Hybrid Cloud Security fundamentals: 4 things your business needs to know
Security must be a crucial piece of your overall Hybrid Cloud strategy.
23 August 2018
As Cloud adoption continues to build many organisations are looking at Hybrid Cloud – a mix of On-Premise, Private and Public Cloud deployments – as a necessary step towards a more immersed Cloud deployment agenda. In fact, with the likelihood that some workloads will remain On-Premise indefinitely, Hybrid will move to become the standard deployment model sooner rather than later. Hybrid Cloud isn’t the future; it’s the right now.
Adopting Cloud – whichever approach is chosen – is a significant IT change. Security must be a crucial piece of your overall Hybrid Cloud strategy; otherwise new security risks will be introduced without a plan for mitigation. Even - or perhaps, especially - in Hybrid Cloud environments, the security buck stops with you. With the above in mind, let’s look at four key Hybrid Cloud security issues that your business needs to know:
- Embed security from the bottom, from the start: By its nature, a Hybrid requires security management across a variety of infrastructures: On-Premise, Private Cloud, Public Cloud. Practical Hybrid Cloud management will unify these under a single management interface. Organisations should be sure to adopt a similar approach to security, with risks determined and mitigated as part of the design and deployment phase, not tacked on as an afterthought when compromises will be inevitable.
- Perimeters are wider, so security needs to be wider too: Traditional tools and strategies for defending an IT infrastructure will no longer be adequate when moving to a Hybrid model, as the perimeter will be difficult or impossible to define. Workloads will be running in different environments, with deployments and data straddling traditional On-Premise infrastructure, Private and Public Cloud platforms. This means new approaches and best practices will be needed to ensure security of data across these varied environments. By definition, a non-uniform infrastructure cannot have a uniform approach, so each workload’s security requirements will need to be addressed individually.
- Beware of Shadow IT: Hybrid Cloud deployments provide the scale and lexibility that today’s businesses demand. Applications and workloads installed across multiple environments brings all the benefits of the Hybrid approach; however, this also introduces risk.
The encroachment of Shadow IT is an increasing threat; that is, applications and infrastructure that are deployed without the approval (or sometimes even knowledge!) of the central IT department. Examples of these include software-based versions (as opposed to the web versions) of Dropbox, Netflix, WinZip or Spotify. Software asset management, governance, standards, change control and configuration management all bring security issues where Shadow IT has been deployed, so businesses need to determine how and when to tackle the threat of Shadow IT.
Don’t offload 100%: Smaller businesses might be tempted to blindly trust a Cloud provider for their entire infrastructure and associated security. However, businesses should not assume that all Cloud providers will have security standards in place to ensure ongoing protection and compliance, and simply moving some or all of this risk to a Cloud provider may not actually address it. Therefore, it might be appropriate to spread the load across multiple providers or, in some cases, retain some data locally.
In summary, keep providers accountable for their security. Ensure data is encrypted and not accessible outside your perimeter. Be sure that these details are covered within contracts and review these regularly. Keep your crucial data close and backed up.
Hybrid Cloud is scalable, flexible and cost-effective but it’s also simply a means to an end. It’s your data, and it’s down to you to look after it. For an insight into the WHAT, WHY and WHO of the Cloud and to help you develop a viable blueprint for migration, join us in Leeds for our Cloud 101 event on the 19th September.
Author: Andrew Wild, Cloud Product Manager at GCI