’t be using that data in the public cloud.
Closely review all the terms and conditions—don’t breeze by the legalese and fine print. This is particularly important because there are few standards and benchmarks for SLAs in the cloud, according to a study from Nova Southeastern University.
Pay attention to security clauses, such as who has access to your data, whether the provider outsources data storage, how data is deleted, and whether certifications and third-party audits will be performed. Also important is how privacy is handled: what data will be collected about your organization, and what steps will be taken to keep it private. Find out how the data will be used, and how long it will be retained. And look for operational details such as backup frequency, recovery time from failure, and the provider’s database and storage architecture redundancy model.
If you follow all five of these steps, you’ll be well on your way to making sure that your hybrid cloud is as secure as possible.