3 Must-Haves for Hybrid Cloud Security

Companies across industries are rushing to move applications and workloads to hybrid cloud platforms, but many customers still don’t fully understand the security responsibilities they face as they commingle public cloud, private cloud, and on-premise environments.

A common mistake is assuming that just because your company is working with AWS, Azure, or another cloud provider, it doesn’t mean those providers will secure your data by default. Instead, customers must move to a “shared responsibility” security model with their cloud service providers.

This approach is increasingly important as cloud deployments become more common – and more complex. Companies are moving more sensitive data to the cloud, making it imperative to keep cloud providers in sync with their own data-management policies.  About one-third of finance, operations, sales, and customer service functions are now in the cloud, according to a PwC survey of 10,000 C-level executives.  Half of all IT services will be delivered via cloud service providers in 2018, according to the latest Global State of Information Security Survey from PwC, CSO and CIO.

Hybrid cloud deployments require a holistic security approach, where managers assess how data is stored and shared and how it moves across different environments. It almost goes without saying: If you’re going to put PII (personally identifiable information) in the cloud, you need solid security. The global regulatory environment demands this, with new laws such as the European Union’s General Data Protection Regulation (GDPR), which will be enforced beginning in May, adding greater urgency to the protection of PII.

Given the risks, here are three basic best practices for securing your hybrid cloud environment:

Double-check configurations. Recognize that the biggest security risks are usually around configuration management.  The basic question to ask is: Will server X be open to the Internet? That sounds simple enough, but confirming configurations across all hybrid cloud deployments can reveal servers directly exposed and perhaps in need of intrusion detection. Also ask: Are the servers configurable and up to date for patching?

Lock down access. It is crucial to keep on top of who has proper access credentials. Consider this: Security firm RedLock reported in February that hackers found poorly secured access credentials and breached a Tesla cloud to run cryptocurrency-mining software. The hackers infiltrated Tesla’s Kubernetes console – which wasn’t password protected – and then found access credentials to Tesla’s AWS cloud containing an S3 storage bucket.

To avoid a similar problem, RedLock advised that companies employ configuration monitoring. In a shared-responsibility model, this work can be done by the cloud vendor or the customer, but each party needs to check the other. If your company allows DevOps teams to deploy apps to production without security oversight, then make sure you have tools in place to automatically discover new resources (and apps) as soon as they are created.

Demand visibility across platforms. Make sure you know what data, apps, and workloads are in the public cloud, private clouds, and on premises, along with who has access to what. That’s the only way you can make policies that are consistent for any process.

A good way to gain hybrid cloud visibility is with a cloud access security broker (CASB). Gartner predicts 60% of large companies will use CASB services by 2020. CASBs offer visibility into cloud usage and the people who access the data. They offer data security through policies and sometimes encryption key management.  Some also offer threat protection and compliance tracking services.

Online resources are readily available for the shared responsibility model at AWS and Azure.

Find out how AT&T managed security services helps to protect your hybrid cloud strategy.

Matt Hamblen is a multi-media journalist covering mobile, networking and smart city tech. He previously was a senior editor at Computerworld.