Security in Hybrid Cloud

Many organizations still think of security in terms of legacy infrastructure, in which they can touch and feel a physical device. Being able to see the device mounted in the rack, to see the lights flicker and to see the cords and cables neatly strung makes us feel like the device is safe and secure. This gives us security professionals a good gut feeling that we have visibility from layer one (physical) up to layer seven (application) of the Open Systems Interconnection (OSI) Model.

In the early days of Information Technology (IT), before the Internet of Things (IoT), the Cloud and hybrid infrastructure, IT departments and systems administrators had what they felt was complete control of IT systems and security controls. It is no surprise that when organizations think of the “Cloud” they immediately assume the loss of physical control means a loss of security ownership.

Security within the dynamic infrastructure of Hybrid Cloud is often perceived as a near-impossible challenge with many barriers. The Hybrid Cloud infrastructure includes workloads within the public cloud and private cloud. This encompasses Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Managing and securing access to these systems for customers, partners, vendors and employees from multiple device types and from multiple networks can be burdensome. An organization’s overall security strategy must include this hybrid access methodology as well as the traditional on-premise infrastructure.

One important barrier to overcome is for Cloud customers to understand the shared security model with their Cloud provider.  The Cloud provider delivers foundational services for all its customers, like computing power, storage capabilities, database consumption and network connectivity.  Cloud providers have security tools in place to manage and monitor these foundational services for all of their customers.  Once the customer is given access to their system, all the components within that system are the customer’s responsibility to secure. 

Cloud customers want to take advantage of the benefits of the Cloud versus on-premise, like the easy scalability and the capacity to deploy and decommission new Cloud systems in real-time. These new Cloud systems can be pre-configured with security features already enabled (as part of a pre-set image) and deployed within a specific security zone by design. In order to take advantage of this, organizations should integrate the native Cloud security features built in by their provider. These include built-in security groups for access control, and tags (or labels) to organize and group assets in order to create security processes and technology commensurate with those assets. A Virtual Private Cloud (VPC) can be designed as a network segmentation solution, so that each VPC can be managed and monitored in accordance with its level of data sensitivity.
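The following added example (not part of the original post) shows how tags, security groups and VPC placement can be checked against each other so that controls stay commensurate with data sensitivity. The tag key `data-sensitivity`, the VPC names, the policy table and the inventory are all constructed assumptions, not any provider's API.

```python
import ipaddress

# Assumed policy: sensitivity tag value -> (required VPC, widest ingress source allowed).
POLICY = {
    "high":   ("vpc-restricted", "10.0.0.0/8"),
    "medium": ("vpc-internal",   "10.0.0.0/8"),
    "low":    ("vpc-public",     "0.0.0.0/0"),
}
# Constructed security groups and assets (IPv4 only), standing in for a cloud inventory export.
SECURITY_GROUPS = {
    "sg-web":   [{"port": 443,  "source": "0.0.0.0/0"}],
    "sg-db":    [{"port": 5432, "source": "10.20.0.0/16"}],
    "sg-admin": [{"port": 22,   "source": "0.0.0.0/0"}],
}
ASSETS = [
    {"id": "web-1", "vpc": "vpc-public", "tags": {"data-sensitivity": "low"}, "groups": ["sg-web"]},
    {"id": "db-1", "vpc": "vpc-restricted", "tags": {"data-sensitivity": "high"}, "groups": ["sg-db"]},
    {"id": "db-2", "vpc": "vpc-public", "tags": {"data-sensitivity": "high"},
     "groups": ["sg-db", "sg-admin"]},
    {"id": "batch-1", "vpc": "vpc-internal", "tags": {}, "groups": ["sg-db"]},
]

def audit(assets, groups, policy, tag_key="data-sensitivity"):
    """Return (asset_id, finding) pairs where placement or ingress exceeds the policy."""
    findings = []
    for asset in assets:
        level = asset["tags"].get(tag_key)
        if level not in policy:
            # Without a sensitivity tag no control can be matched to the asset.
            findings.append((asset["id"], "untagged-or-unknown-sensitivity"))
            continue
        required_vpc, widest = policy[level]
        if asset["vpc"] != required_vpc:
            findings.append((asset["id"], f"wrong-vpc:{asset['vpc']}"))
        allowed = ipaddress.ip_network(widest)
        for name in asset["groups"]:
            for rule in groups.get(name, []):
                source = ipaddress.ip_network(rule["source"])
                # A rule is acceptable only if its source range sits inside the allowed range.
                if not source.subnet_of(allowed):
                    findings.append((asset["id"], f"ingress-too-broad:{name}:{rule['port']}"))
    return findings

if __name__ == "__main__":
    for asset_id, finding in audit(ASSETS, SECURITY_GROUPS, POLICY):
        print(asset_id, finding)
```

Run on a schedule against a real inventory export, a check like this catches drift between the tag an asset carries and the segment and access rules it actually has.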

With Cloud innovations growing exponentially, there are many security technology options, including encryption, anti-virus, file integrity management, identity and access management, vulnerability testing, email encryption, intrusion detection, DDoS protection, anomaly detection, virtual private network (VPN), host-based and web application firewalls, along with log collection, analysis and correlation. Organizations also need people and processes focused on the care and feeding of these technology solutions.

The top two attack vectors in the Cloud and in on-premise infrastructures are application attacks and account username and password attacks. Web application vulnerabilities are well-known. Once an attacker has exploited web application code, the next objective is to gain access to accounts on the system. Therefore, no matter where you are hosting web application code, it is imperative to have security at the web application layer along with a well-managed and robust account management strategy.

The complexities in securing a Hybrid Cloud infrastructure are less about the security features and capabilities within the Cloud and more about dedicating time and resources to learning the new tools. Most organizations will need to train their security operations staff in new technical skills for configuring and managing these tools. Organizations should also have well-defined processes specific to the people and technology to ensure clear situational awareness of the Cloud environment.

Fundamental security solutions are available as part of the overall Cloud solution. These security solutions vary among Cloud providers and may be implemented differently, and therefore require extra effort at the beginning of a Cloud migration project. Furthermore, most Cloud providers have Cloud security partners that provide managed and/or professional security services. If an organization wants to get started in the Cloud but lacks the expertise, it is highly recommended to use a managed security services provider to monitor the security of your Hybrid Cloud infrastructure. This allows your team to focus on the business side of migrating to the Cloud, while a 24x7 operational team of security experts provides peace of mind that your Hybrid Cloud infrastructure is properly protected.

About the Author

Paul Fletcher - Cyber Security Evangelist at Alert Logic

Paul Fletcher has over 20 years of experience in information technology and security. Prior to joining Alert Logic, Fletcher advised executives in the energy, retail, and financial sectors regarding emerging security threats and mitigation strategies. Additionally, he has worked with Fortune 50 organizations, the Department of Defense, and critical infrastructure organizations to implement risk management plans and security solution designs. His other specialties include network security, customer data integrity, application security, forensics investigation, threat intelligence, and incident response. Fletcher holds a Master of Arts and Bachelor of Science degree and is a Certified Information Systems Security Professional (CISSP).
