Overcoming Security Challenges in the Hybrid Cloud
Businesses are embracing the flexibility and scalability of hybrid cloud computing, where the public cloud and ancillary dedicated infrastructure converge. IDC predicts that by next year, 80 percent of organizations will be committed to hybrid cloud architectures. But many firms still struggle with cloud security management, with more than half citing security as their greatest challenge. Especially as internal departments outside of IT interact with these platforms, simple mistakes and security knowledge gaps can escalate into more serious issues.
Hybrid cloud platforms don’t introduce new challenges so much as they expose an organization’s existing problems by moving them into a newly architected environment. A security-conscious cloud posture starts with identifying gaps in your current IT processes and harnessing the right mix of internal IT expertise and governance to bridge them, rather than making point-specific decisions to just “move it to the cloud.” Here are a few best practices businesses should have in place as they become more reliant on hybrid cloud platforms:
- Get serious about shadow IT: When line-of-business (LOB) teams work within a hybrid cloud environment without the IT department’s knowledge or support, security vulnerabilities are sure to follow. Given that many employees using these platforms come from non-technical backgrounds, most simply don’t know the potential risks associated with the cloud – let alone understand the distinction between public and private clouds.
Easily accessible, user-friendly interfaces may enable other departments to bring cloud resources into the fold with minimal effort, but a team that drives IT governance must be kept in the loop. This governance isn’t in place to babysit, but to ensure protection without interfering with development or its progress. Without this involvement, basic security measures such as changing default passwords and closing unused ports are often overlooked. While it’s tempting for teams to use a cloud platform without internal IT intervention, business leaders need to emphasize the risks they take in doing so. Organizations also should identify and eliminate obstacles that deter teams from reaching out to IT for project support. Step one in resolving cloud-based security vulnerabilities is achieving full awareness of organizational cloud use, followed by education as a feedback loop to those initiating such use.
- Centralize cloud management: Even when organizations include IT staff in cloud projects, platform management is often poorly defined. Organizations may even have multiple departments forming independent business relationships with the same cloud vendors, creating more security endpoints to manage and increasing the probability that risks go unnoticed. Businesses can't afford to let hybrid cloud management fall to a handful of project managers without security expertise or visibility into how other teams use the tools.
Organizations should treat hybrid cloud similarly to other technology resources: available to any team that needs them, but managed by a central support organization. It's unrealistic to ask every user to educate themselves about how and why they should disable root accounts or enable role-based access controls (RBAC), but businesses already have a proven model for deploying and supporting IT resources internally. There’s no reason to reinvent the wheel with regard to managing a hybrid cloud. Organizations should apply the lessons learned from managing other technologies – especially the security benefits of consolidation under an internal platform expert – to their current endeavors.
- Prioritize data security: When organizations make use of a hybrid cloud environment, they often do so to solve an immediate problem without thought toward how the project will evolve, where data is stored and how it is protected through its evolution. If they have not already, leadership must develop governance policies to guide what safeguards should be applied to their data, especially personally identifiable information (PII). Whenever data is transferred between private and public clouds or across different cloud platforms, IT must understand how that data needs to be encrypted.
IT also requires a stronger understanding and precise documentation of how applications interact with their infrastructure. As hybrid cloud use increases, projects will grow to include not only tech support professionals, but internal developers as well as LOB teams and managers. More complex projects can amplify deficiencies in cloud security, making it especially important for organizations to develop best practices before an incident arises. Application mapping and infrastructure audits help your organization maintain good security hygiene.
Hybrid cloud platforms offer a wealth of opportunities to embrace rapid scalability and greater LOB independence. Unchecked, however, that independence can also become a liability, creating a network of unmanaged and unsecured platforms that place sensitive data at risk. Organizations must work to balance internal teams’ newfound freedom against data security, involving IT throughout the process and developing best practices around how data is transported and secured.
Creating these processes early on also presents scalability benefits for organizations. When security is managed properly from a project’s inception, it is much easier to transfer an application to the public cloud with fewer possible concerns around compliance or liability. To get the most out of their hybrid cloud environments, businesses first need to embrace the mantra: security governance will accelerate business opportunities.
Brett Moss is senior vice president and general manager at Ensono.