Hybrid cloud security continues to pose a barrier to enterprise cloud adoption, and both enterprises and cloud service providers (CSPs) share responsibility for coming up with secure cloud solutions. In the TechTarget article, “Five Hybrid Cloud Security Issues to Overcome,” Dan Sullivan comments on issues that should be included in the planning cycle at the beginning of a hybrid cloud deployment, including planning and developing:
- Data redundancy
- Risk management
- Security management
Because each of these is extremely important to addressing some of the more common hybrid cloud security issues that enterprises face, I’d like to probe into them a bit deeper.
While making sure there are multiple copies of data items is an important element of an implementation plan, it is also wise to encrypt both data in motion and data at rest to reduce the application’s attack surface, especially for traffic traveling over the public internet. It is also worth looking into data compression and deduplication to reduce the amount of data, both at rest and in motion. At rest, compression and deduplication can reduce storage requirements and thus storage costs. In motion, they can be thought of as additional components for reducing the attack surface and decreasing transport costs and time.
With hybrid cloud infrastructures, both the enterprise and cloud provider share in the management of risk. Enterprise IT administrators have their own ways of dealing with things when something goes wrong, and CSPs also have their own processes and procedures that are generally tied to meeting customer service level agreements (SLAs). Both must be honored to address issues as they arise. It would be prudent for the enterprise to understand CSP processes and procedures, and how long it takes to work through them to minimize enterprise risk should something go wrong. This means that enterprise IT administrators should have a well-considered risk management plan, work through that plan with the service provider, and have confidence that the plan works long before something breaks.
Security, unfortunately, is often a neglected area of planning until the enterprise itself or one of its partners experiences a breach, data loss and the unfortunate side effects of lost credibility and, quite possibly, fines and exposure to litigation. A comprehensive security plan should be in place for each application, regardless of where it is hosted – locally or in a cloud service provider’s data center. This plan should include the ability to control and monitor who accesses the application, and where and when they do so.
It is also wise to understand in detail, and to be able to monitor, how and when each application component accesses data, system services and other application components. The monitoring tools should make it quickly apparent when someone inserts themselves into the middle of application processing as part of a “man-in-the-middle attack,” either to capture data as it passes or to inject data into the stream itself.
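As an added illustration of the two monitoring goals above (who accesses the application, from where and when; and which component talks to which, over a connection whose certificate is the one expected), here is a small Python policy checker. It is example code written for this page, not from the article or from Equinix; the users, sites, component names, certificate fingerprints and log lines are all constructed, and the log format (one event per line, ISO timestamp followed by key=value fields, where `cert` is the fingerprint the caller observed on the peer) is an assumption.

```python
"""Constructed hybrid-cloud access monitor (added example, not from the article)."""
from datetime import datetime

# Constructed policy: which sites each identity may connect from, and during which hours.
USER_POLICY = {
    "alice": {"sites": {"hq-office", "private-link"}, "hours": (7, 19)},
    "svc-batch": {"sites": {"private-link"}, "hours": (0, 24)},
}

# Constructed allowlist of component-to-component calls (caller -> allowed callees).
COMPONENT_POLICY = {
    "web-tier": {"api-tier"},
    "api-tier": {"db-tier", "object-store"},
}

# Pinned certificate fingerprint per callee; an unexpected fingerprint is the
# tell-tale sign of something inserted between caller and callee.
# Values are placeholders, not real fingerprints.
EXPECTED_CERT_FP = {
    "api-tier": "sha256:PLACEHOLDER_API_FP",
    "db-tier": "sha256:PLACEHOLDER_DB_FP",
    "object-store": "sha256:PLACEHOLDER_STORE_FP",
}

# Constructed sample log: timestamp then key=value fields (format is an assumption).
SAMPLE_LOG = [
    "2016-09-01T08:15:00 user=alice site=hq-office src=web-tier dst=api-tier cert=sha256:PLACEHOLDER_API_FP",
    "2016-09-01T23:40:00 user=alice site=cafe-wifi src=web-tier dst=api-tier cert=sha256:PLACEHOLDER_API_FP",
    "2016-09-01T09:00:00 user=svc-batch site=private-link src=api-tier dst=db-tier cert=sha256:PLACEHOLDER_DB_FP",
    "2016-09-01T09:01:00 user=svc-batch site=private-link src=web-tier dst=db-tier cert=sha256:PLACEHOLDER_DB_FP",
    "2016-09-01T09:02:00 user=svc-batch site=private-link src=api-tier dst=object-store cert=sha256:UNKNOWN_FP",
]


def parse_event(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def check_event(event):
    """Return a list of policy findings for one event (empty list means clean)."""
    findings = []

    # Who, from where, and when.
    user = event.get("user")
    if user:
        policy = USER_POLICY.get(user)
        if policy is None:
            findings.append(f"unknown user {user}")
        else:
            if event.get("site") not in policy["sites"]:
                findings.append(f"{user} from unexpected site {event.get('site')}")
            start, end = policy["hours"]
            if not start <= event["ts"].hour < end:
                findings.append(f"{user} outside allowed hours ({event['ts'].hour:02d}h)")

    # Which component called which, and whether the peer presented the pinned certificate.
    src, dst = event.get("src"), event.get("dst")
    if src and dst:
        if dst not in COMPONENT_POLICY.get(src, set()):
            findings.append(f"unexpected call {src} -> {dst}")
        expected = EXPECTED_CERT_FP.get(dst)
        if expected and event.get("cert") != expected:
            findings.append(f"certificate for {dst} does not match pinned fingerprint")

    return findings


def scan(lines):
    """Map line index -> findings, for every line that produced at least one finding."""
    report = {}
    for index, line in enumerate(lines):
        findings = check_event(parse_event(line))
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(f"line {index}: " + "; ".join(findings))
```

Run as a script it reports three suspicious lines: an after-hours login from an unknown site, a web tier talking straight to the database, and an object-store connection whose certificate is not the pinned one. In a real deployment the policy tables would be loaded from configuration and the events from the application's own access logs or a flow collector, but the checks themselves are the ones the paragraph calls for.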
Leverage direct, private interconnection
We strongly advise using encryption when moving cloud traffic over the public internet, but encrypted data is not totally immune to increasing malware threats, and the public internet presents an expansive attack surface. According to the Cisco “2016 Midyear Cybersecurity Report,” Transport Layer Security (TLS), the dominant protocol used to provide encryption for network traffic, is increasingly becoming the favorite target of hackers. As much as 60% of all network traffic uses TLS for encryption, and in malware samples studied by the Cisco researchers, about 10% of them used TLS. This may seem like a small percentage now, but the Cisco researchers expect it to rise as the “overall use of encryption in benign traffic increases.”
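Encrypting traffic only helps if the TLS client actually verifies who it is talking to. The following added example (written for this page, not from the article or from Cisco or Equinix) contrasts a hardened Python TLS client context with the weak configuration that is commonly seen in practice, and audits either one for the settings that matter; it uses only the standard `ssl` module.

```python
"""Added example: hardened versus weak TLS client settings, plus an audit of them."""
import ssl


def make_client_context(hardened=True):
    """Build a client-side TLS context.

    PROTOCOL_TLS_CLIENT requires a valid peer certificate and checks the
    hostname by default; the weak branch below switches both off, which is
    exactly the configuration that lets an interposed party present any certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hardened:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 handshakes
        ctx.load_default_certs()                      # trust the platform CA store
    else:
        # Weak configuration: check_hostname must be cleared before verify_mode.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of weak settings found in a context (empty means acceptable)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context(True)) or "no findings")
    print("weak:", audit_context(make_client_context(False)))
```

The audit function is the reusable part: pointing it at the contexts an application actually creates (for example the one handed to `urllib` or a database driver) is a cheap way to confirm that "we use TLS" also means "we verify the peer", which is the difference between encryption that resists interception and encryption that merely obscures it.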
Direct interconnection between private and public cloud services that bypasses the public internet enables companies to establish a secure route for their application workloads and data. In addition, direct interconnection to cloud services out at the corporate network edge eliminates the risk of backhauling cloud traffic over the internet or a corporate WAN where multiple hops between routers can also open up opportunities for cyberattacks. Direct and secure interconnection to clouds at the edge also allows enterprises to deploy security services close to users, applications and data that rely on safe access to hybrid cloud services, especially for data that has to meet strict regulatory and compliance standards.
Don’t go it alone
Planning a secure hybrid cloud infrastructure can be challenging, mainly because many enterprises don’t have available staff or expertise. In RightScale’s “2016 State of the Cloud Report,” IT professionals surveyed cited the lack of cloud resources/expertise and security as the top two challenges to cloud adoption.
Look for a partner that has broad cloud expertise and experience, as well as access to a dense ecosystem of cloud and cloud security service providers that offer solutions such as Infrastructure-Protection-as-a-Service or protection against DDoS attacks.
Also, reach out to an expert resource such as Equinix Professional Services for Cloud that can help you quickly and effectively plan, develop and execute your hybrid cloud infrastructure and find a cloud security partner to ensure it’s secure.