Hybrid clouds enable companies to use the most appropriate cloud technology – public or private – for each application they support. As such, hybrid cloud presents an opportunity to dramatically improve the delivery of IT services while keeping costs under control.
To take full advantage of this opportunity, however, companies need to put proper security policies in place to ensure their data and other digital assets remain protected, regardless of where they live. Here are three core principles for developing sound security policies that accommodate hybrid cloud environments.
1. Contain shadow IT
Across your organization, groups outside of IT are very likely signing on for cloud services without IT’s knowledge. In one recent study, just 8% of companies claimed to know the scope of these “shadow IT” activities at their organization. This trend is perhaps the biggest security threat that the cloud models present. If the service falls outside of the traditional IT identity and access management (IAM) system and policies, for example, company data may be at risk.
The early response to this trend was to lock down on unauthorized cloud purchase and mandate that no group other than IT can sign on for any cloud service. But the ease in which business users can procure and deploy new cloud services makes it difficult to enforce such a strict approach. While IT doesn’t want to be seen as the “no can do” department, it’s critical for IT to ensure that SaaS applications and other cloud services are properly secured. This requires IT to build strong bridges with various business departments, to get them on board with the idea that strong security is good for the company.
The most realistic policy is one that requires IT to vet all services before purchase. IT can aid this process by providing a list of sanctioned cloud services. Among other security benefits, this enables IT to incorporate SaaS applications into the enterprise IAM solution. IAM integration is crucial because it presents a single, centralized point of control over application and data access. It also benefits users of the application by letting them use familiar sign-on routines for new cloud applications. (For more on using IAM to prevent unauthorized access to cloud applications and data, see 5 Steps for Enhanced Security of Applications in the Cloud.)
2. Apply consistent monitoring and logging
Companies routinely monitor their own environments for suspicious activity and keep detailed logs of all events. The same sort of monitoring and control should extend to public cloud environments.
Consider the Intel IT group. We have a security business intelligence (SBI) platform that we use as the focal point for logging, monitoring, alerting, and responding to security violations. Cloud-based applications are no exception. We collect logs and alerts from our cloud providers and feed them into the SBI platform, where they are correlated and monitored for anomaly detection alongside data from all other applications.
With this approach, we can detect when a user uploads or downloads an unusual amount of data, for example, or logs in from two different locations in a timeframe that would be unrealistic or impossible. Either instance would be an indication of suspicious activity that should result in an alert to the security team.
3. Secure all new virtual machines
The speed at which users can spin up new virtual machines is a major benefit of private or public cloud models. But that same benefit can make it difficult to ensure the growing number of VMs are properly protected.
It’s good policy, then, to use preconfigured templates for new VMs to help mitigate risks. These templates should take into account issues such as how data is protected as its moves to and from your data center and a cloud provider. Your templates should also address compliance issues around where, geographically, certain private data can legally be stored – an especially thorny issue for global companies that must adhere to the EU-U.S. Privacy Shield framework.
Automated workload-provisioning systems can help with the process, ensuring appropriate security policies are applied to each new VM by taking into account the type of data it will be handling.
Don’t let security be a stumbling block to your organization’s desire to capture the benefits of hybrid cloud technology. And don’t be afraid to push your cloud providers to give you the security policies you need to protect yourself.
To learn more about how Intel IT addresses security for SaaS environments, download our free white paper, “SaaS Security Best Practices: Minimizing Risk in the Cloud.”