3 must-haves for hybrid cloud security
When considering hybrid cloud solutions, security concerns increase the urgency to do it right, not just quickly
Companies across industries are rushing to move applications and workloads to hybrid cloud platforms, but many customers still don’t fully understand the security responsibilities they face as they commingle public cloud, private cloud, and on-premises environments.
A common mistake is to assume that because your company is working with a major cloud infrastructure provider, your data will be secured by default. The reality is that companies must adopt a “shared responsibility” security model with their cloud service providers.
This approach is increasingly important as cloud deployments become more common – and more complex. Companies are moving more sensitive data to the cloud, making it imperative to keep cloud providers in sync with their own data-management policies.
About one-third of finance, operations, sales, and customer service functions are now in the cloud, according to a PwC survey of 10,000 C-level executives. Half of all IT services will be delivered via cloud service providers in 2018, according to the latest Global State of Information Security Survey from PwC, CSO and CIO.
Hybrid cloud deployments require a holistic security approach, where managers assess how data is stored and shared and how it moves across different environments. It almost goes without saying: If you’re going to put PII (personally identifiable information) in the cloud, you need solid security.
The global regulatory environment demands this, with new laws such as the European Union’s General Data Protection Regulation (GDPR), which will be enforced beginning in May, adding greater urgency to the protection of PII.
Given the challenges, here are three basic best practices that will help you enhance the security of your hybrid cloud environment:
1. Double-check configurations
Recognize that some of the biggest security risks are usually around configuration management.
The basic question to ask is: Will server X be open to the Internet? That sounds simple enough, but confirming configurations across all hybrid cloud deployments can reveal servers directly exposed and perhaps in need of intrusion detection. Also ask: Are the servers configurable and up to date for patching?
2. Lock down access
It is crucial to keep on top of who has proper access credentials.
Consider this: Security firm RedLock reported in February that hackers found poorly secured access credentials and breached a Tesla cloud to run cryptocurrency-mining software. The hackers infiltrated Tesla’s Kubernetes console – which wasn’t password protected – and then found access credentials to Tesla’s AWS cloud containing an S3 storage bucket.
To avoid a similar problem, RedLock advised that companies employ configuration monitoring. In a shared-responsibility model, this work can be done by the cloud vendor or the customer, but each party needs to check the other. If your company allows DevOps teams to deploy apps to production without security oversight, then make sure you have tools in place to automatically discover new resources (and apps) as soon as they are created.
3. Demand visibility across platforms
Make sure you know what data, apps, and workloads are in the public cloud, private clouds, and on premises, along with who has access to what. That’s the only way you can make policies that are consistent for any process.
A good way to gain hybrid cloud visibility is with a cloud access security broker (CASB).
Gartner predicts 60% of large companies will use CASB services by 2020. CASBs offer improved visibility into cloud usage and the people who access the data. They can offer data security through policies and sometimes encryption key management. Some also offer threat protection and compliance tracking services.
Matt Hamblen is a multi-media journalist covering mobile, networking and smart city tech. He previously was a senior editor at Computerworld. All opinions are his own. AT&T has sponsored this blog post.