Vice President, Intel Security Group Chief Technical Strategist

6 Tips for Increasing the Portability of Your Hybrid Cloud Security Strategy

May 24, 2016 | 4 mins

The prices and services that cloud infrastructure providers offer change so often that you may be doing yourself a disservice by tying your hybrid cloud to one particular vendor. We’re even starting to see services emerge that shift workloads transparently between cloud providers to give customers the best deal.

Security should be a high priority in any scenario, however, and strategies for hybrid cloud environments must take into account the potential for frequent movement of data between public clouds as well as between public and private clouds. Here are six factors to consider to ensure that your security strategy is portable across all services and service providers.

1. Sweat the SLAs

Specify to any prospective cloud provider what levels of security you need for the assets you’re moving into a public cloud and any restrictions you require regarding how data is stored, backed up, and encrypted. Among the factors to include in a service level agreement (SLA) are data privacy, data flow, data storage, the physical location of data, and the type of encryption used. Cloud providers generally have their own tools and standards in each of these areas, so focus on the desired outcomes rather than technologies.

In regulated industries, specify which compliance standards must be observed and what reporting is required. Be sure your cloud provider is aware of compliance deadlines. For example, some regulations require records to be made available with as little as 24 hours’ notice.

The more provable or measurable your SLA is, the less likely you are to have to re-craft it when moving to a cloud provider with different procedures or tools.

2. Practice good data governance

Prior to engaging a cloud provider, classify your data according to what must be kept within the private cloud and what can be safely moved to the public cloud so that your most critical data is under your control.

If budget permits, replicate data from the cloud data store to your own site or to a trusted third party so that the risk of data loss is minimal.

3. Secure communications

Many cloud services use the public Internet by default to transmit data. This practice is inherently insecure. Use a virtual private network (VPN) to maintain a secure and controlled “tunnel” between your private cloud and the public infrastructure provider.

Be aware that additional costs and limitations may be involved. For example, it’s important to understand whether a cloud provider supports only a limited set of gateway devices or a specific encryption-in-transit method. Use devices and protocols that are supported across all the platforms you may want to use.

4. Use strong authentication

Simple password protection is insufficient for working with sensitive data. There are many superior alternatives, such as biometric authentication, one-time password (OTP) tokens, and two-factor authentication. Be sure any prospective cloud provider supports your preferred method.

Another option is to use your internal authentication system, such as Microsoft Active Directory or LDAP, to log in to cloud services. Directory-based authentication makes it easy to switch between cloud services without resetting passwords or changing procedures, and it also provides audit trails for additional control.

5. Use APIs

Cloud computing has created an explosion of application programming interfaces (APIs), which enable applications to exchange functionality and data in a secure and manageable fashion. (For example, APIs are what let a weather app on your smartphone fetch the current temperature without loading the full website.) Using APIs, administrators can specify what data is available to whom, at what times, and under what conditions.

Because APIs provide a standardized mechanism for exchanging data, applications built on them can be ported easily between cloud platforms. And by exposing APIs rather than program code, your applications are not only more portable but also more secure.

It’s important, therefore, to specify which APIs you need your cloud provider to support before signing a contract.
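The "to whom, at what times, under what conditions" point lends itself to a worked example. The Python below is added here and is not code from the original article; it assumes an API gateway that evaluates a deny-by-default policy before forwarding a request, with an explicit deny overriding any allow. The roles, paths, hours and networks in EXAMPLE_POLICY are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    effect: str                                        # "allow" or "deny"
    roles: List[str]                                   # to whom
    resources: List[str]                               # what data: path prefixes such as "/v1/reports/"
    actions: List[str]                                 # e.g. "read", "write"
    hours: Optional[Tuple[time, time]] = None          # at what times: window [start, end)
    networks: List[str] = field(default_factory=list)  # under what conditions: allowed source CIDRs


@dataclass
class Request:
    role: str
    resource: str
    action: str
    at: datetime
    source_ip: str


def rule_matches(rule: Rule, req: Request) -> bool:
    """True only when every constraint on the rule is satisfied by the request."""
    if req.role not in rule.roles:
        return False
    if not any(req.resource.startswith(prefix) for prefix in rule.resources):
        return False
    if req.action not in rule.actions:
        return False
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= req.at.time() < end):
            return False
    if rule.networks and not any(ip_address(req.source_ip) in ip_network(cidr) for cidr in rule.networks):
        return False
    return True


def authorize(policy: List[Rule], req: Request) -> bool:
    """Deny by default; a matching deny overrides any matching allow."""
    allowed = False
    for rule in policy:
        if rule_matches(rule, req):
            if rule.effect == "deny":
                return False
            allowed = True
    return allowed


# Constructed sample policy: names, paths and networks are illustrative, not from any real deployment.
EXAMPLE_POLICY = [
    # analysts may read reports during business hours, only from the corporate network
    Rule("allow", ["analyst"], ["/v1/reports/"], ["read"],
         hours=(time(8, 0), time(18, 0)), networks=["10.0.0.0/8"]),
    # admins may read and write anything under /v1/
    Rule("allow", ["admin"], ["/v1/"], ["read", "write"]),
    # nobody writes to the archive, admins included
    Rule("deny", ["analyst", "admin"], ["/v1/reports/archive/"], ["write"]),
]


def check(role: str, resource: str, action: str, when: str, source_ip: str) -> bool:
    """Convenience wrapper; `when` is an ISO-8601 timestamp such as "2016-05-24T10:00:00"."""
    req = Request(role, resource, action, datetime.fromisoformat(when), source_ip)
    return authorize(EXAMPLE_POLICY, req)


if __name__ == "__main__":
    print(check("analyst", "/v1/reports/q1", "read", "2016-05-24T10:00:00", "10.1.2.3"))   # True
    print(check("analyst", "/v1/reports/q1", "read", "2016-05-24T20:00:00", "10.1.2.3"))   # False
```

Because the policy is data rather than provider-specific configuration, the same rules can be loaded into whichever gateway fronts the APIs on the next platform; that is the portability argument the section makes, applied to authorization.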

6. Hold onto the keys

Sensitive data should be encrypted at all times, both while at rest and in motion between your data center and the cloud. This is true even if you use a VPN. Be sure your cloud provider supports your encryption protocol of choice. And in all cases, make sure the keys are kept in your possession, not in the hands of the service provider.
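As an added example (not from the original article or its author), the Python below shows what "hold onto the keys" looks like in code: a key store that stays on your side encrypts each object before upload, the provider only ever stores an envelope of key id, nonce, ciphertext and authentication tag, and moving the object to another provider copies the envelope without re-encryption or any key transfer. The cipher is HMAC-SHA256 used as a PRF in counter mode with a separate HMAC tag, a stand-in chosen so the example needs only the standard library; a real deployment would use AES-GCM from a vetted library. Key ids, object names and the sample record are constructed, and the class names are the example's own.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict

Envelope = Dict[str, bytes]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode. Stand-in for AES-CTR so the example runs with
    the standard library alone; use AES-GCM from a vetted library in production."""
    blocks = bytearray()
    block_index = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">Q", block_index), hashlib.sha256).digest()
        block_index += 1
    return bytes(blocks[:length])


def _subkey(master_key: bytes, purpose: bytes) -> bytes:
    """Derive separate encryption and authentication keys from one master key."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


class CustomerKeyStore:
    """Runs on-premises (or in an HSM/KMS you control). Master keys are created and used here
    and are never part of anything handed to a cloud provider."""

    def __init__(self) -> None:
        self._master_keys: Dict[str, bytes] = {}

    def create_key(self, key_id: str) -> None:
        self._master_keys[key_id] = os.urandom(32)

    def encrypt(self, key_id: str, plaintext: bytes) -> Envelope:
        master = self._master_keys[key_id]
        nonce = os.urandom(16)
        stream = _keystream(_subkey(master, b"encrypt"), nonce, len(plaintext))
        ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
        # Encrypt-then-MAC over everything the provider will store, so tampering is detected.
        tag = hmac.new(_subkey(master, b"authenticate"),
                       key_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
        return {"key_id": key_id.encode(), "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

    def decrypt(self, env: Envelope) -> bytes:
        key_id = env["key_id"].decode()
        if key_id not in self._master_keys:
            raise ValueError("no such key: this party does not hold the key")
        master = self._master_keys[key_id]
        expected = hmac.new(_subkey(master, b"authenticate"),
                            env["key_id"] + env["nonce"] + env["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, env["tag"]):
            raise ValueError("authentication failed: wrong key or tampered data")
        stream = _keystream(_subkey(master, b"encrypt"), env["nonce"], len(env["ciphertext"]))
        return bytes(c ^ s for c, s in zip(env["ciphertext"], stream))


class CloudObjectStore:
    """Stands in for any provider's object storage: it only ever receives envelopes."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._objects: Dict[str, Envelope] = {}

    def put(self, obj_name: str, env: Envelope) -> None:
        self._objects[obj_name] = dict(env)

    def get(self, obj_name: str) -> Envelope:
        return dict(self._objects[obj_name])


def migrate(src: CloudObjectStore, dst: CloudObjectStore, obj_name: str) -> None:
    """Moving between providers copies the envelope as-is: no re-encryption, no key transfer."""
    dst.put(obj_name, src.get(obj_name))


def demo() -> bytes:
    """Encrypt on-premises, store at provider A, migrate to provider B, decrypt on-premises."""
    keys = CustomerKeyStore()
    keys.create_key("customer-records-2016")           # constructed key id
    provider_a, provider_b = CloudObjectStore("provider-a"), CloudObjectStore("provider-b")
    record = b"account=4711;balance=1200.00"           # constructed sample plaintext
    provider_a.put("records/4711", keys.encrypt("customer-records-2016", record))
    migrate(provider_a, provider_b, "records/4711")
    return keys.decrypt(provider_b.get("records/4711"))


if __name__ == "__main__":
    print(demo())
```

The provider, or anyone holding only the envelope, cannot produce the plaintext: a party without the key, or with a different key under the same id, fails the tag check before any decryption happens, and so does a modified envelope. That is what makes the VPN in section 3 a complement to encryption rather than a substitute for it.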

Cloud computing provides a wide variety of options for the types of cloud services as well as the providers that sell them. Make sure security doesn’t hold you back from choosing the best one for your needs.


Scott A. Montgomery is vice president and chief technical strategist for the Intel Security Group at Intel Corporation. He manages the worldwide team of chief technology officers who lead the group’s various business units and is responsible for advancing technical innovation in Intel’s security solutions. Montgomery has dedicated his career to information security and privacy software development, gaining a breadth of expertise that spans endpoint protection, firewalls, intrusion prevention, encryption, vulnerability scanners, network visibility tools, mail and Web gateways, authentication, and embedded systems. He joined the Intel organization in 2011 with the acquisition of McAfee Inc., now a wholly owned subsidiary that operates as the Intel Security Group. Before assuming his current position in 2015, Montgomery was chief technology officer for McAfee’s public sector and Americas business units. He oversaw worldwide government certification efforts and worked with industry leaders, government leaders and public sector customers to help ensure that technologies, standards and implementations addressed data security and privacy challenges. His efforts helped drive government and cybersecurity requirements into McAfee products and services and guided the company’s policy strategy for the public sector, critical infrastructure and threat intelligence. Earlier in his career, Montgomery spent six years at Secure Computing Corporation (acquired by McAfee in 2008), where he was responsible for worldwide product management and corporate strategy. He attended Syracuse University.
