Certainly, the hybrid cloud infrastructure has a lot of promise and offers plenty of benefits. With a hybrid cloud, business-critical data and applications are typically hosted in private clouds. Less-critical business data is hosted in public clouds, where many companies’ data can be safely and securely stored. Public clouds cut infrastructure costs, while private clouds allow companies to maintain their grip on their most important data and application assets. It’s a good balance.
In the past, firewalls and security hardware were standard components for IT system security in corporate data centers. But data center tools don’t completely meet the requirements of hybrid clouds. You need security tools and methods designed to keep pace with the cloud’s portability and its support for moving data anywhere, anytime.
“Normally you think of security as being in house,” says Simon Leech, chief technologist for Hewlett Packard Enterprise’s digital solutions and transformation team. “But when you move some operations to the cloud, you need a larger view of security.”
Let’s begin with an outline of the general concepts that relate particularly to hybrid cloud security, including the specific security measures required by private and public clouds and the overarching importance of maintaining responsibility for your company’s data, even when someone else is hosting your cloud.
What to avoid: a real-life cloud security nightmare
Those needs are real, but so are the risks and worries that give IT leaders heartburn.
How serious are the risks of data breaches and attacks in the cloud?
You could ask the IT leaders who ran Code Spaces, an online code hosting service that was permanently shuttered in June 2014 after a massive distributed denial-of-service attack on its cloud account, which was hosted by Amazon Web Services (AWS). The damage to the Code Spaces cloud occurred after an attacker invaded and accessed the company’s AWS account and then deleted most of the coding projects that were being hosted for customers, as well as all of the virtual machines that held the data.
The damage to the company and its reputation occurred in 12 hours, and then it was gone. Code Spaces had touted its data backup processes to customers, but in the end, nothing worked as planned, and the company was out of business.
This Code Spaces case is a prime example of why companies must approach hybrid cloud security with a vengeance, using all the tools and techniques available. It’s not an impossible job. It just takes new approaches, clear thinking, proper preparations, and an open mind about doing things differently compared with previous data center protections.
Start by planning your hybrid cloud IT needs and strategy
Ultimately, for IT leaders, when it comes to placing parts of your operations into hybrid clouds, it’s about completely understanding your company’s data security risks and protections in all phases of the process, says Leech.
“You need to think carefully about your cloud structure because if you don’t, someone else will,” says Leech. “You can outsource the cloud service, but you can never outsource the risk.”
You can have hybrid clouds with as much security and as little risk as possible, but it takes planning, says Leech. Among the key issues to consider are threat awareness, choosing the correct cloud platform, and conducting due diligence in choosing partners and cloud service providers. It is also critical to ensure that your hybrid cloud processes meet regulatory compliance requirements. That means implementing and maintaining data encryption processes that protect confidential and personally identifiable information without impacting business applications and processes.
Security’s no afterthought
“The security team is going to have a better handle on what the threats will be and how to avert those threats,” says Leech. That also means bringing in your application developers and your data people, he adds.
“In the past, it’s very often been thought of as an afterthought,” he says. “Everyone else was in the room except for the security people. I’ve seen so many projects where they put together a plan and a week before deployment they say, ‘Let’s give security a look.’ Those people then have a list of security checks that delay the launch. So the next time, no one asks the security team because they don’t want delays.”
But it doesn’t have to be that way, explains Leech: “By getting security involved right away, it may take you more time. But the trade-off is you get higher quality code that prevents many problems in the first place.”
Your mandate: Always be thinking about cloud security risks
“Employees are already doing this, but IT may not know about it,” says Leech. Setting up a cloud server on AWS can be faster and easier than having the IT department set one up, which encourages non-IT employees to bypass corporate hoops.
Don’t imagine your company is immune. For instance, a large consumer goods company used diagnostic tools in the process of evaluating its own cloud strategy. It found 1,400 instances of people using cloud offerings through its network without company approval, says Leech.
The concerns about these unauthorized users are real: They can endanger their company data and operations.
“These are the kinds of risks that the IT executive has to think about with the cloud,” says Leech. Doing so requires new design thinking, including process improvements to encourage developers to build better security into their applications, and itemizing data protection and data encryption needs in hybrid cloud infrastructures.
Risky business: Lessons for leaders
- Identify what can be hosted in the cloud—and what should not.
- Beware of shadow IT, where employees go around corporate policies (and thus proper security procedures) and host unsanctioned applications and data in the cloud.
- Security professionals should be at the table from the beginning of the conversation about cloud migration.