I recently walked you through a checklist on what CIOs need to know about hybrid cloud—the IT sweet spot that marries in-house and cloud-based infrastructure—and what it could mean to their organizations. With all its versatility and promise, there is no doubt that hybrid clouds are the future for many at the enterprise level. But with all that versatility and promise come a few concerns, namely how to maintain privacy and security while operating partly within a public domain that is, by its very nature, vulnerable to third-party interference. Well, the good news is that maintaining security on a hybrid cloud model is definitely possible, but because it’s also laden with moving parts and many variables, you’ll need to adopt a new way of approaching information security—and we’re not talking about your grandpa’s firewalls.
Well, okay, perimeter-based controls (like firewalls and log management) do still have a place—albeit a small one—when we’re talking about cloud security tools. Just because the hybrid cloud is something new doesn’t mean all your traditional security measures are now obsolete. It’s just that now, instead of standing alone, traditional security measures become pieces in the hybrid cloud security puzzle. And while it can feel confusing, due to the many “right ways of doing things” when it comes to hybrid cloud and security, there is also, happily, some common ground. Let’s break it all down.
Before you Make a Move, Make a Prioritized Plan
Understand that there will be a learning curve as you navigate the duality of hybrid cloud security. So, if you’re just getting started, create a plan hinged on prioritization and held together by boundaries. (It’s important to note here that the best strategies involve starting with security tools native to the cloud and branching outward from there, but use your best judgment when deciding what route to take.) As you begin to move assets, work slowly and start with those that are lower-risk. Do you have some marketing collateral? Most things customer-facing aren’t going to contain anything proprietary, so consider starting there. Oh, and here’s a bonus: save money by not purchasing a new storage area network just to back up non-critical data! Just move it to the cloud instead of keeping it on-premise.
Note that you’ll need to work on data classification to efficiently pinpoint what can enter the cloud (and what you should keep to yourself). This data classification should be visible to all who interact with the information to avoid costly mistakes. In other words, everyone who has the capacity to move a piece of information from private to public should know its classification and understand the implications of improper handling. Thorough communication is key. Also, take a look at your applications—how complex are they and how sensitive is the data within each? Pick out the ones that are the most proprietary and evaluate their placement in your hybrid cloud model.
Separate Workloads to Narrow Down Hybrid Cloud Data Placement
Evaluating application placement—and with that, of course, data placement—within a hybrid cloud model is key to properly protecting your information and assets.
A lot of CIOs think of their company’s IT strategy in terms of separating workloads: The core of your business is what sets you apart and makes you profitable. Build and cultivate those core functions on-premise in the private half of your hybrid cloud model. The other workload, the enterprise workload, contains functional applications like messaging, customer relationship management, and supply chain management—those are the nuts and bolts that keep your company running, and where you can consider using a public cloud provider to round out the other side of your hybrid model.
Fortify Authentication Methods and Embrace Encryption
The login process for those who have secure cloud access should be supported and substantial. To accomplish this, make use of both multifactor authentication (MFA) and single sign-on (SSO) methods. Two URLs are provided here: administrators can log in to a management portal, and general users have another portal with built-in permissions. Many SSO products automate application logins, and some can even specify MFA when better suited. The resulting combination is a system that encourages the setting of workforce security levels that match data accessibility. Plus, you don’t have to count on users to choose individual passwords (and worry about them being weak).
There are additional security fortification steps you can take beyond passwords and login screens. If you’re taking the hybrid cloud road and don’t currently encrypt file transfers and emails, you’ll definitely want to add it to your to-do list for confidential collateral exchanges or other communications. (Think correspondence or file sharing among governing agencies, for example.) For emails, zero-knowledge clients use a shared passphrase that decrypts messages. When it comes to file sharing, some services even offer encryption at all stages of transmission—from standstill to delivery.
Define Who Controls your Virtual Machines and Target Workloads with Virtual Containers
Virtual machines (VMs) are powerful computing tools, and maintaining proper permissions for them is imperative to the safety of your information. To make sure the appropriate people have permissions on and access to only appropriate functions on their VMs, consider using a product that focuses on granular access controls. Use these tools in the cloud or out of it; they’re versatile and necessary additions to your hybrid cloud security plan.
Virtual containers—portable packages containing complete file systems—are so powerful that some have even called for them to replace VMs altogether in cloud environments. Although I don’t think we’re quite there yet, there is a lot of merit to virtual containers as a tool for security in the hybrid cloud. With an additional nod to efficiency, a virtual container allows you to initiate a virtual process or series of processes automatically without having to load the whole VM, reducing both the third-party risk and margin for error.
Be Safe Out There Among the [Hybrid] Clouds.
Information drives us all—the information we have, the information we need, the information we’re seeking. Data is the blood pumping through the veins of the enterprise, and we all want to protect what’s proprietary within our organizations. It’s no wonder, then, that sending our information to the cloud is a big decision for companies and their IT teams. The good thing is that while it requires a leap of faith to get going, with the right measures in place and the use of a combination of public and private cloud where applicable, you can be confident that data and proprietary information are safe and secure.
I hope that, after reading this, you feel better equipped to address hybrid cloud security at work. Tell me . . . if you’ve adopted a hybrid cloud model, how have you addressed privacy and security needs? If you’re on the fence, what are your concerns? I’d love to hear your thoughts.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”
Comments
A hybrid cloud will open many new ways to attack your data. In fact, I would recommend taking a radical (for some) approach to the whole change: “zero trust.”
We still need peripheral security, firewalls etc. to keep unwanted visitors out, but we must realize that there is no such thing as a “private network” with trusted users, devices, servers and safe zones.
The “zero trust” approach supports both legacy systems and your new hybrid cloud solution. You must focus on protecting the actual data at rest and in transit, always encrypted.
Authentication has to be smart and adapt to situations, where transactions out of the ordinary sound alarms as well as add more factors to a multi-factor requirement. For instance, if you log on from a new place or at a time that you usually don’t, you should automatically be required to authenticate with, for instance, a PIN code on your phone or some biometrics.
This might be a large step for your organization, but since you are redesigning your infrastructure the step is smaller now than later. Better now than after that big breach!
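The step-up rule described in the comment above can be sketched as follows. This is an added example, not code from the article or the commenter. The sample history, the one-hour tolerance, the factor names and the rule that two anomalies add a biometric factor are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample history: (user, ISO timestamp, country code of source IP)
HISTORY = [
    ("alice", "2024-03-04T08:55:00", "NO"),
    ("alice", "2024-03-05T09:10:00", "NO"),
    ("alice", "2024-03-06T13:40:00", "NO"),
    ("alice", "2024-03-07T16:20:00", "NO"),
    ("alice", "2024-03-08T09:05:00", "SE"),
]

def build_baseline(history, user):
    """Collect the places and hours of day this user has logged in from."""
    places, hours = set(), Counter()
    for who, ts, place in history:
        if who == user:
            places.add(place)
            hours[datetime.fromisoformat(ts).hour] += 1
    return places, hours

def hour_is_usual(hours, hour, tolerance=1):
    """True if a past login falls within `tolerance` hours (wraps at midnight)."""
    return any(hours[(hour + d) % 24] for d in range(-tolerance, tolerance + 1))

def required_factors(history, user, ts, place):
    """Return (factors, reasons, alert) for one login attempt."""
    places, hours = build_baseline(history, user)
    reasons = []
    if not places:
        reasons.append("no_history")      # nothing to compare against: unusual
    else:
        if place not in places:
            reasons.append("new_place")
        if not hour_is_usual(hours, datetime.fromisoformat(ts).hour):
            reasons.append("unusual_time")
    factors = ["password"]
    if reasons:
        factors.append("phone_pin")       # assumed policy: step up on any anomaly
    if len(reasons) >= 2:
        factors.append("biometric")       # assumed policy: two anomalies, third factor
    return factors, reasons, bool(reasons)  # alert is raised whenever reasons exist

if __name__ == "__main__":
    for ts, place in [("2024-03-11T09:30:00", "NO"), ("2024-03-11T03:15:00", "BR")]:
        print(ts, place, required_factors(HISTORY, "alice", ts, place))
```

In a real deployment the baseline would come from the identity provider's sign-in logs rather than an in-memory list.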