• United States



Vice President and General Manager of the Intel Security Group Professional Services

3 Tips for Extending Security Policies across a Hybrid Cloud Environment

Jul 06, 20164 mins

Hybrid clouds enable companies to use the most appropriate cloud technology – public or private – for each application they support. As such, hybrid cloud presents an opportunity to dramatically improve the delivery of IT services while keeping costs under control.

To take full advantage of this opportunity, however, companies need to put proper security policies in place to ensure their data and other digital assets remain protected, regardless of where they live. Here are three core principles for developing sound security policies that accommodate hybrid cloud environments.

1. Contain shadow IT

Across your organization, groups outside of IT are very likely signing on for cloud services without IT’s knowledge. , just 8% of companies claimed to know the scope of these “shadow IT” activities at their organization. This trend is perhaps the biggest security threat that the cloud models present. If the service falls outside of the traditional IT identity and access management (IAM) system and policies, for example, company data may be at risk.

The early response to this trend was to lock down on unauthorized cloud purchase and mandate that no group other than IT can sign on for any cloud service. But the ease in which business users can procure and deploy new cloud services makes it difficult to enforce such a strict approach. While IT doesn’t want to be seen as the “no can do” department, it’s critical for IT to ensure that SaaS applications and other cloud services are properly secured. This requires IT to build strong bridges with various business departments, to get them on board with the idea that strong security is good for the company.

The most realistic policy is one that requires IT to vet all services before purchase. IT can aid this process by providing a list of sanctioned cloud services. Among other security benefits, this enables IT to incorporate SaaS applications into the enterprise IAM solution. IAM integration is crucial because it presents a single, centralized point of control over application and data access. It also benefits users of the application by letting them use familiar sign-on routines for new cloud applications. (For more on using IAM to prevent unauthorized access to cloud applications and data, see 5 Steps for Enhanced Security of Applications in the Cloud.)

2. Apply consistent monitoring and logging

Companies routinely monitor their own environments for suspicious activity and keep detailed logs of all events. The same sort of monitoring and control should extend to public cloud environments.

Consider the Intel IT group. We have a security business intelligence (SBI) platform that we use as the focal point for logging, monitoring, alerting, and responding to security violations. Cloud-based applications are no exception. We collect logs and alerts from our cloud providers and feed them into the SBI platform, where they are correlated and monitored for anomaly detection alongside data from all other applications. 

With this approach, we can detect when a user uploads or downloads an unusual amount of data, for example, or logs in from two different locations in a timeframe that would be unrealistic or impossible. Either instance would be an indication of suspicious activity that should result in an alert to the security team.

3. Secure all new virtual machines

The speed at which users can spin up new virtual machines is a major benefit of private or public cloud models. But that same benefit can make it difficult to ensure the growing number of VMs are properly protected.

It’s good policy, then, to use preconfigured templates for new VMs to help mitigate risks. These templates should take into account issues such as how data is protected as its moves to and from your data center and a cloud provider. Your templates should also address compliance issues around where, geographically, certain private data can legally be stored – an especially thorny issue for global companies that must adhere to the EU-U.S. Privacy Shield framework.

Automated workload-provisioning systems can help with the process, ensuring appropriate security policies are applied to each new VM by taking into account the type of data it will be handling.

Don’t let security be a stumbling block to your organization’s desire to capture the benefits of hybrid cloud technology. And don’t be afraid to push your cloud providers to give you the security policies you need to protect yourself.

To learn more about how Intel IT addresses security for SaaS environments, download our free white paper, “SaaS Security Best Practices: Minimizing Risk in the Cloud.”


Vice President and General Manager of the Intel Security Group Professional Services

Patty Hatter is vice president and general manager of the Intel Security Group Professional Services organization at Intel Corporation. She recently transitioned from the role of Intel Security CIO, and prior to that was the vice president of Operations and CIO at McAfee. She has overall responsibility for leading the professional services organization and expanding Intel Security’s consulting, managed services, deployment and training services. Patty has more than 25 years of experience leading operations and technology organizations at several Fortune 500 companies. She joined the Intel organization in 2011 with the acquisition of McAfee Inc., now a wholly owned subsidiary that operates as the Intel Security Group. As vice president of operations and CIO at McAfee, Patty orchestrated a global transformation of IT and operations, turning the team into an asset that supported the broader enterprise-wide cost savings and revenue growth initiatives across McAfee. Before joining McAfee in 2010, Patty was vice president of business operations at Cisco Systems Inc. She was responsible for improving integration between Cisco’s processes and systems, with the company’s sales channels. Earlier in her six-year tenure at Cisco, Patty led a transformation of the company’s global processes and systems infrastructure that contributed to growth, scalability and revenue. She started her career at AT&T Inc., where she spent 15 years holding various leadership roles in strategic planning, business development and professional services within the United States and Europe. Patty earned bachelor’s and master’s degrees in mechanical engineering from Carnegie Mellon University. She currently holds multiple advisory board positions, and is also a board member for the Silicon Valley Education Foundation.

More from this author