Hybrid cloud infrastructure and environments are fast becoming the go-to for many companies
In fact, 39% of businesses are now using hybrid cloud for their business operations and that figure is expected to continue rising in 2021.
A hybrid cloud is an environment that takes advantage of a mixture of on-premise, private cloud, and public cloud services to give businesses more flexibility and choice in how they process information with greater speed and agility through cloud enablement. It can even, when executed properly, improve an organisation’s security posture. Hybrid cloud, for example, enables companies to improve their scalability and control, while also fortifying their security and risk management in order to remain agile and competitive.
However, embracing and adopting a hybrid cloud environment comes with its own set of unique challenges, and requires careful planning and a rethink of security policies and procedures. Proactive cloud security should be at the forefront of every business looking to minimise security risks while making full use of the benefits of hybrid cloud.
Hybrid vs On-Premise
In a traditional IT environment, data and services are hosted on-premise, or a third-party data center. The benefits to traditional IT systems include more control over how data is stored and transferred and the use of technologies with which employees have more training and experience. However, traditional infrastructure often suffers from lack of flexibility to scale up or down (leading to over and under capacity). It is also less flexible if a business’s goals include quickly adding new services that require rapid provisioning of new infrastructure components.
There are three general categories of cloud infrastructures:
Public Cloud infrastructure runs on publicly available commercial services, like Google Cloud, Amazon Web Services, and Microsoft Azure.
A Private Cloud may use similar virtualisation and management technologies such as public cloud platforms but instead runs them from hardware and data-center space controlled by the business itself.
A Hybrid Cloud environment takes advantage of on-premise, private cloud, and public cloud services, providing businesses with the speed and agility of cloud computing as well as the flexibility to keep more sensitive data on-premise.
From a risk management perspective, hybrid cloud shines. Consider the healthcare industry as one example. Healthcare businesses need to collect, maintain, and process a wide range of information. Some of it is personal data (PD) or protected health information (PHI). Regulatory frameworks, such as HIPAA, dictate enhanced data security measures for patient information.
Healthcare organisations also process large amounts of data that is less sensitive than the actual PD/PHI. A hybrid cloud environment gives a healthcare business the infrastructure to handle these different kinds of data: it can keep PD on premises where it has control all the way down to the physical layer, but store and process less sensitive data via more scalable and flexible cloud services.
Hybrid cloud also helps businesses take advantage of their existing infrastructure. Despite the cloud being portrayed so often as a new frontier, the reality is far more gradual than that. After all, as businesses consider cloud technologies, they still have technology in use that they cannot and should not stop using immediately. They have hardware that is still amortising, or they are locked into a data center contract. Hybrid cloud brings the best of both worlds.
For example, consider a business that is incorporating broader data analytics. Hybrid cloud can be the right solution for building and expanding a Hadoop cluster: more sensitive data can be stored and processed on-premises, while the storage and analysis of less sensitive data can happen in the cloud where the business may be able to achieve better performance and broader data visibility. With a thoughtful hybrid cloud plan, businesses can make the most of their existing infrastructure while embracing the speed and nimbleness of the cloud.
Best practices for hybrid cloud security
Though embracing a hybrid cloud environment can be challenging, keeping in mind these best practices can help businesses adopt it as smoothly and securely as possible.
Interoperability and secure configuration
When designing a hybrid cloud plan, a business usually must bring in new platforms and technologies alongside existing ones. This is one of the advantages of a hybrid cloud, being able to reap the benefits of the cloud’s flexibility and scalability while continuing to use existing technologies. However, integrating these parts of a hybrid cloud environment raises important questions of how well cloud platforms work next to the existing solutions and how to configure the system and its components securely.
To confront these challenges, businesses must ask questions about interoperability and security at the beginning of the architecture phase. They need to have people with the right expertise to answer them and help shape their plan. That way, the hybrid cloud strategy can go from concept to execution as smoothly as possible, meeting both business and security goals along the way.
Visibility and automation
As infrastructures scale into the cloud, security monitoring needs to scale with them. At the scale of hybrid cloud, manual procedures for reviewing and contextualising security data become asynchronous, making them ill-suited for identifying anomalies as quickly as necessary to mitigate damages. Hybrid cloud environments benefit greatly from security automation. Applications in production environments need to be configured to produce the relevant logs and security data. A central system needs to be designed to intake that information, process it, and get as close to real-time threat detection and mitigation as possible.
This does not mean less need for expert security analysts. On the contrary, analysts are as crucial as ever for securing a hybrid cloud environment. However, those analysts need to be familiar with both on-premise and cloud technologies, knowledgeable about designing and optimising the scripts behind the automation, and ready to investigate incidents in the hybrid cloud environment.
Data security considerations
A range of data security questions arise in any cloud environment. Modern data security laws, like HIPAA, GDPR, and the California Consumer Privacy Act, put more stringent data protections in place than ever before. Though compliance can be complex, a well-thought-out hybrid cloud plan can help a business rise to the challenge.
Both security best practices and modern data security laws demand encryption of data both at rest and in transit. With some data and services on-premise and others in the cloud, any hybrid cloud plan needs to consider the business’s complex data processing needs. It should also include a design for a secure and available connection between on-premise infrastructure and cloud infrastructure.
Identity and Access Management (IAM) policies also weave in questions of data security, since strong IAM policies ensure that access to information is restricted correctly. Implementing IAM correctly in a hybrid cloud environment requires a broad range of expertise since on-premise and cloud solutions implement IAM differently based on level of control. However, when used correctly, the granular policy options available in cloud solutions can increase data security by more tightly enacting the concept of least privilege.
Data residency is another question that arises in any kind of cloud infrastructure, including hybrid, since which regulations apply to certain data is determined, at least in part, by where that data is located. Hybrid cloud has some advantages in this regard: after all, with on-premise infrastructure as part of a hybrid cloud setup, businesses can keep their most sensitive data where they have the most control over it.
Collaboration is key
Hybrid cloud architecture and security expertise can be difficult to find, and that knowledge is something that even the largest companies do not necessarily have internally. Bringing in a third party with that experience is often a necessity. Experience is only part of the picture, however. Businesses also need to consider a partner’s approach. A hybrid cloud, by nature, is not one-size-fits-all. To succeed in designing and securing hybrid cloud infrastructure, a partner needs to collaborate with the business to know the cloud technologies, know how they can work in concert with existing technology.
Most businesses are using a mix of on-premise and cloud technologies anyway, and a secure hybrid cloud allows companies to make the most of their existing infrastructure while embracing the flexibility and scalability of the cloud. Though there are challenges, it boils down to having the knowledge to identify and implement the right solutions.
About the Author
Altaz Valani is Director of Insights Research at Security Compass. Security Compass, a leading provider of cybersecurity solutions and advisory services, enables organizations to adopt Balanced Development Automation for rapid and secure application development. With their flagship product, SD Elements, the company helps automate significant portions of proactive manual processes for security and compliance that improves time to market for new technology.
Featured image: ©Blackboard