Most organizations today are operating within a hybrid cloud environment, where the IT enterprise is made up of both on-prem hardware and public cloud-hosted services. While the public cloud offers significant advantages that organizations must leverage in order to remain competitive, many legitimate factors keep IT enterprises tethered to legacy on-prem data centers. The challenge for most organizations is ensuring that the business benefits of a cloud transformation aren’t outweighed by the new risks affecting data in the cloud, and/or by the new costs associated with managing both environments.
Yes, there are “orchestration” platforms that help to bridge the divide between on-prem and cloud infrastructure, and organizations should strive to minimize the differences between deploying certain workloads (e.g., application deployments) to on-prem vs. cloud-hosted infrastructure. But most organizations struggle with fundamental issues that make it difficult to efficiently assimilate these two worlds.
The reason for this is simple – what works on prem doesn’t always work in the cloud. The technology is different, the threats are different, the security controls are different, and the skills necessary to design and maintain defensible solutions are different. Your organization may have sound processes and tools for managing on-prem data and infrastructure, but you should not assume that those processes and tools are portable to the cloud in the same way that a virtual machine is.
Navigating Two Completely Different Realms
Hybrid cloud creates security governance challenges for the CIO and CISO. They have to understand the different capabilities and risks that exist within the two (or more) environments and use that understanding to ensure that security requirements are met. Doing so will require leaders to foster tight cooperation between legacy IT staff and cloud SMEs.
In my time working to build secure environments for government agencies and private enterprises, I’ve witnessed the friction between legacy enterprise IT security practices and cloud security best practices. Often, these environments may be largely governed separately, even though they are inextricably linked. As a result, a CISO or CIO might find themselves getting a fragmented answer to important questions like, “Are all of our servers patched?” or “what resources are accessible by this compromised user’s credentials?”
Securing Your Hybrid Cloud Environment
Ultimately, the job of managing the security of cloud or on-prem resources is challenging enough independently. The bigger challenge is creating an overarching security architecture and governance structure for the entire organization that works. Here are four things that CIOs and CISOs need to get right if they’re going to effectively secure a hybrid cloud environment:
- Get control over the inventory of all IT assets.
It’s one thing to be able to identify all of the devices that are plugged into your network and know which ones hold sensitive data; it’s another thing to do the same for virtual instances running in your cloud environment. Being able to identify all resources in the enterprise – whether those are computers, mobile devices, virtual machines, containers, or other more ephemeral things such as sensitive data traversing a mesh of microservices – can be a lot more difficult in a hybrid cloud. While the tools might be different for inventorying physical and virtual resources, it’s essential that IT and Security departments establish a central way to view, track and manage these resources across all environments.
- Managing identities and access, both on-prem and in the cloud.
Every IT organization has at least one database of users and what they’re allowed access to, for example Windows Active Directory. This could work exceptionally well in the on-prem environment, but identities, entitlements, and the associated security controls are very different in the cloud. In a hybrid cloud environment, the organization will have many different types of resources, different types of identities, and different identity stores. It’s critically important for organizations to have a central, authoritative point from which to handle identity and access management across the hybrid environment. Doing this while still adhering to the “principle of least privilege” is one of the biggest challenges to effective and secure cloud transformations. There are of course good tools that make this job a lot easier, but the challenge is for leadership to instill an architecture and the requisite practices to enable identity governance for the enterprise.
- Implement integrated security information and event management.
In a hybrid cloud environment, there can be an overwhelming number of systems and services that produce security event data and alerts. In theory, these alerts and logs should be aggregated into a central location where they can be analyzed and correlated in order to provide threat hunters with a comprehensive view of potential threats to the enterprise. In practice, however, this usually presents some challenges and trade-offs. Sending event data out of the cloud and down to on-prem legacy SIEM is costly, and legacy SIEM may not offer the best features for correlating cloud and on-prem events. Cloud-native SIEM tools are well-suited to monitoring cloud services, and these platforms are able to update features and leverage threat intelligence in ways that on-prem tools can’t. But migrating event data and dashboard content from legacy on-prem to cloud-native SIEM may be impractical. As a result, getting that comprehensive view of activity across all IT resources can be a significant challenge. Regardless of where events are generated, collected, and analyzed, the SOC and Engineering teams will need to have a complete understanding of the enterprise and ensure that relevant data is available to meet security monitoring use cases that span both on-prem and cloud environments.
- Establish effective data protection policy enforcement for on-prem and cloud.
Even if the organization has established effective data governance policies as to who can access what data in what circumstances, the policies need to be enforced and monitored for compliance. The tools and techniques to enforce these policies in the cloud environments are different than for on-prem environments. A successful hybrid cloud deployment requires universal data protection (including encryption, access controls, and backups) across both on-prem and cloud environments.
Addressing each of the four challenges above will be difficult but shouldn’t seem daunting. In fact, there are excellent products and solutions in the marketplace that can help with each of them. But deploying technology solutions won’t necessarily improve the bigger picture of security governance, especially if the solutions aren’t deployed comprehensively and cohesively, or if they can be subverted by weak policy enforcement or rogue IT.
This is why it’s important for organizations to work with trusted partners that have expertise in the hybrid cloud environment and have worked through these issues at the enterprise level. The right partner will help organizations cut through the noise of the security product marketplace, enable the visibility and control needed to manage the hybrid cloud, and help to establish security governance that works across the enterprise.
Cloud Security Solutions
Steve Jones is a cybersecurity executive with over 20 years’ experience in the industry. Steve founded Signal Hill to help solve the largest cyber threat challenges facing government agencies, military organizations, and enterprises in highly regulated industries.