Why organizations need to embrace new thinking in how they tackle hybrid cloud security challenges

Hybrid cloud computing enables organizations to deploy sensitive workloads on-premise or in a private cloud, while hosting less business-critical resources on public clouds. But despite its many benefits, the hybrid environment also creates security concerns. AlgoSec’s co-founder and CTO, Prof. Avishai Wool shares his expert insights on these concerns and offers best practices to boost hybrid cloud security.

Hybrid cloud computing combines on-premises infrastructure, private cloud services, and one or more public clouds. Going hybrid provides businesses with enhanced flexibility, agility, cost savings, and scalability to innovate, grow, and gain a competitive advantage. So, how can you simplify and strengthen security operations in the hybrid cloud?

It all starts with visibility – you still can’t protect what you can’t see

To protect their entire hybrid infrastructure, applications, workloads, and data, security teams need to know what these assets are and where they reside. They also need to see the entire hybrid estate and not just the individual elements.

However, complete visibility is a serious hybrid cloud security challenge. Hybrid environments are highly complex, which can create security blind spots, which then prevent teams from identifying, evaluating, and most importantly, mitigating risk.

Another hybrid cloud security concern is that you cannot implement a fragmented security approach to control the entire network. With thousands of integrated and inter-dependent resources and data flowing between them, vulnerabilities crop up, increasing the risk of cyberattacks or breaches. For complete hybrid cloud security, you need a holistic approach that can help you control the entire network.

Is DevSecOps the panacea? Not quite

In many organizations, DevSecOps teams manage cloud security because they have visibility into what’s happening inside the cloud. However, in the hybrid cloud, many applications have servers or clients existing outside the cloud, which DevSecOps may not have visibility into. Also, the protection of data flowing into and out of the cloud is not always under their remit.

To make up for these gaps, other teams are required to manage security operations and minimize hybrid cloud risks. These additional processes and team members must be coordinated to ensure continuous security across the entire hybrid network environment. But this is easier said than done.

Using IaC to balance automation with oversight is key, but here’s why you shouldn’t solely rely on it

Infrastructure as code (IaC) will help you automatically deploy security controls in the hybrid cloud to prevent misconfiguration errors, non-compliance, and violations while in the production stage and pre application testing. With IaC-based security, you can define security best practices in template files, which will minimize risks and enhance your security posture.

But there’s an inherent risk in putting all your eggs in the automation and IaC basket. Due to the fact that all the controls are on the operational side, it can create serious hybrid cloud security issues. And without human attention and action, vulnerabilities may remain unaddressed and open the door to cyberattacks.

Since security professionals who are not on the operational side must oversee the cloud environment, it could easily open the door to miscommunication and human errors – a very costly proposition for organizations. For this very reason, you should also implement a process to regularly deploy automatic updates without requiring time-consuming approvals that slow down workflows and weaken security. Strive for 95% automated changes and only involve a person for the remaining 5% that requires human input.

Hybrid cloud security best practices – start early, start strong   

When migrating from on-prem to the cloud, you can choose a greenfield migration or a lift-and-shift migration. Greenfield means rolling out a brand-new application. In this case, ensure that security considerations are “baked in” from the beginning and across all processes. This “shift left” approach helps build an environment that’s secure from the get-go. This ensures that all team members adhere to a unified set of security policy rules to minimize vulnerabilities and reduce security risks within the hybrid cloud environment.

If you lift-and-shift on-prem applications to the cloud, note any security assumptions made when they were designed. This is important because they were not built for the cloud and may incorporate protocols that increase security risks. Next, implement appropriate measures during migration planning. For example, implement an Application Load Balancer if applications leverage plaintext protocols, and use sidecars to encrypt applications without having to modify the original codebase. You can also leverage hybrid cloud security solutions to detect and mitigate security problems in real-time.

Matching your cloud security with application structure is no longer optional

Before moving to a hybrid cloud, map the business logic, application structure, and application ownership into the hybrid cloud estate’s networking structure. To simplify this process, here are some tried and proven ways to consider.

• Break up your environment into a virtual private cloud (VPC) or virtual network. With the VPC, you can monitor connections, screen traffic, create multiple subnets, and also restrict instance access to improve security posture.
• Use networking constructs to segregate applications into different functional and networking areas in the cloud. This way, you can deploy network controls to segment your cloud estate and ensure that only authorized users can access sensitive data and resources.
• Tag all resources based on their operating system, business unit, and geographical area. Tags with descriptive metadata can help to identify resources. They also establish ownership and accountability, provide visibility into cloud consumption, and help with the deployment of security policies.

Conclusion

In today’s fast-paced business environment, hybrid cloud computing can benefit your organization in many ways. But to capture these benefits, you should make an effort to boost hybrid cloud security. Incorporate the best practices discussed here to improve security and take full advantage of your hybrid environment.

To learn more about hybrid cloud security, listen to our Lessons in Cybersecurity podcast episode or head to our hybrid cloud resource hub here.