Information security strategy for the hybrid and multi-cloud
Cloud computing is omnipresent, and most organizations are opting for a model that combines several types of cloud infrastructure: private and public cloud (known as hybrid cloud) or public clouds from several different vendors (known as multi-cloud).
Cloud security is complex and is made even more complex by combining different types of cloud systems. This article explains some of the challenges and key considerations for achieving security in hybrid or multi-cloud environments.
Multi-cloud versus hybrid cloud
Let’s touch on the differences between a multi-cloud strategy and a hybrid cloud strategy.
In a multi-cloud environment, enterprises use a variety of public cloud services from different providers. Many organizations discover they can use different clouds for different tasks to get the best results, cut costs and reduce dependence on each individual provider.
For example, sales and marketing departments have different needs from research and development departments, and these needs may be best met by different cloud solutions.
In a hybrid cloud environment, on the other hand, organizations combine public and private clouds for the same purpose. Integrating public and private cloud infrastructure provides several benefits, including:
- Storing sensitive data on-premises for security or compliance purposes, while enjoying the benefits of the public cloud for less sensitive data
- Leveraging existing investments in on-premises infrastructure, while having the flexibility to add capacity when necessary using the public cloud (cloud bursting)
- Moving workloads from a local data center to the public cloud or back to the data center, based on cost and operational considerations
Hybrid cloud and multi-cloud security challenges
Here are some of the key challenges facing teams who are responsible for securing hybrid cloud and multi-cloud environments.
Confidential data can be compromised in a variety of ways. When business-critical data is exfiltrated, corrupted or completely lost, it can be catastrophic to a business. In a hybrid cloud storage environment, even the most secure private data stored on-premises is at constant risk of being shared with public cloud resources.
Thus, companies using the hybrid cloud computing model need to be very careful when evaluating local security policies, security safeguards in the integration between public and private clouds and implementing consistent security measures for private and public cloud systems.
Even the best security measures cannot prevent human error. A recent study by Egress Research shows that 78% of security leaders believe their employees have accidentally put data at risk. From emails containing sensitive data sent to the wrong person to employees accessing data on unsecured devices, there are many opportunities for people to unknowingly put corporate systems at risk. This is why a main focus of cloud security should be on educating both users and administrators of cloud systems about security concerns.
Multiple storage systems
Storage is always complex — even more so in hybrid cloud and multi-cloud deployments, where several storage systems using different technologies and protocols need to work together. When there is interoperability between multiple storage systems, managing encryption and sharing private keys is just as important as managing the storage solution itself.
Lack of automation
Hybrid and multi-cloud security requires complex processes with many different steps, spanning multiple IT environments. Handling these processes manually is error-prone and a huge burden on IT and security staff. Automation can be a big help, ensuring processes run as expected across all the relevant systems, eliminating human error and saving time.
However, according to a FireMon survey, over 33% of respondents said they do not use automated processes to manage security. Only a third use a mix of manual and automated processes.
Other concerning statistics:
- 30% of respondents automate security using built-in tools provided by cloud vendors or their on-premise cloud systems. This is a major problem because these tools generally cannot be integrated or automated with other parts of the hybrid or multi-cloud
- 25% find it difficult to monitor networks across the hybrid or multi-cloud and lack centralized visibility
- 17% say they have too many security and IT tools to maintain
Overburdened, under-funded security teams
In most organizations, there is a shortage of security analysts and other cybersecurity experts. In the same FireMon survey, over 66% of organizations reported they have security teams with ten people or less, and 45% have security teams smaller than five, making it difficult to manage complex environments and effectively respond to threats.
Other important findings:
- 59% of security teams manage hybrid environments, with both on-premises network security and cloud security
- 78% report that cloud computing occupies less than a quarter of their security budget
- 44% say only 10% or less of their security budget is spent on cloud security
- 66% say the transition to DevOps practices had a negative impact on security
Developing a hybrid and multi-cloud security strategy: 8 key considerations
When developing your security strategy for a hybrid or multi-cloud environment, use these considerations:
- Standardize processes in the security operations center (SOC). Having different processes for public and private clouds, or for different public cloud environments, can lead to errors and security gaps. Ensure admins have the same security procedures in each environment. Create formal processes for managing movement of assets from on-premises to cloud environments, to prevent accidental data exposure.
- Adopt automated workflows: Transition towards a DevSecOps organization in which developers, security and operations teams work together to shift security left (earlier in the development cycle). DevSecOps teams can add automated security tests at every stage in the development process. They can also use infrastructure as code (IaC) to automate secure practices when creating and tearing down environments for development, testing and production.
- Focus on monitoring: It is no longer enough to rely on tools from a specific cloud provider or traditional monitoring tools used in the organization. New monitoring strategies must be aware of how and where applications are deployed and should provide a consistent picture of workloads, network traffic and threats across the entire environment. Managing multiple sets of monitoring data makes it much more difficult to identify attacks, and conduct forensic investigation after an attack happens.
- Build a unified Identity and Access Management (IAM) framework: This can help protect systems and data across private and public clouds. It is essential to extend IAM across all cloud systems — a few approaches to achieving this are unified directories and identity federations based on SAML. All cloud systems should have the same users and permissions, and the principle of least privilege should be enforced consistently.
- Prioritize encryption: In a hybrid cloud or multi-cloud model, data is constantly transferred between different data centers. Sensitive data may be stored on a private cloud, but it still needs to be available to public cloud resources — for example, in case of big data analysis. This makes it critical to encrypt data at rest and data in transit, ensuring that if vulnerable public cloud resources are breached, attackers cannot get their hands on the data.
- Establish a business continuity and disaster recovery plan: Ensure you know what to do in case of a disaster, such as disruption of public cloud services or failure in the local data center. It is not enough to backup data, there should also be image-based snapshots of VMs, which you can use to rebuild your infrastructure when necessary. You can leverage public cloud infrastructure to create disaster recovery sites that can be used on demand when disaster strikes.
- Use application hardening: Applications running in hybrid and multi-cloud environments should be hardened against threats and adopt a zero-trust security model. If an application has several components running on different cloud systems, each of them should be protected against known vulnerabilities and should not accept unsecured connections from any other component. This includes hardening and securing API endpoints.
- Don’t forget endpoint security: Just because systems are on the public cloud doesn’t mean endpoints don’t matter. A cloud VM is also an endpoint and is just as vulnerable, if not more, than an on-premises server. Modern endpoint protection solutions like eXtended Detection and Response (XDR) can consistently protect endpoints in the data center, cloud machines and API endpoints and provide unified visibility for security teams.
In this article, I reviewed the nature of a hybrid cloud and multi-cloud environment, covering some of the key risks facing these environments:
- Data leakage in the transition from private to public cloud
- Human error given infrastructure complexity
- Interoperability between storage systems
- Lack of sufficient automation
- Overburdened security teams
Finally, I provided eight points that can help organizations build a robust hybrid and multi-cloud security strategy, including standardized processes, automated workflows, unified monitoring and IAM, encryption, disaster recovery and a strong focus on application and endpoint security, both on and off the cloud.